[Cfrg] Minimum freshness in EdDSA25519 signed messages
Robert Moskowitz <rgm-sec@htt-consult.com> Thu, 29 August 2019 15:30 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA1A21208A2 for <cfrg@ietfa.amsl.com>; Thu, 29 Aug 2019 08:30:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GqThbHJEKJX for <cfrg@ietfa.amsl.com>; Thu, 29 Aug 2019 08:30:45 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23776120896 for <cfrg@irtf.org>; Thu, 29 Aug 2019 08:30:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 25B7D6211D for <cfrg@irtf.org>; Thu, 29 Aug 2019 11:30:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id ed1x-E-ixqDk for <cfrg@irtf.org>; Thu, 29 Aug 2019 11:30:38 -0400 (EDT)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 6253762110 for <cfrg@irtf.org>; Thu, 29 Aug 2019 11:30:36 -0400 (EDT)
To: cfrg@irtf.org
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <e3590ca1-1d67-fd6a-b3a4-78cdb4bf5316@htt-consult.com>
Date: Thu, 29 Aug 2019 11:30:32 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fT9fO3HzpmsSUyGuNWjL651xxjs>
Subject: [Cfrg] Minimum freshness in EdDSA25519 signed messages
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2019 15:30:47 -0000
This is for a project I am working on: EdDSA25519 as HIP HI (rfc7401) 16 byte HHIT (draft-moskowitz-hierarchical-hip under revision) Device has HHIT/HI (100M devices potentially) Authorizer's HHIT/HI (see HDA bits in Device HHIT; no more than a few hundred HDAs) Case 1: Simple message construction 16 byte HHIT, 4 byte lifetime stamp, n bytes shared context data, 64 byte sig of 16+4+n Is the 4 bytes lifetime stamp enough freshness to protect the sig from attack? Attacker can know all other information months in advance to compute an attack for a future time. Is 4 bytes freshness enough? Is more needed? How large must n be? Pointer to information on this? Note: Given device HHIT, receiver can lookup device HI (signing EdDSA25519 public key). Case 2: 2nd level of sig for off-line validation. Receiver has no Internet access to look up the HI in Case 1. Fortunately, there are only a limited, x, number of signing authorities with their own EdDSA25519 HI/HHIT. Which can be cached. Message in Case 1 PLUS 32 byte Device's HI, 4 byte Authorizer's signing date, 16 byte Authorizer's HHIT m bytes shared context, 64 byte sig of 32+4+16+m message (that is. not including Case 1 message) Receiver can validate outer sig based on cache of Authorizer's HHIT/HI. With now, trusted Device HI, receiver can now validate Case 1 message. Is 4 bytes freshness enough? Is more needed? How large must m be? m may be unique for each Authorizer. My limited readings and searches (my search foo is terribly weak) lead me to believe that those 4 byte timestamps are all that I need and both n and m could be zero, but practice is to have something there. Thank you for any reviews and/or pointers. Bob
- [Cfrg] Minimum freshness in EdDSA25519 signed mes… Robert Moskowitz