Re: [Cfrg] draft-irtf-cfrg-randomness-improvements-00 vs currently-deployed alternatives
Christopher Wood <christopherwood07@gmail.com> Sat, 16 June 2018 17:06 UTC
Return-Path: <christopherwood07@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1658130E31 for <cfrg@ietfa.amsl.com>; Sat, 16 Jun 2018 10:06:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sT_oIcx4dPtA for <cfrg@ietfa.amsl.com>; Sat, 16 Jun 2018 10:06:30 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BAA7130DEB for <cfrg@irtf.org>; Sat, 16 Jun 2018 10:06:30 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id b125-v6so4393295ywe.1 for <cfrg@irtf.org>; Sat, 16 Jun 2018 10:06:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=QlVQcLRRjCAgvOH9AsTS46a2JOC3gx6HtYZmQTxmDlc=; b=XPaxeFZUutIoZ8fQGYmly3q2cJrmMh6kPC98dvQkBmhMOilLiuVbO+2zClUt43cPZQ m0EuTPUiJIIDAhhICfJppDdKU/lKIGnmtciYbLdvE0aEiKz0X8NeMxStZIwqvMmY7Upy oxoKpYX9hI4Rss6WgZNDMEAEgFUCPKFNYBMWJm3cBCGTNQRLAwv1DtWaGxbVNuvfFTjm MmT9Ao3WOl0B/rm7QSVO5fjsNiXnj9Y0kh7CGX2VxWmXwffU1cUshGVvHxaUjIWjCy24 wT01/0sZkfifn5v9gxSQ3xPgjMWTqMxqHNjzeDTe7cNWzzBlnkuaoc4y+tql6XFQ40Dq 6O6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=QlVQcLRRjCAgvOH9AsTS46a2JOC3gx6HtYZmQTxmDlc=; b=Rg8iEhtu6vVTUjWULesZdHtpwpjyhcWs8bQGUI9r1j9gMNPTosamcpO6tJOQbofmsO 7J6CYi8VtbesaKqcBWzaCO5Fgp2TMwi2wOf502pfqKZz+OubmVPEw0gajR5T+47EIS/X nvoc6nNg4oDLvrsvL9yD+CrVPbncXe3CjplVq0JOAmto3wq9tKarnxD9cciFR2x5COK1 mmWuz7KdsA3R7RnYhj5zRxO/5lWAaTbMSvC6SEAwAXYr3H2kOWH5DKfbebcIi/Fq8hwk 0yeyCOVN/jiLMeKHQ/abKdP5v+oZIuvbwbLheMn+0JsqclIjmo6vDmM0DTUNMJ6vO9WI UWfQ==
X-Gm-Message-State: APt69E00/iWAxmNXmLZ52j0LRaUDCkA/XlvXI5wXjZFkJPkpbPTciPBz P7WGy+68mQGkZ7eR8FRyDNjlaTzbhG+NCeJgwKc=
X-Google-Smtp-Source: ADUXVKJa6wmdnYaLlA6sWBEL3pYhabHEz6KB4lEKOmvbFV1RK47FEVkvJJQeCIqeDNz5cHWwedfPff1MmHCZGxUgnpE=
X-Received: by 2002:a0d:e345:: with SMTP id m66-v6mr3099335ywe.304.1529168789098; Sat, 16 Jun 2018 10:06:29 -0700 (PDT)
MIME-Version: 1.0
References: <CAFewVt6E8Ft3vRKEs3vdvOhNr8JmOEDwQH8SU5rm_SkDdsi89A@mail.gmail.com> <CAMr0u6=1WBmo_qHSOzT6HRQ1N3Qfsf49rN-F2uk9m9wSrYOi+w@mail.gmail.com> <CAFewVt5mq4MRHKMrjB-eFtsguBy6+8tv7J9J4nX3MYONKXqSQw@mail.gmail.com>
In-Reply-To: <CAFewVt5mq4MRHKMrjB-eFtsguBy6+8tv7J9J4nX3MYONKXqSQw@mail.gmail.com>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Sat, 16 Jun 2018 10:06:17 -0700
Message-ID: <CAO8oSXkX3oFxz+4QXFVjx3VUm7EC_x6=wNpu7YtBS7Vk3wtzrg@mail.gmail.com>
To: brian@briansmith.org
Cc: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, cfrg@irtf.org, Luke Garratt <luke.garratt@wolfson.ox.ac.uk>, Cas Cremers <cas.cremers@gmail.com>, Cas Cremers <cas.cremers@cs.ox.ac.uk>, Nick Sullivan <nick@cloudflare.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gTw9ML0Sncwle7zSZZ3bamwEEbg>
Subject: Re: [Cfrg] draft-irtf-cfrg-randomness-improvements-00 vs currently-deployed alternatives
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jun 2018 17:06:32 -0000
Hi Bryan, Apologies for the delay. Please see inline below. On Wed, Jun 13, 2018 at 8:07 PM Brian Smith <brian@briansmith.org> wrote: > > Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote: > > About deterministic signature functions. > > > > Actually the worst case scenario we are defending against is a complete > > breakdown of all existing entropy sources (say, because of failure of > > hardware RNG) on a certain computer. > > The draft says "In the NAXOS key exchange protocol, raw entropy output > x is replaced by H(x, sk), where sk is the sender's private key. > Unfortunately, as private keys are often isolated in HSMs, direct > access to compute H(x, sk) is impossible. An alternate yet > functionally equivalent construction is needed. [...] Implementations > SHOULD apply this technique when indirect access to a private key is > available and CSPRNG randomness guarantees are dubious" > > If the private key `sk` is available to the user then one could use > NAXOS or a variant of it. > > If the private key `sk` is not available but the HSM lets the user > choose the nonce then the user can extract `sk` from the HSM by using > the standard ECDSA attack, and then use NAXOS or a variant of it. > > If the private key `sk` is not available and the HSM rightly doesn't > let the user choose the nonce then the only way one can follow the > recommendation to use a deterministic signature function is if the HSM > implements deterministic ECDSA itself. But it is really uncommon for > an HSM to implement deterministic ECDSA, especially because > deterministic ECDSA is non-compliant with all specifications for > ECDSA. Note: I'm not saying this is good or bad. > > The main consequence of this is that, practically speaking, it seems > like one can't really use deterministic ECDSA except in cases where > one could also use NAXOS or a similar thing. Thus the "e.g., > deterministic ECDSA [RFC6979]" seems to contradict "direct access to > compute H(x, sk) is impossible." > > Similarly, APIs for HSMs generally don't let one choose the salt for > PSS signature generation, though in some implementations one can set > the salt length to zero to get a deterministic PSS signature. However, > other work on PSS in TLS has already tried to make it so an > implementation (e.g. mine and a few other new implementations) need > only support specific non-zero lengths of salts. Thus one probably > can't rely on deterministic PSS being available either. > > Similarly, TLS 1.3 says that we must use PSS instead of PKCS#1 > signatures so a TLS 1.3 implementation wouldn't need to implement > PKCS#1 signing. Further, everybody knows that we shouldn't use the > same private key for two different algorithms, so if we have an RSA > private key for use with TLS 1.3 then we shouldn't use it to make > PKCS#1 signatures; ideally the HSM would enforce that. > > Thus, the requirement that "Sig MUST be a deterministic signature > function" seems unrealistic except in cases where a new mechanism may > not even be useful since NAXOS or similar would work fine. > > > The problem > > occurs in another case - when a random value used in ECDSA/EC-RDSA is > > obtained from the same potentially broken entropy source. > > Right. One the one hand you don't want to trust the ECDSA's > implementation's RNG. On the other hand, ECDSA implementations don't > generally expose APIs that let you replace their RNG unless they also > give you the raw private key, in which case we wouldn't need to use > ECDSA to derive the initial key. > > > Of course it would be better to mix-in entropy, but we'd like to stress that > > the main reason of using the techniques described in our draft is to address > > the possible worst-case scenarios of having no working entropy sources – > > when we cannot rely on any mixed-in entropy at all. > > The point I'm trying to make is subtle: > 1. Obviously, we don't want to rely on having any entropy. > 2. Less obviously, if there is entropy available then it seems silly > to ignore it. > > > In fact the > > problem we're trying to address here is the following. If we do not have any > > actual entropy, then, in case of using our techniques, we'll leverage the > > security of such worst-case scenarios – but – if we also have two equivalent > > environments (two cloned virtual machines, for example) and two tags are > > equivalent, then we can do nothing at all: no entropy and no differences > > between two environments would lead to completely equivalent outputs. > > There are four cases to consider: > 1. A working entropy source is available, and the two tags are the same. > 2. A working entropy source is available, and the two tags are different. > 3. The entropy source is broken, and the two tags are the same. > 4. The entropy source is broken, and the two tags are different. > > In your paragraph above, you are describing case #3. But what about case #1? > > BTW, I think that you and I may be thinking of different use cases for > draft-irtf-cfrg-randomness-improvements-00. The question I original > set out to answer is "Would it be better to use > draft-irtf-cfrg-randomness-improvements-00 instead of RFC 6979 when > implementing ECDSA?" From re-reading the draft I think that target use > case might have been more about "How can we strengthen key agreement > (e.g. ECDH)?" > > Since I posted my question I actually came up a few with more > questions, but the general question I think is still unanswered is > "Why is this mechanism better than using other established > mechanisms?" In particular, why is this mechanism better than a > variant of NAXOS or better than using the HMAC DRBG? Speaking from my > own experience and motivation for reading the document, that's the main > question that I think is left unanswered in the draft. I think the delta between what's proposed and what's implemented is small. This is what's proposed: PRF(KDF(G(x) || H(Sig(sk, tag1))), tag2) Here, G(x) is the CSPRNG, which uses whatever entropy is available at the time on the caller, which is not necessarily where the signature is computed. The input to the KDF is thus effectively whatever randomness is available and a function of the private key, which I'll denote as r. The construction then simplifies to: PRF(KDF(r), tag2) This is basically HKDF -- Expand(Extract(r), tag2, x). (I would prefer it be rewritten using this common terminology to make it more readable.) It could also be recast as the HMAC DRBG as outlined in Section 3.3 of RFC 6979 by setting entropy_input to r and nonce to bits2octets(H(tag2)), for example. So the difference between this and NAXOS or HMAC DRBG as specified in Section 3.3 is how the private key is used. In both NAXOS and RFC 6979, it's assumed the caller has direct access to the private key, which is not the assumption here. That's the extent of the difference, as I see it. Do you think unifying terminology around RFC 6979 would help emphasize that difference? Thanks, Chris
- Re: [Cfrg] draft-irtf-cfrg-randomness-improvement… Christopher Wood
- Re: [Cfrg] draft-irtf-cfrg-randomness-improvement… Brian Smith
- Re: [Cfrg] draft-irtf-cfrg-randomness-improvement… Stanislav V. Smyshlyaev
- [Cfrg] draft-irtf-cfrg-randomness-improvements-00… Brian Smith