Re: [Cfrg] Help with the use of contexts

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 03 February 2017 12:55 UTC

Date: Fri, 3 Feb 2017 14:55:33 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Tibor Jager <tibor.jager@gmail.com>
Message-ID: <20170203125533.GA11515@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20170116200948.6535.qmail@cr.yp.to> <5eeb3d4d-1fc0-35ba-6f47-87fa0d808edc@cs.tcd.ie> <AA42E783-43FC-4C9B-A387-623B5B18B4FB@gmail.com> <708C8E8E-37AE-4B8F-9843-B0F8CDB29229@gmail.com> <CACsn0cm22h8_61CEZjKYyHfnd7vvnC39ZMjhusjWcZKu_Z0zhw@mail.gmail.com> <DA141A39-05C2-4B87-92FA-AE8C5421E104@gmail.com> <0435210f-0aa4-1c34-89d6-0f7a2aef0621@cs.tcd.ie> <D4B4D5E4.82A6D%kenny.paterson@rhul.ac.uk> <CA+yVaTxTbqDUBbX2oTgC6BT2LprOz8uqAbhTRukuqfZD124kSA@mail.gmail.com>
In-Reply-To: <CA+yVaTxTbqDUBbX2oTgC6BT2LprOz8uqAbhTRukuqfZD124kSA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gxhOA2PnYYSKkXh3naVqJXooO48>
Cc: cfrg@irtf.org

On Fri, Feb 03, 2017 at 09:16:11AM +0100, Tibor Jager wrote:
> On 30 January 2017 at 12:40, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk>
> wrote:
> 
> >
> > So: does anyone else want to offer an opinion on the question of contexts?
> >
> >
> Contexts are a clean and relatively simple way to prevent cross-protocol
> attacks, in particular when implemented in as simple a way as proposed
> by Adam and Dan.

Unfortunately, in practice those are anything but clean and simple.

Yes, the theoretical notion is pretty simple (where (context,message)
tuple replaces the message in standard notion of signature security).

The biggest practical problem: Backwards compatibility, the ever-present
nemesis of security.

There are basically two major problems:

- Non-contextualized schemes, which leave the system wide open for
  any possible attacks. Hopefully nothing major.
- The standard signature API can't accommodate contexts.

When it comes to TLS, AFAIK the most significant target for possible
cross-protocol attacks is the PKIX CSR mechanism.


What I think it would take to deploy contextualization to TLS and
closely associated technologies (PKIX mainly):

- New RSA-PSS (possibly original RSA-PSS), ECDSA and EdDSA signature
  schemes (X.509 algorithms) that are contextualized.
- New RSA and ECDSA key types (X.509 key types; EdDSA can reuse keys)
- New TLS SignatureScheme values to go with these.

One advantage of having different RSA key type would be that the old
standard one has been jinxed by the broken RSA-PKCS#1v1.5 encryption.
However, there is already standard RSA-PSS key type, which does not
have the same problem AFAIK.


-Ilari
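The following is an added example, not part of Ilari's message or of any CFRG draft, illustrating two of the points above in Go: that a contextualized EdDSA signature binds (context, message) so a signature made for one protocol does not verify under another (or under plain, non-contextualized Ed25519) while reusing the same key, and that the generic crypto.Signer API has no slot for a context, so code signing through it silently gets plain Ed25519. It uses Ed25519ctx from Go's standard library (Go 1.20 or later); the two context labels, the fixed seed and the message bytes are constructed for the example and are not registered identifiers or real protocol data.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"fmt"
)

// Hypothetical context labels for two protocols that share one EdDSA key.
// These names are constructed for the example, not registered anywhere.
const (
	ctxHandshake = "example-tls-handshake-v1"
	ctxCSR       = "example-pkix-csr-v1"
)

// Constructed fixed seed so the run is reproducible; never do this in production.
var seed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// signCtx produces an Ed25519ctx signature: the context string is mixed into
// the hash, so the signature commits to the (context, message) tuple.
func signCtx(priv ed25519.PrivateKey, ctx string, msg []byte) ([]byte, error) {
	return priv.Sign(nil, msg, &ed25519.Options{Hash: crypto.Hash(0), Context: ctx})
}

// verifyCtx checks an Ed25519ctx signature under the stated context.
func verifyCtx(pub ed25519.PublicKey, ctx string, msg, sig []byte) bool {
	opts := &ed25519.Options{Hash: crypto.Hash(0), Context: ctx}
	return ed25519.VerifyWithOptions(pub, msg, sig, opts) == nil
}

// signViaGenericAPI signs through the generic crypto.Signer interface, which
// offers no way to pass a context: the result is plain Ed25519, whatever the
// caller intended. This is the "standard signature API" problem.
func signViaGenericAPI(s crypto.Signer, msg []byte) ([]byte, error) {
	return s.Sign(nil, msg, crypto.Hash(0))
}

// Outcome collects the checks so they can be asserted on rather than printed.
type Outcome struct {
	SameCtxOK          bool // handshake-context sig verifies under the handshake context
	CrossCtxAccepted   bool // handshake-context sig accepted under the CSR context (must be false)
	PlainAcceptsCtxSig bool // handshake-context sig accepted by a legacy no-context verifier (must be false)
	LegacyReplayed     bool // legacy no-context sig over the same bytes accepted by the other legacy verifier (true: the cross-protocol problem)
	GenericAPIBoundCtx bool // sig made via crypto.Signer verifies under the handshake context (false: context was silently dropped)
}

// Demo runs the cross-protocol scenario with one key shared by both protocols.
func Demo() Outcome {
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	// Constructed byte string standing in for data that both protocols could
	// be induced to present for signature (the cross-protocol setting).
	msg := []byte("constructed-bytes-meaningful-to-both-protocols")

	sigHandshake, err := signCtx(priv, ctxHandshake, msg)
	if err != nil {
		panic(err)
	}
	sigLegacy := ed25519.Sign(priv, msg) // non-contextualized scheme
	sigGeneric, err := signViaGenericAPI(priv, msg)
	if err != nil {
		panic(err)
	}

	return Outcome{
		SameCtxOK:          verifyCtx(pub, ctxHandshake, msg, sigHandshake),
		CrossCtxAccepted:   verifyCtx(pub, ctxCSR, msg, sigHandshake),
		PlainAcceptsCtxSig: ed25519.Verify(pub, msg, sigHandshake),
		LegacyReplayed:     ed25519.Verify(pub, msg, sigLegacy),
		GenericAPIBoundCtx: verifyCtx(pub, ctxHandshake, msg, sigGeneric),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The last field is the practical trap: a signer reached through crypto.Signer (an HSM wrapper, a TLS library's signing callback) cannot be asked for Ed25519ctx, so deploying contexts means changing the signing API, not just the algorithm identifier.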