Re: [Cfrg] Keys for multiple cryptographic uses

Rene Struik <rstruik.ext@gmail.com> Fri, 17 January 2014 00:42 UTC

To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, Paul Lambert <paul@marvell.com>, David McGrew <mcgrew@cisco.com>, "Igoe, Kevin M." <kmigoe@nsa.gov>, Watson Ladd <watsonbladd@gmail.com>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>

Hi Kenny:

Another useful reference is the Indocrypt 2009 paper "Reusing Static Keys 
in Key Agreement Protocols" by Sanjit Chatterjee, Alfred Menezes, and 
Berkant Ustaoglu. This being said, it seems you concur that the picture 
is complicated and that the precise conditions under which key 
separation is required are not exactly known (my original note to Paul 
Lambert's practical question [and discussed as motivation in your 
2011-486 ePrint]).

Best regards, Rene


On 1/16/2014 5:57 PM, Paterson, Kenny wrote:
> Hi
>
> There is significant *scientific* literature on the question of security
> of multiple uses of keys - both for the setting where the same key is used
> in more than one algorithm of the same type (under the name of
> cryptographic agility) and where the same key is used in algorithms of
> different types (e.g. same key in a signature scheme and in a public key
> encryption scheme).
>
> Cautionary examples include:
>
> T. Jager, K.G. Paterson and J. Somorovsky, One Bad Apple: Backwards
> Compatibility Attacks on State-of-the-Art Cryptography. In Network and
> Distributed System Security Symposium (NDSS 2013).
> http://www.isg.rhul.ac.uk/~kp/BackwardsCompatibilityAttacks.pdf
>
>
> J.P. Degabriele, A. Lehmann, K.G. Paterson, N.P. Smart and M. Strefler, On
> the Joint Security of Encryption and Signature in EMV. In O. Dunkelmann
> (ed.), CT-RSA 2012, Lecture Notes in Computer Science Vol. 7178, pp.
> 116-135, Springer, 2012. Full version at: http://eprint.iacr.org/2011/615
>
>
> Positive (and some negative) results can be found in:
>
> K.G. Paterson, J.C.N. Schuldt, M. Stam and S. Thomson, On the Joint
> Security of Encryption and Signature, Revisited. In D.H. Lee and X. Wang
> (eds.), ASIACRYPT 2011, Lecture Notes in Computer Science Vol. 7073, pp.
> 161-178, Springer, 2011. Full version at http://eprint.iacr.org/2011/486
>
> Acar, T., Belenkiy, M., Bellare, M., Cash, D.: Cryptographic agility and
> its relation to circular encryption.
> In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 403-422.
> Springer, Heidelberg (2010)
>
> Coron, J.S., Joye, M., Naccache, D., Paillier, P.: Universal padding
> schemes for RSA. In: Yung, M. (ed.)
> CRYPTO 2002. LNCS, vol. 2442, pp. 226-241. Springer, Heidelberg (2002)
>
> Haber, S., Pinkas, B.: Securely combining public-key cryptosystems. In:
> ACM Conference on Computer and
> Communications Security. pp. 215-224 (2001)
>
> This list is by no means complete, but serves to illustrate that the
> picture is complicated and we are far from having a full understanding of
> this domain. Several additional references can be found in the
> first-mentioned paper above.
>
> Finally, let me draw your attention to this very recent paper which
> highlights the issues arising from multiple key usage in the context of
> TLS:
>
> Karthikeyan Bhargavan, Cedric Fournet, Markulf Kohlweiss, Alfredo Pironti,
> Pierre-Yves Strub, and Santiago Zanella-Beguelin. Proving the TLS
> Handshake Secure (as it is).
> https://www.mitls.org/downloads/Proving_the_TLS_Handshake.pdf
>
>
> Happy reading.
>
> Cheers
>
> Kenny
>
> On 16/01/2014 17:37, "Paul Lambert" <paul@marvell.com> wrote:
>
>> Hi Rene,
>>
>>> -----Original Message-----
>>> From: Rene Struik [mailto:rstruik.ext@gmail.com]
>>> Sent: Thursday, January 16, 2014 2:31 PM
>>> To: David McGrew; Igoe, Kevin M.; Paul Lambert; Watson Ladd
>>> Cc: Yaron Sheffer; cfrg@irtf.org
>>> Subject: Keys for multiple cryptographic uses (was: Re: [Cfrg] Outline
>>> -> was Re: normative references)
>>>
>>> Hi Paul et al:
>>>
>>> A counterexample in practice to the "received wisdom" not to reuse
>>> public keys both for key agreement and non-repudiation is during
>>> certification requests, when the key to be certified is to be used for
>>> uses including key agreement and where the request is signed.
>>>
>>> [see also NIST SP 800-56a-2013, Section 5.6.3.2, item #5:
>>> A static key pair may be used in more than one key-establishment
>>> scheme.
>>> However, one static public/private key pair shall not be used for
>>> different purposes (for example, a digital signature key pair is not
>>> to be used for key establishment or vice versa) with the following
>>> possible exception: when requesting the (initial) certificate for a
>>> public static key-establishment key, the key-establishment private key
>>> associated with the public key may be used to sign the certificate
>>> request. See SP 800-57, Part 1 on Key Usage for further information.
>>> ]
>>>
>>> While key separation seems prudent, it is not entirely clear (to me)
>>> whether the conditions under which this is required are precisely
>>> known (even in the above-mentioned case of signed certificate
>>> requests).
>>
>> Yes - exactly! Caution is good ... but once this guidance was set down
>> we have not bothered to investigate deeply which algorithm combinations
>> are secure for mixed use.
>>
>> Additional wisdom on where specific Oracles exist would be very
>> informative.
>>
>> Thanks,
>>
>> Paul
>>
>>
>>>
>>> Best regards, Rene
>>>
>>>
>>> On 1/16/2014 3:30 PM, David McGrew wrote:
>>>> Hi Kevin, Paul, and Watson,
>>>>
>>>> On 01/16/2014 02:42 PM, Igoe, Kevin M. wrote:
>>>>> Paul Lambert
>>>>> On Thursday, January 16, 2014 1:43 AM Paul Lambert wrote:
>>>>>
>>>>>> A truly 'unified' public key system would support both signatures
>>>>>> and key establishment with the same key.
>>>>>>
>>>>> Received wisdom is that using the same key for both key
>>>>> establishment and signatures is a bad idea.  I believe the concern is
>>>>> that one protocol might be used as an Oracle to subvert the other.
>>>>
>>>> Agreed on that point, but there is a background issue here that I
>>>> want to ask about.
>>>>
>>>> [snip]
>>>
>>>
>>> --
>>> email: rstruik.ext@gmail.com | Skype: rstruik
>>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
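As an added example (not part of this thread or of any of the cited papers), the single-purpose rule of NIST SP 800-56A Section 5.6.3.2 item 5 quoted above, including its certificate-request exception, expressed as an audit over key-usage records. The record format, operation names and key identifiers are constructed for this illustration.

```python
"""Audit key-usage records against SP 800-56A Rev. 2, Sec. 5.6.3.2 item 5:
a static key pair is used either for digital signatures or for key
establishment, not both, with one exception: the key-establishment private
key may sign the (initial) certificate request for its own public key.
Record format and identifiers below are constructed for this example."""
from collections import defaultdict

# Map concrete operations onto the two purposes the rule keeps apart.
SIGNATURE_OPS = {"ecdsa-sign", "rsa-pss-sign", "rsa-pkcs1-sign"}
KEY_ESTABLISHMENT_OPS = {"ecdh", "rsa-oaep-decrypt", "rsa-kem-decrypt"}

# Constructed audit log: each record is one private-key operation.
# target == "own-csr" marks a signature over the request for this key's
# own certificate, the one case the rule permits for a key-agreement key.
SAMPLE_RECORDS = [
    {"key": "ke-key-1", "op": "ecdsa-sign", "target": "own-csr"},
    {"key": "ke-key-1", "op": "ecdh", "target": "tls-session-42"},
    {"key": "sig-key-7", "op": "ecdsa-sign", "target": "document-9"},
    {"key": "dual-key-3", "op": "ecdsa-sign", "target": "document-11"},
    {"key": "dual-key-3", "op": "ecdh", "target": "tls-session-43"},
    {"key": "ca-key-2", "op": "rsa-pss-sign", "target": "csr-of-ke-key-1"},
    {"key": "ca-key-2", "op": "rsa-oaep-decrypt", "target": "mail-5"},
]


def purpose_of(op):
    """Classify an operation; unknown operations are an error, not ignored."""
    if op in SIGNATURE_OPS:
        return "signature"
    if op in KEY_ESTABLISHMENT_OPS:
        return "key-establishment"
    raise ValueError("unknown operation: %s" % op)


def find_mixed_use(records):
    """Return {key: sorted purposes} for every key used for more than one
    purpose once the own-CSR signing exception has been applied."""
    uses = defaultdict(set)
    for rec in records:
        purpose = purpose_of(rec["op"])
        if purpose == "signature" and rec.get("target") == "own-csr":
            continue  # permitted: signing the key's own certificate request
        uses[rec["key"]].add(purpose)
    return {k: sorted(v) for k, v in uses.items() if len(v) > 1}


if __name__ == "__main__":
    for key, purposes in sorted(find_mixed_use(SAMPLE_RECORDS).items()):
        print("mixed use: %s -> %s" % (key, ", ".join(purposes)))
```

Note that ca-key-2 is flagged even though it signed a CSR: the exception covers only a key signing the request for its own public key, not a key that signs other parties' requests and also decrypts.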