IETF Logo Mail Archive

[CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-01.txt

Alicja Kario <hkario@redhat.com> Fri, 06 September 2024 16:04 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05A56C14F6EA for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2024 09:04:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.253
X-Spam-Level:
X-Spam-Status: No, score=-2.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b-7OkTIdJmCE for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2024 09:04:25 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42BD6C180B63 for <cfrg@ietf.org>; Fri, 6 Sep 2024 09:04:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1725638664; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EzaYtY0/TSolVYUtcUzpmEFtQmR2P2d8zua2rx095+M=; b=IktxAuApQhBBEhgF+cxJw7OiUuEVfsSsE5dQckII7MhGlyELV7y6eoCmk6QF+NEMZQ7BxI cjnGAmsbu9VAn8Qu7ArfIEpac22ClAPj3odpvZyThhVoTiUOMdO8fiaBzJM59l5LLgeVF6 jVy2GLBQ5zllzzZkW4I1GT5ejp4A39o=
Received: from mail-lf1-f71.google.com (mail-lf1-f71.google.com [209.85.167.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-353-LgfJUUYTO5uH2zuxf2K__g-1; Fri, 06 Sep 2024 12:04:22 -0400
X-MC-Unique: LgfJUUYTO5uH2zuxf2K__g-1
Received: by mail-lf1-f71.google.com with SMTP id 2adb3069b0e04-5356aaecdf6so2451763e87.2 for <cfrg@ietf.org>; Fri, 06 Sep 2024 09:04:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725638661; x=1726243461; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=gdMRZrKtzM5c+H0sRvgw9dchUFlcPS6dHZPL5o2si/U=; b=Ch/tExnEgc/Cs9WBw4O3iyDSVIk6D3JyGd9VoiUA2a85mLxKxBFpsXSbNz1z4kgrQJ NZ+nIBeCqXAH+oL7UeN/gKgsd5QojVcTRRf7yDjgdXXwe03vjhKNVinmIZD29yKVEveu zup30r/fnodVijHhXwjfkVRjjbJYnPLboTBm0hhYJ0/pafQwh5ofwf8+KO3AQ3FU2Zn4 9Ijf9f33ZXdC+PFRBuWVF3H7dGglVqcdOyQR+LJXavbBjgpJYAcoAg0maE0wdsQwQe4N k3jQ37jwgaZuxvxSeNLS8RSs8gV+mJVGJ0EuiDsVsX3qvkKrg7JHzRwtr93dS72dDNCh wELQ==
X-Forwarded-Encrypted: i=1; AJvYcCVnWye89CQgYEUv1wcW8VGHeK6uXCEqxAZ2mKvxtBdA/z5pqKf8TtTbiWJFe5hhP5yBQm/L@ietf.org
X-Gm-Message-State: AOJu0YyGUfB+9xWgc0rU2xCvikUrsJOzIXsgKnh0U4PytmU9r+usQJQg Jb6F+UVtf64dkVgfRwnKfFCdyODQ+0NqdBsf55PX8JZWclcgOkwUw/RBNKSJnC+pJRhehABK9e6 axodaxbrHrH/mr9mEq+oAX9rgrTewUwmzFF5bkn0oaQ==
X-Received: by 2002:a05:6512:1392:b0:533:809:a94d with SMTP id 2adb3069b0e04-536587ad9c5mr2289616e87.17.1725638661140; Fri, 06 Sep 2024 09:04:21 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IG8y0SSe3/5UWiZ4zCTc+m0BChqtlc6A9Kuxbo44ajYtXkMUmbVBoZ8ghwpmTmrEug/M+kk6w==
X-Received: by 2002:a05:6512:1392:b0:533:809:a94d with SMTP id 2adb3069b0e04-536587ad9c5mr2289577e87.17.1725638660344; Fri, 06 Sep 2024 09:04:20 -0700 (PDT)
Received: from localhost (nat-pool-brq-u.redhat.com. [213.175.37.12]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-42ca05ccbf5sm23756915e9.16.2024.09.06.09.04.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Sep 2024 09:04:20 -0700 (PDT)
From: Alicja Kario <hkario@redhat.com>
To: "Riad S. Wahby" <rsw@jfet.org>
Date: Fri, 06 Sep 2024 18:04:18 +0200
MIME-Version: 1.0
Message-ID: <3efb9ac7-5c30-41cc-b9f4-af3a3113121a@redhat.com>
In-Reply-To: <6nseitllindpwcbgbdbkho7jjjkahzcn4s3mpfonkgyhqglzar@u6vsrplr5hbs>
References: <172538719711.1420249.4393971363081609427@dt-datatracker-68b7b78cf9-q8rsp> <02e9a51e-b938-49f2-b832-de4d3ec575ee@redhat.com> <CAMm+Lwh3DwF1GA=WUMEsXZ-Ho__AKB6R-kfkxF9=pRZxn3jZBw@mail.gmail.com> <dad51c80-4eb6-423a-af8f-9a99c86377be@redhat.com> <g7dd62nttkb7u3qyki6b5hpjyk5opz36ehpbgvx4i3hr6batan@3vpb3ubbwt6p> <96769b45-db3a-4ab5-9a5f-dfcf635e4db6@redhat.com> <6nseitllindpwcbgbdbkho7jjjkahzcn4s3mpfonkgyhqglzar@u6vsrplr5hbs>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.13; xcb; Linux; Fedora release 39 (Thirty Nine)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: S7CWQPA477GV5UQCWYETX5LRYYZ6RW4E
X-Message-ID-Hash: S7CWQPA477GV5UQCWYETX5LRYYZ6RW4E
X-MailFrom: hkario@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-01.txt
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/oZZpgHQqiyC5L8ijzXwClE3uks0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

On Friday, 6 September 2024 16:14:27 CEST, Riad S. Wahby wrote:
> Hello Alicja,
>
> Thanks for your message. I completely understand your position, so I guess
> at this point I'm just advocating for the devil. But here goes, in reverse
> order:
>
> Alicja Kario <hkario@redhat.com> wrote:
>> Also, RFC 8017 says nothing about how to generate the RSA parameters.
>> 
>> So, I consider key generation out of scope.
>> See https://github.com/tomato42/marvin-ietf/pull/new/outside-scope
>> for the proposed text.
>
> This text is strictly true but also pretty unhelpful to the reader.
>
> Reader thinks: "But I need to generate keys... so what do I do now?"
>
> It seems like at the very least it makes sense to recommend generating keys
> on a system that is safely hidden from prying eyes. And perhaps in this
> context that's enough---even if it still seems like a missed opportunity
> to help the reader by at least waving in the directin of countermeasures!
>
>> The protections I talk in the Draft are for remote timing attacks,
>> potentially conducted even over the Internet.
>> 
>> How do you perform a remote network based attack against RSA 
>> key generation?
>
> This question is hard to answer in part because answering "how" requires
> knowing details of the system being attacked. I don't have those details.
>
> But if you're asking, does there exist a system in which RSA key generation
> can be attacked remotely via timing, my guess is very much yes: at this
> point it seems prudent just to assume that remote timing attacks are always
> practical in the absence of countermeasures. That's an over-approximation,
> but recent history suggests it's not all that far off.

And I'm going to say that the answer is "no".

Because simple timing attacks require you to measure the same operation
on the same secret values. If you have a situation where the attacker can
force you to generate private keys with the same RNG seed values you
have much bigger issues than side channel attacks.

So, just like Raccoon attack is impossible against server that uses 
ephemeral
key shares, remote timing attacks against RSA key gen that uses actual
entropy is not possible.

If you have a system that simply transmits in EM spectrum values
of the registers before operating on them, then there's literally nothing
we can do to protect against an attacker that can read the EM spectrum.
But that's not the typical system and that's not the typical attacker.
This is not a guide for designing TEMPEST hardened solutions.

So, please, let's focus on realistic scenarios, and not go into the weeds:
don't let the perfect be the enemy of the good.

> Or, putting on my Captain Obvious hat: "we've taken steps to prevent X"
> is always preferred to "we can't imagine how an attacker will do X".
>
> I'll end my devil's advocacy here. And: thank you for doing the hard work
> of writing down these valuable recommendations---please don't mistake
> my free-floating anxiety for a failure to appreciate your efforts!

OK, I'll take it as the PR https://github.com/tomato42/marvin-ietf/pull/3
being good enough.
-- 
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

v2.43.4 | Report a Bug | By Email | System Status