[CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-09.txt
Alicja Kario <hkario@redhat.com> Mon, 29 June 2026 18:41 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: cfrg@mail2.ietf.org
Delivered-To: cfrg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C5BEF10A117C8 for <cfrg@mail2.ietf.org>; Mon, 29 Jun 2026 11:41:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782758502; bh=McB/LkIARi2eD/s0VTzq1oVAYr2wlOzLs4HS6mU4z6w=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=oIYKER/dxUDuvhCXowmhFP/Sl01/2Q5By+fzl9MiXDIkDfF+MJ7iyUuhYUPHhEqQS H6UsV2iftoAfNWBCBeGhyfJlh4doUFaaVUL0wule6CSWMbVOTwUIIKnx4GbBrCXxMo Nl7vhmq1u1t6FVAEy8sz9YBVPwdewyqud3/jZeiw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id if_vzJW47Xap for <cfrg@mail2.ietf.org>; Mon, 29 Jun 2026 11:41:42 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7687C10A116B2 for <cfrg@irtf.org>; Mon, 29 Jun 2026 11:40:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1782758425; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=dWzzFLHTeFe1qjZCPVzygx4AWTH3kuHEyBsTOwYGOMM=; b=bbfvhr++4qMkxe04H5qxoGwjVTpmc6xxtvmP+e/TKbWhvLeT/U+r4haplxKOK8AsAln6M/ lOc5Er+0/Qu4l/WuSOGuJvBw8h+zfcNZj/Guq2RNKuRtj24XGqWnH11uqBFPoKASG7EwOw BfthKAJsIBlBMJxIfkdkm6hx9nRXiTM=
Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-63-OAk27iDJPYe-RkI3bamt0w-1; Mon, 29 Jun 2026 14:40:23 -0400
X-MC-Unique: OAk27iDJPYe-RkI3bamt0w-1
X-Mimecast-MFC-AGG-ID: OAk27iDJPYe-RkI3bamt0w_1782758422
Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-4924583c7baso40193255e9.1 for <cfrg@irtf.org>; Mon, 29 Jun 2026 11:40:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782758422; x=1783363222; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=+5evwCx3ckQkP6i5shggE8SCWFe/ZsIHXTWfxER9y94=; b=pRTcdZfK0dCwqQ1XIJoMYVXRmGaIaLgzsKMEg/j9mV1LKEdIAxUrc103FKhY+Xsunm uFHwjImUT5TbqY8bfoSlN5vazY1T6E0l9skein25W1uSKkQmVK/FrkxRWu2HweyFYznj adr7olw1uOXDE6d04jMs0TiKRVzbFbO5uTktkRAv2KBMxgpk3khzP+RbnMTDZMT5Hrh/ GqV7x/AHucOsd06yn90zsbi6kdDkKNaUnTGTVwp4npyZKCw+TLLG3ta78XyVUkwpcpNo Z0hRWLKwl0J9Lb3RashYrzDapNoedWxIhBA6BGp5vbXTlGznY25VMsxlRc+/g9KS6WIF lQJA==
X-Gm-Message-State: AOJu0Yyhp82OcYsU7koNDyF41dD6DNVur5rAlP/ujmxR3kEV1LMm5njo YKR5+P/lOyD4ZF5kPU4CW2ViLU3LErp2p2ArkZGde5gdlhyYKfQnjba6MMTkoIzmH04TZdtfiZ/ i8vcEO1l92AVAOcIiazZ6aThCZCRf8pIZ2W0uKLyNnOeC7z/fnRA/qw==
X-Gm-Gg: AfdE7cmYWFaHHpzjRb4GxD9sm9GXxAD6cjDR1a79NUOQg48ktjaBm+wFdFljCjdIdNu mmPq05HoX58EkjimdhCnYYs8rsQJz2Gsz4aNJeaZ2+NHlJxkdgtSOm7ktizfCx5fA7GADkhqTvh R9QfWAUfzuoH6RDVd84SclcQpPvgOQ/KY7lKYYPdE0S0AwsFe3ehRxZg7LBshZWl3JEAQVoQrXF ZMdHneEurUdBKpSqOwHK1o42GSww+jID7jYJPyFvQW+TF8J6Sp6rGCJYbEykcLqO8DS2WvRrPYW n1SCoyKG2wWP6tNab3DENSudKgCYa00IGVAFgZkE9oAi/KS0AD6vJ7vTKQMSsQx8tuHjEI4HJ4f a1YJjP/WpN9RqfRj1L5xG0pIB9HOta2PLeVs=
X-Received: by 2002:a05:600c:c83:b0:493:aa24:792b with SMTP id 5b1f17b1804b1-493b82b0e10mr13135015e9.22.1782758422083; Mon, 29 Jun 2026 11:40:22 -0700 (PDT)
X-Received: by 2002:a05:600c:c83:b0:493:aa24:792b with SMTP id 5b1f17b1804b1-493b82b0e10mr13134635e9.22.1782758421651; Mon, 29 Jun 2026 11:40:21 -0700 (PDT)
Received: from localhost (ip-94-112-13-93.bb.vodafone.cz. [94.112.13.93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4756778f015sm60095f8f.31.2026.06.29.11.40.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 11:40:21 -0700 (PDT)
From: Alicja Kario <hkario@redhat.com>
To: Michael StJohns <msj@nthpermutation.com>
Date: Mon, 29 Jun 2026 20:40:20 +0200
MIME-Version: 1.0
Message-ID: <d1f76682-1563-4789-b72a-d160d0001a07@redhat.com>
In-Reply-To: <f3833237-1c74-4679-a989-1ddc59d908d8@nthpermutation.com>
References: <178249028053.1700343.17333027857089927144@dt-datatracker-f9b87776f-xzl65> <9600be9b-5a3d-4fca-ad34-810ee38decd8@redhat.com> <f3833237-1c74-4679-a989-1ddc59d908d8@nthpermutation.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.18; wayland; Linux; Fedora release 43 (Forty Three)
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: f_iP7F9GZ-f1PBK8iFIXF-W5exG8snrqssYRGSjS0kY_1782758422
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: QVGGMIGO7JRM4RRYBTUX2SDVNHLWPTI4
X-Message-ID-Hash: QVGGMIGO7JRM4RRYBTUX2SDVNHLWPTI4
X-MailFrom: hkario@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; header-match-cfrg.irtf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg@irtf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-09.txt
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/s73PGY2mr5IQb6aQBph6--8AyEw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
On Friday, 26 June 2026 20:43:22 CEST, Michael StJohns wrote: > Two more suggested changes in the same vein: > > In the abstract: > s/This document specifies additions to RFC 8017. Specifically, > it provides/This document supplements RFC 8017 by providing/ > > In the security considerations - instead of what's there > (including "specifies"): > > "The entirety of this document provides guidance for the secure > implementation of the RSA standards and algorithms." > > And a quick scan through: > > 1 - second para: "Protections against them" - sightly > ambiguous. Instead "Protections against such attacks" > > Section 6 - somewhat inconsistent use of SHOULD/should and > MUST/must - suggest a pass to review. AIRC, the use of BCP14 > language is disfavored in non-standards. At most what this > document is doing is making suggestions for the implementer (who > may or may not have other requirements to meet) rather than > imposing requirements, so lower-casing all of these and removing > section 3 may be appropriate. I would say that the MUST in 5th paragraph of Section 5: "...the algorithm MUST be implemented as stated..." is necessary, so I'm strongly opposed to dropping BDP14 language in entirety. Fair point on the inconsistent use though. Will try to address it tomorrow. > Section 6 - power based side channels attacks aren't mentioned > in this section at all, and there may be design tradeoffs > between memory, power, processing etc. A paragraph (e.g. more > than a throwaway note in section 5 and in section 9.1) > indicating the limitations of this discussion with respect to > other side channels not fully discussed/developed here may be > appropriate. > > General - I see not a single mention of existing testing > regimes, and what they miss/might miss without these > improvements. And a few brief notes on how effective these > mitigation techniques might be against machine-learning based > SCA might also be useful. I'll answer both of those paragraphs together. The big issue is that it depends on multiple things: - the leakage of the hardware in question - assumed capabilities of the attacker - no "gold standard" for side-channel analysis the same way we have for timing Some of those operations (like blinding) are just defence in depth (if the whole modular exponentation is side-channel free then it's not necessary, OTOH, if it is leaky with respect to the base, then that is an easy fix for it). For timing side-channels we do have the "Traditional Constant Time Model" (as defined by https://arxiv.org/pdf/2606.13000) that can be summed up as "no secret-dependent branches, no secret-dependent memory address location accesses, and no instructions with secret-dependent timing". That is achievable in practice on commodity hardware (x86_64, aarch64, ppc64,...) The problem is that for more physical side channels, like power, EM, etc. the typical platforms that need this kind of protections use very simple hardware (microcontrollers, not full-fledged microarchitectures) that may not even have a timing-side-channel free multiplication unit (*cough*Cortex M4*cough*). Then we have the issue that the dominant assesment method (TVLA) is so flawed that you can write papers just on ways that it fails: https://pdfs.semanticscholar.org/e518/a72553adbae0df971c8e13a7fc5c68461662.pdf Generally, testing for side-channels is a *mess* and thus the typical countermeasures are also rather bad (target specific attack method, not leak in general). But I don't think this is a fight that a CFRG document should contribute at this point. > Overall, a useful document and fairly easy to understand. Thank you! > Mike > > > > > > On 6/26/2026 12:16, Alicja Kario wrote: >> Document was updated to make it clear that it's the consensus of CFRG, not >> a IETF standard. >> >> On Friday, 26 June 2026 18:11:20 CEST, internet-drafts@ietf.org wrote: ... > -- Regards, Alicja Kario Principal Quality Engineer, RHEL Crypto team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
- [CFRG] I-D Action: draft-irtf-cfrg-rsa-guidance-0… internet-drafts
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Michael StJohns
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Michael StJohns
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Michael StJohns