Re: [Cfrg] WebCrypto Security Guidelines into IRTF Informational Draft?
Watson Ladd <watsonbladd@gmail.com> Mon, 02 November 2015 00:34 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 302021B3D88 for <cfrg@ietfa.amsl.com>; Sun, 1 Nov 2015 16:34:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmAbrAIKHud7 for <cfrg@ietfa.amsl.com>; Sun, 1 Nov 2015 16:34:48 -0800 (PST)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D8D31B3DA9 for <cfrg@irtf.org>; Sun, 1 Nov 2015 16:34:48 -0800 (PST)
Received: by wmeg8 with SMTP id g8so46809326wme.0 for <cfrg@irtf.org>; Sun, 01 Nov 2015 16:34:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=mgKfjOxhFWxY4oBzueorQ3kQvJElNzz1JD50oac94Tc=; b=sDHXap0uPeJeeydWVRk197uPRwRUXyZerhRiS5q//7XHPjUenNsvhe6w/Q5WjD2mOX k2hTO45th6vFPDaw9HLFU62lKxyFdTTpNy/MvpkvfymwwSgUW0AY9hUBPEzAdD3A0cyz /FP2ckI3hZ95jZNBolAIkHAXtYmKp1VnhpVmPJff+jQ3sC46lP4/h7zcndvUJqWXr9pS /rcaijlkLHFPIRMu9wT+vf0U9jgkgXFyG2Tm61TVuLV7r2xJRxU2S17bLBKJ4PYAZVv8 OGe+2jOu0rdOysANwWL7ksBR+pLtlomY1UtHOXI9R5TzNTXdNzp86gD69GbQ0+Nw59Od F7IA==
MIME-Version: 1.0
X-Received: by 10.28.173.194 with SMTP id w185mr10584850wme.23.1446424486739; Sun, 01 Nov 2015 16:34:46 -0800 (PST)
Received: by 10.28.101.212 with HTTP; Sun, 1 Nov 2015 16:34:46 -0800 (PST)
In-Reply-To: <5636A760.8080207@w3.org>
References: <5636A760.8080207@w3.org>
Date: Sun, 01 Nov 2015 19:34:46 -0500
Message-ID: <CACsn0c=18dyVEQE9=DzgDJOdBCmtjQPCRrNxBw6-2BK6kSkBqA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Harry Halpin <hhalpin@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/sS-6Isst_zQ-CE6YAv5tbtrMeeY>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] WebCrypto Security Guidelines into IRTF Informational Draft?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2015 00:34:50 -0000
On Sun, Nov 1, 2015 at 6:59 PM, Harry Halpin <hhalpin@w3.org> wrote: > CFRG, > > Note we did a update taking into account the last round of feedback of the CFRG, and we'd like to ask CFRG if they are any objections to moving this forward. I can file and Internet Draft tomorrow if there are no objections to moving it forward. Input from end-users of the WebCrypto W3C draft said a security guideline document would help them, so we'd like to have this resource available and myself and INRIA can maintain it. Developers will mostly look at the "Yes/No" table for future use. > > The new draft is here: > > http://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-01.html I think this is a necessary idea, but I have several substantive comments: This document discusses nonce reuse issues with AES-CTR but not with AES-GCM. This is a recipe for disaster, as readers will not realize that the same warning needs to be applied to both. The above discusses CCA security. Is this actually useful to a developer who doesn't know anything about cryptography, the intended audience for this document? HKDF should not be used with passwords! As it stands the above document recommends it over PBKDF2. There are no key size recommendations. RSA 512 is perfectly fine according to this document. "Note that draft, while attempting to gather consensus of the cryptographic literature, may not be complete and there may be disagreement". What, you expect attacks to depend on Mochizuki's proof of ABC conjecture, or Arthur finishing the proofs in chapter 9 of his book? No, there is really no disagreement for these algorithms about what the best attacks are and how long they take. Many of the citations are just wrong. The claim of security proofs of ECDH links to a paper about hard-core predicates, which, while theoretically important, aren't what protocols rely on. This misunderstanding of how security proofs work extends to ECDSA. While a Pointcheval-Stern result doesn't exist, I doubt anyone believes a forger exists with time-space complexity substantially faster than solving discrete logarithms. All security proofs are dependent on assumptions like one-way function (at weakest) or strong RSA (medium) or sometimes ridiculous assumptions like q-XSIGDH (I hope that isn't a real assumption, but it might be!). The statements about proofs murders these details, and the result is just wrong. It remains unclear to me how this document helps developers. If they make applications which need to comply with bad crypto in an old protocol, they are stuck. If they don't have an existing model, they are making new crypto and really, really should call someone before they go on. So what's left, and what do they need to know? I hope that these points can be corrected as this document progresses. > > The main changes, based on CFRG feedback, was to change the 'No' to future use for ECDSA to 'Yes.' We've updated the description of applying MACs to anything not AES-GCM, and added a reference to the Weak DH attack, as well as clarified the 'nonce' terminology. > > We have *not* yet added CFRG curve recommendations, although we will once browser vendors decide to expose them to WebCrypto. We think a paragraph that then explains the nuances (side channels, etc.) of the CFRG's discussion re elliptic curve choice would be useful. > > I am not at IETF but Wendy Seltzer is and she can possibly field questions if she is in CFRG about W3C process, although not the specifics of the document. > > Again, we'd like to maintain this document, so we welcome feedback. > > Although not formally tied to any particulars, we'd like for the W3C WebCrypto spec to reference this document informationally before it goes to Recommendation status at the end of the year. > > cheers, > harry > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [Cfrg] WebCrypto Security Guidelines into IRTF In… Harry Halpin
- Re: [Cfrg] WebCrypto Security Guidelines into IRT… Watson Ladd
- Re: [Cfrg] WebCrypto Security Guidelines into IRT… Taylor R Campbell
- Re: [Cfrg] WebCrypto Security Guidelines into IRT… Simon Josefsson