IETF Logo Mail Archive

Re: [CFRG] [Non-DoD Source] Re: Please review draft-ietf-drip-rid

"Gajcowski, Nicholas H" <nhgajco@nsa.gov> Thu, 23 September 2021 17:16 UTC

Return-Path: <nhgajco@nsa.gov>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 681AC3A1447 for <cfrg@ietfa.amsl.com>; Thu, 23 Sep 2021 10:16:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.162
X-Spam-Level:
X-Spam-Status: No, score=-3.162 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.612, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nsa.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KzAGex-cHj_v for <cfrg@ietfa.amsl.com>; Thu, 23 Sep 2021 10:15:55 -0700 (PDT)
Received: from USFB19PA33.eemsg.mail.mil (USFB19PA33.eemsg.mail.mil [214.24.26.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5ADE3A1429 for <cfrg@ietf.org>; Thu, 23 Sep 2021 10:15:53 -0700 (PDT)
X-EEMSG-check-017: 262157159|USFB19PA33_ESA_OUT03.csd.disa.mil
X-IronPort-AV: E=Sophos;i="5.85,316,1624320000"; d="scan'208,217";a="262157159"
Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3]) by USFB19PA33.eemsg.mail.mil with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Sep 2021 17:15:49 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nsa.gov; i=@nsa.gov; q=dns/txt; s=nsa.gov; t=1632417350; x=1663953350; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=DfxhZe4ZcXRmf2Yc2fbRjN6B1sfAU5iytkgQghKj9cU=; b=L7cTLsOvaAdGte2IJcLY0PzxDXerp6ptynZeUiU3Rzm9NB1bXCR1iudD bl8DrNc0A6KVxK8qaaYhiGtjutNsDTz4Qrx7sNIXHzVJrdwRt7YG8/T/l t96ZyRjAhVThqv1yhs1DnKDZvZs+uyRLTTO+pTUz6mkdzZNV8xCARgfzc oHW+KUDhXPd+3txlnQpQDSK984SKNV9QK75UOOMKgSz+D32At640mgl4q Ba0a66ZVzWbrFUC3EgFcO+q7HIcBc9eCtTGLx1pHpe2SIhqqZrBZz6r11 wYrv06yWZ2JDlQ9MgCH4DH40dV5FwZhp1rqtwiWET054uV2ZbxvW7eyLF Q==;
X-IronPort-AV: E=Sophos; i="5.85,316,1624320000"; d="scan'208,217"; a="64942805"
IronPort-PHdr: A9a23:0m1DwR17L7IEsX8ysmDO5AMyDhhOgF0UFjAc5pdvsb9SaKPrp82kYBaHo6wz3RSQBdWTwskHotKei7rnV20E7MTJm1E5W7sIaSU4j94LlRcrGs+PBB6zBvfraysnAJYKDwc9rDm0PkdPBcnxeUDZrGGs4j4OABX/Mhd+KvjoFoLIgMm7yfy+94fObwhJgDexbq5+IAm1oA7MqsQYnIxuJ7orxBDUuHVIYeNWxW1pJVKXgRnx49q78YBg/SpNpf8v7tZMXqrmcas2S7xYFykmPHsu5ML3rxnDTBCA6WUaX24LjxdHGQnF7BX9Xpfsriv3s/d21SeGMcHqS70/RDqt771vSBT1likJMTA3+3zThsBpjK9XpRSsrAF9zYHJeoGYLPpwcL3Ac9MGS2RPXchRWC5AAoygYIQCFPAOMfpar4Tnu1cCsRmzCA+xD+3v0D9IgXr20LU03+ogCw7G3hAvH9UAsXTPr9X1Nb8eWv2twqnJ0TrDb/RW2TPn54jTbxsvo/+AVq93fMrXyUkvGBnKjleMpoziJD6V0P8NvHKB4+pvUuKvlXcqpgdsqTeg2skikJPGhp4Jyl/a7yV5xp44KNOmRENmYdOpDJpduj2UOoZ2TM0vQGBltiknxrAJvZO2fCcExZsoyhPcZfKKfYaF7gz/WeuRLjl1i3BodK69ihu07EOuxOr8Vsyu31ZLqCpIitjMtmoR1xzd8MSHTeF9/kin1D2S1A7T8vlJLV07mKfUMZIswqM8moAOvUnMAiP6gkb7gLOOekk55uSk8frrbqjpq5OGKYN5ixvyPrkgl8G9Geg0LwcDUmeB9em8ybHv51D1TbpWgvEskaTUs5bXLtkBqKGjGQ9ayIMj5g66DzehzdsXg2EKLElAeBKbl4jpPEzOIOzgAfe/nVuslDBryujBMLP8AJvDMGHPnrbjc7pg8kJTxgU9wMxf6p5IEL0OPPXzWlXptNDCCB85KBa7z/zoCNV6yIMSQWOPAqmHP6POqVKE++0iLuaWaIIVpTrxMeUp6vHygXMjmlIRYbGl3Z4NZ3C5GvRmLV+ZYX3pgtoZF2cKvgU+Q/boiFKeVj5efHCyX7km6T0hB4KmCpnDSpi3gLOdxCe7AoFWZmdeB1CWHnfocpyIW+wSZy2OOcJhkiAEVaS4R4A90hGushT6y6djLurI4CEXqZXj1N1t7e3JiR4y7SB0D9ia02yVU250kHkIRzAt0aB+v0N91lmD3bJ/g/xCGtwAr89OB0gAMpTR1fAyLtfpWQXef8ubBx7yWNqjRCo8Rfox38NLaEF7AMimklbI2C/8R/dfnLKRC7Q1/77SmX/rKIw1n33IzqYJjlQ6TI1IL2Lw1YBl8A2GTaHAkU6eiL2pdOBU+i/G9GCHxHHGnAsQBAhwXqzHVnc3YFDf69v++BWRHPeVFb07P14Zmoa5IaxQZ4is0D17
IronPort-Data: A9a23:8to1DqpgmLOBWSBqSxPdYY8D5P9eBmLIZxIvgKrLsJaIsI4StFCztgarIBmPOPqIZGShLtF3bNjipEgE75+Bz4NqGwFspX8yQilEpJacVYWSI27OZC7DdceroGBPtJxCN4aafKjYbVeB/Ev3Yui5xZVEOBLhqoPUUIYoAQgsA185IMsdoUg7wbdh09Qz2YHR7z6l4LseneWOYDdJ5BYpagr424rbwP9elKyaVAEw5zTSVtgS1LPqrET5ObpETU2HByaiHtMETrbSq9Hrl9lV9kuBl/sk50jMfrzTKiXmSZaKVeSCZ+Y/ZkSsvvRCjnRaPqcTEcE8VQJ4q2zMov1YlY0LvpuqUUEvJaSKl+MDO/VaO3giYesbofmefSD54ZT7I07uKhMAx91oDE4/P4Yf0uBsCCdB8uJwxDUlMEzS27jmmO/Tpu5Ew55LwNPQFJkQvzR7wDrxDeo6BJvERb7X4cMe1zA17uhFE+zRT8sUdTQpaw7PCyCjkH9/5IkWmfyomjzwc2QdtV+c+PJx6G/J1Ep3y7GrP93LEuFmjP59xi6wzl8qNUygav3CCOGi9A==
IronPort-HdrOrdr: A9a23:7fSw5a4CjN/hxeFgAgPXwCrXdLJyesId70hD6qkXc20uTiX4rbHUoB11726MtN98YgBFpTniAsK9qBHnlKKdiLN5VYtKOjOW3ldAA7sSiLcKqAeQYxEWmNQtspuIC5IfNDXFYGIK7/oT12SDYrUd6cjC+KWlnvrfwh5WIz1CeuVp6gtjFxyWCVJ7XxRXHJZRLvChz9sCrz+tYmkLbtm/ChA+MtTrtpnCkZ78fAALDAQg4BDmt1yVwa+/Gx2VxQoBXzhS2rJKywT4rzA=
X-IPAS-Result: A2CYCADotUxh/1CMM5BQAQkeAQELEgyDPFmBJllpC4Q8jmeCJQOKbZEzgWIDAwsBAQEBAQEBAQEIASoBCgwEAQGEfQIXgjABJTgTAQIEFQEBAQUBAQEBAQYDAQGBI4VoDYI1KYNkAQEBAQMBASEKQQUWAgEIDgMEAQEoAwICAh8GCxQJCAIEARACCIIqQIF+VwMvD68deoExgQGEaYI5DYJDBgkBgTCHFAEBgRuDVgSBeycWBoINgRWDKj6CIEIBgSwBBwEKAVeCYoJlBIg0LzwFHRI6MhEQBQQ/Bg0qL18qKw+RLE+DEYhunwpeCoMsmHmFVS8Ug2eLZ4ZFjg+CZpYeg1KMMJA0GwOEYgIEAgQFAhaBeIENcCsKQQ87gmlRFwIPiEuFYAEWiGSFSkMFLDgCBgEKAQEDCZEogRABAQ
Received: from msht-gh1-uea50.corp.nsa.gov ([144.51.140.80]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 23 Sep 2021 17:15:48 +0000
Received: from MSMS-GH1-UEA15.corp.nsa.gov (144.51.140.86) by MSHT-GH1-UEA50.corp.nsa.gov (144.51.140.80) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.14; Thu, 23 Sep 2021 13:15:48 -0400
Received: from MSMS-GH1-UEA17.corp.nsa.gov (144.51.140.88) by MSMS-GH1-UEA15.corp.nsa.gov (144.51.140.86) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.14; Thu, 23 Sep 2021 13:15:48 -0400
Received: from MSMS-GH1-UEA17.corp.nsa.gov ([144.51.140.88]) by MSMS-GH1-UEA17.corp.nsa.gov ([144.51.140.88]) with mapi id 15.01.2308.014; Thu, 23 Sep 2021 13:15:48 -0400
From: "Gajcowski, Nicholas H" <nhgajco@nsa.gov>
To: 'Robert Moskowitz' <rgm-sec@htt-consult.com>, "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [Non-DoD Source] Re: [CFRG] Please review draft-ietf-drip-rid
Thread-Index: AQHXq89mY5Lh4wOeskifEGpO/BseoauonpSAgAAgoICACSHlkA==
Date: Thu, 23 Sep 2021 17:15:48 +0000
Message-ID: <f07f2a9e399a415b80ad062ee3e7c829@nsa.gov>
References: <03b5ea0e-cf1a-8edf-d642-2fb4b2e458fd@htt-consult.com> <CACsn0ckZbA4=Xe+Lc1w5bc5os8Ekeh9q7AAxknknwrrBZ0R-KQ@mail.gmail.com> <E0D027B0-089E-4402-BD65-38ADEABC3351@ll.mit.edu> <CAEseHRoH941WndaQmL8F=4w6BLkfjCaxa8mKP14bjNUEz2MRfw@mail.gmail.com> <865c8f1c-a79e-d05f-2ece-05a3b04f5c9d@htt-consult.com>
In-Reply-To: <865c8f1c-a79e-d05f-2ece-05a3b04f5c9d@htt-consult.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.214.26.137]
Content-Type: multipart/alternative; boundary="_000_f07f2a9e399a415b80ad062ee3e7c829nsagov_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tAJJq60W6TlUv7_pde5cw5TDTCU>
Subject: Re: [CFRG] [Non-DoD Source] Re: Please review draft-ietf-drip-rid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2021 17:16:04 -0000

Concerning pre-image resistance, the threat as I understand is that someone can create a separate Host Identity, i.e., EdDSA public key, that produces an already taken HHIT, i.e, satisfies a 64-bit condition on the output of cSHAKE128( static data || public key ).  The way to do this would be through brute force, i.e., compute private, public EdDSA key pairs until you find one with the desired cSHAKE128 output.  This should take about 2^64 attempts.  To get an idea of how hard this would be, consider that a *single* bitcoin mining ASIC can do on the order of 2^46 sha256 hashes a second or about 2^62 hashes in a single day. (Also, note there are DES crackers available that will exhaust the space of 2^56 keys).  The point being, 2^64 is not prohibitive esp. as this can be done in parallel.

To address this shortcoming, RFC 3972 includes a hardening function that ups the cost of finding a pre-image by increasing the number of hashes needed to create a CGA. However, this has obvious limitations as it increases the cost of creating a CGA by the same factor it increases the cost of stealing a CGA.  A better tradeoff is to increase the number of bits taken from the hash such as the 96 bits used in ORCHIDv2.

Now it should be noted that the 2^64 attempts is for stealing a *specific* HHIT/CGA. As noted in the case of CGAs (RFC 3972),stealing *a* CGA with the same prefix out of many becomes commensurately cheaper and so that applies here.  Say there are roughly 1,024 such possible HHITs for which you'd be happy stealing any one of.  Then rather trying to satisfy a 64-bit condition on the cSHAKE128 output, you need only satisfy a 54-bit condition (since you have 2^10 more opportunities for success).

In the end, I suspect this boils down to not to whether it's feasible to find a 64 bit preimage, but rather how expensive you want to make it.

As for collisions of the CGA, I'm not sure what that buys an attacker as the threat model is unclear.  I suppose an attacker will then have two UAs with the same CGA with one being legitimate/registered.  Unclear how that is better than simply having the two use the same public key/HOST_ID unless perhaps you want to retain some form of deniability.

Nick G

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Robert Moskowitz
Sent: Friday, September 17, 2021 1:32 PM
To: cfrg@ietf.org
Subject: [Non-DoD Source] Re: [CFRG] Please review draft-ietf-drip-rid

I am not aware of any PQ signature that will work here and accepted for production systems.  So I continue to work with pre-PQ so vendors can make hardware today to meet their 2023 mandate to support these rules.  That means manufacturing soon.  The manufacturers are very unhappy on how long it is taking ASTM to finish the revision and get FAA approval of the Memorandum Of Compliance.  And we in DRIP will have to do an addendum to the ASTM MoC for our contribution.

So please keep the discuss is:

Do I use EdDSA properly?
Is my use of cSHAKE right?
What are the collision and pre-image attacks.  Is there more that I should reference.


On 9/17/21 11:34 AM, Michael Scott wrote:

On Fri, Sep 17, 2021 at 3:21 PM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu<mailto:uri@ll.mit.edu>> wrote:
I have not read the draft, but my answer to Watson is - because there is not enough room for Post-Quantum certificates, and Ed25519 is not an acceptable alternative for some of us.

I for one would be interested in just how extensive this "some of us" group is. In the interests of transparency I think they should step forward and identify themselves. It is a view I respect, but personally disagree with.

If people in good faith are willing to make major efforts to put forward proposals to this forum, it would only be fair for them to be aware of the extent of that grouping who would reject such proposals out-of-hand.

Mike

--
Regards,
Uri

There are two ways to design a system. One is to make is so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
                                                                                                                                     -  C. A. R. Hoare


On 9/17/21, 09:59, "CFRG on behalf of Watson Ladd" <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org> on behalf of watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>> wrote:

    I've read your email and have only one response.

    Why?

    There is enough room for an entire certificate chain using Ed25519 and
    compact encodings. That would be a lot simpler.

    Sincerely,
    Watson Ladd

    --
    Astra mortemque praestare gradatim

    _______________________________________________
    CFRG mailing list
    CFRG@irtf.org<mailto:CFRG@irtf.org>
    https://www.irtf.org/mailman/listinfo/cfrg
_______________________________________________
CFRG mailing list
CFRG@irtf.org<mailto:CFRG@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg



_______________________________________________

CFRG mailing list

CFRG@irtf.org<mailto:CFRG@irtf.org>

https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email