Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448

Jim Schaad <ietf@augustcellars.com> Mon, 14 November 2016 23:10 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 990881295D6 for <cfrg@ietfa.amsl.com>; Mon, 14 Nov 2016 15:10:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.398
X-Spam-Level:
X-Spam-Status: No, score=-3.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fcP--aULm4CX for <cfrg@ietfa.amsl.com>; Mon, 14 Nov 2016 15:10:20 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48084129621 for <cfrg@irtf.org>; Mon, 14 Nov 2016 15:10:20 -0800 (PST)
Received: from hebrews (31.133.148.101) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 14 Nov 2016 15:27:53 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Taylor R Campbell' <campbell+cfrg@mumble.net>, 'Derek Atkins' <derek@ihtfp.com>
References: <sjmlgwmrpo7.fsf@securerf.ihtfp.org> (derek@ihtfp.com) <20161114184709.B803D60380@jupiter.mumble.net>
In-Reply-To: <20161114184709.B803D60380@jupiter.mumble.net>
Date: Tue, 15 Nov 2016 08:10:08 +0900
Message-ID: <06d301d23ecc$402eb8e0$c08c2aa0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQGrf7bJGBsBJzXKVQAs8edFrI58+KEmmGjA
X-Originating-IP: [31.133.148.101]
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tz7ZKtoYKamu1JqY3XVP7RaIG-Q>
Cc: 'Russ Housley' <housley@vigilsec.com>, 'IRTF CFRG' <cfrg@irtf.org>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>
Subject: Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2016 23:10:22 -0000


> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Taylor R Campbell
> Sent: Tuesday, November 15, 2016 3:47 AM
> To: Derek Atkins <derek@ihtfp.com>
> Cc: IRTF CFRG <cfrg@irtf.org>; Russ Housley <housley@vigilsec.com>; Scott
> Fluhrer (sfluhrer) <sfluhrer@cisco.com>
> Subject: Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
> 
>    Date: Mon, 14 Nov 2016 11:28:56 -0500
>    From: Derek Atkins <derek@ihtfp.com>
> 
>    It depends which security service of signatures you're asking about.
>    For non-repudiation, yes, collision resistance is important.  However
>    preimage resistance is important for integrity/forging security.
> 
> No!
> 
> A signature scheme defined in terms of H(m), such as RSASSA-PSS, relies on
the
> collision resistance of H to prevent forgery.  Preimage resistance is
*not*
> sufficient.  Failure of MD5 to be collision- resistant is what enabled
HTTPS
> certificate forgery in the wild ten years ago.
> 
> (Attack: Find m =/= m' such that H(m) = H(m') and m is a certificate for
for
> harmlessexample.com while m' is a certificate for google.com.
> Submit a CSR to a CA that you predict will issue m signed.  Now you have a
> signed certificate for google.com.)
> 
> A more sensible signature scheme defined in terms of H(r, m) for some
> unpredictable per-message value r, such as EdDSA, relies only on the
> *target* collision resistance of H to prevent forgery.  This is a stronger
> requirement than preimage resistance, but all the standard hash functions,
even
> MD5, are still conjectured to be target- collision-resistant.
> 
> However, the question at hand is about a scheme defined in terms of
> H(m) -- in particular, what H should we use for computing the message
digest in
> step 1 of Russ Housley's original message, message-id <7DDD1353-96FC-4E70-
> 8427-AA9C6F499232@vigilsec.com> at <https://www.ietf.org/mail-
> archive/web/cfrg/current/msg08786.html>?
> 
>    Date: Sat, 12 Nov 2016 22:55:21 -0500
>    From: Russ Housley <housley@vigilsec.com>
> 
>    The CURDLE WG is working on a document that specifies the
>    conventions for using EdDSA with CMS [RFC5652].  See
>    draft-ietf-curdle-cms-eddsa-signatures.
> 
>    The most common case involves these steps:
> 
>       1.  Compute a message digest on the content.
>       [...]
> 
> Can we persuade the CURDLE WG to use an H(r, m) scheme instead, such as
> EdDSA without the prehash, and thereby dispel requirements of collision
> resistance?

Please note that the following is how CMS works

Sign( list of attributes )
List of attributes contains a hash of the message along with other items
such as a time, which signature algorithm, which hash algorithm, potentially
which certificate(s) to use for verification.

For this exercise, we are looking what to use for the hash of message, the
sign operation is using EdDSA pure.

Jim

> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg