Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
Jim Schaad <ietf@augustcellars.com> Mon, 14 November 2016 23:10 UTC
From: Jim Schaad <ietf@augustcellars.com>
To: 'Taylor R Campbell' <campbell+cfrg@mumble.net>, 'Derek Atkins' <derek@ihtfp.com>
References: <sjmlgwmrpo7.fsf@securerf.ihtfp.org> (derek@ihtfp.com) <20161114184709.B803D60380@jupiter.mumble.net>
In-Reply-To: <20161114184709.B803D60380@jupiter.mumble.net>
Date: Tue, 15 Nov 2016 08:10:08 +0900
Message-ID: <06d301d23ecc$402eb8e0$c08c2aa0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tz7ZKtoYKamu1JqY3XVP7RaIG-Q>
Cc: 'Russ Housley' <housley@vigilsec.com>, 'IRTF CFRG' <cfrg@irtf.org>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>
Subject: Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Taylor R Campbell
> Sent: Tuesday, November 15, 2016 3:47 AM
> To: Derek Atkins <derek@ihtfp.com>
> Cc: IRTF CFRG <cfrg@irtf.org>; Russ Housley <housley@vigilsec.com>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
> Subject: Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
>
> Date: Mon, 14 Nov 2016 11:28:56 -0500
> From: Derek Atkins <derek@ihtfp.com>
>
> It depends which security service of signatures you're asking about.
> For non-repudiation, yes, collision resistance is important. However
> preimage resistance is important for integrity/forging security.
>
> No!
>
> A signature scheme defined in terms of H(m), such as RSASSA-PSS, relies on the
> collision resistance of H to prevent forgery. Preimage resistance is *not*
> sufficient. Failure of MD5 to be collision-resistant is what enabled HTTPS
> certificate forgery in the wild ten years ago.
>
> (Attack: Find m =/= m' such that H(m) = H(m') and m is a certificate for
> harmlessexample.com while m' is a certificate for google.com.
> Submit a CSR to a CA that you predict will issue m signed. Now you have a
> signed certificate for google.com.)
>
> A more sensible signature scheme defined in terms of H(r, m) for some
> unpredictable per-message value r, such as EdDSA, relies only on the
> *target* collision resistance of H to prevent forgery. This is a stronger
> requirement than preimage resistance, but all the standard hash functions, even
> MD5, are still conjectured to be target-collision-resistant.
>
> However, the question at hand is about a scheme defined in terms of
> H(m) -- in particular, what H should we use for computing the message digest in
> step 1 of Russ Housley's original message, message-id
> <7DDD1353-96FC-4E70-8427-AA9C6F499232@vigilsec.com> at
> <https://www.ietf.org/mail-archive/web/cfrg/current/msg08786.html>?
>
> Date: Sat, 12 Nov 2016 22:55:21 -0500
> From: Russ Housley <housley@vigilsec.com>
>
> The CURDLE WG is working on a document that specifies the
> conventions for using EdDSA with CMS [RFC5652]. See
> draft-ietf-curdle-cms-eddsa-signatures.
>
> The most common case involves these steps:
>
> 1. Compute a message digest on the content.
> [...]
>
> Can we persuade the CURDLE WG to use an H(r, m) scheme instead, such as
> EdDSA without the prehash, and thereby dispel requirements of collision
> resistance?

Please note that the following is how CMS works:

    Sign( list of attributes )

The list of attributes contains a hash of the message along with other items such as a time, which signature algorithm, which hash algorithm, and potentially which certificate(s) to use for verification.

For this exercise, we are looking at what to use for the hash of the message; the sign operation is using EdDSA pure.

Jim
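As an added illustration (not code from this thread, from CMS, or from any EdDSA implementation), the following Python models the signed-attributes structure Jim sketches and the two digest constructions Taylor contrasts. The message digest is a deliberately weakened toy (SHA-256 truncated to 32 bits) so that a birthday collision is cheap to find; the signature over the attributes is an HMAC under a constructed key standing in for pure EdDSA, and the attribute encoding is a plain tagged concatenation rather than DER. In the H(r, m) variant the per-message value r is simply handed to the signer and carried alongside the signature, which is a simplification of this toy and not how EdDSA derives r. All names, keys and sample contents are constructed here.

```python
import hashlib
import hmac
import itertools

# Constructed toy parameters. SHA-256 truncated to 32 bits stands in for a hash
# whose collision resistance has failed (as MD5's did); a 32-bit birthday search
# needs on the order of 2^16 hash calls, so the demo runs in well under a second.
DIGEST_BITS = 32
STANDIN_KEY = b"constructed-signing-key"  # HMAC key standing in for the EdDSA key pair


def toy_digest(data: bytes) -> bytes:
    """Weak message digest: SHA-256 truncated to DIGEST_BITS."""
    return hashlib.sha256(data).digest()[: DIGEST_BITS // 8]


def find_collision(prefix_a: bytes, prefix_b: bytes):
    """Birthday search for two messages, one per prefix, with equal toy digests.
    Suffixes are decimal counters, so the search is deterministic across runs."""
    seen_a = {}  # digest -> message built from prefix_a
    seen_b = {}  # digest -> message built from prefix_b
    for i in itertools.count():
        s = str(i).encode()
        ma, mb = prefix_a + s, prefix_b + s
        da, db = toy_digest(ma), toy_digest(mb)
        if da == db:
            return ma, mb
        if da in seen_b:
            return ma, seen_b[da]
        if db in seen_a:
            return seen_a[db], mb
        seen_a[da] = ma
        seen_b[db] = mb


def signed_attributes(content_digest: bytes, signing_time: str) -> bytes:
    """Stand-in for the DER-encoded CMS SignedAttributes (assumption: a tagged
    concatenation; real CMS uses ASN.1 DER with OIDs for each attribute)."""
    return (b"messageDigest=" + content_digest.hex().encode()
            + b";signingTime=" + signing_time.encode())


def standin_sign(attrs: bytes) -> bytes:
    """HMAC stands in for the pure EdDSA signature computed over the attributes."""
    return hmac.new(STANDIN_KEY, attrs, hashlib.sha256).digest()


def sign_h_m(content: bytes, signing_time: str):
    """CMS-style signing: messageDigest = H(content), signature over the attributes."""
    attrs = signed_attributes(toy_digest(content), signing_time)
    return attrs, standin_sign(attrs)


def verify_h_m(content: bytes, attrs: bytes, sig: bytes, signing_time: str) -> bool:
    expected = signed_attributes(toy_digest(content), signing_time)
    return hmac.compare_digest(expected, attrs) and hmac.compare_digest(standin_sign(attrs), sig)


def sign_h_r_m(content: bytes, signing_time: str, r: bytes):
    """Randomized variant: messageDigest = H(r || content); r is returned so the
    verifier can recompute the digest (toy simplification, see lead-in)."""
    attrs = signed_attributes(toy_digest(r + content), signing_time)
    return r, attrs, standin_sign(attrs)


def verify_h_r_m(content: bytes, r: bytes, attrs: bytes, sig: bytes, signing_time: str) -> bool:
    expected = signed_attributes(toy_digest(r + content), signing_time)
    return hmac.compare_digest(expected, attrs) and hmac.compare_digest(standin_sign(attrs), sig)


def demo() -> dict:
    """A colliding pair is found before any signing happens; the signer signs the
    benign message, and we check whether that signature also validates the other."""
    benign, other = find_collision(b"benign content ", b"substituted content ")
    assert benign != other and toy_digest(benign) == toy_digest(other)
    t = "20161114231008Z"  # constructed signingTime
    attrs, sig = sign_h_m(benign, t)
    r, attrs_r, sig_r = sign_h_r_m(benign, t, r=b"\x01" * 32)  # constructed fixed r, chosen after the pair
    return {
        "hm_signature_valid_on_signed": verify_h_m(benign, attrs, sig, t),
        "hm_signature_valid_on_other": verify_h_m(other, attrs, sig, t),      # True: digests are equal
        "hrm_signature_valid_on_signed": verify_h_r_m(benign, r, attrs_r, sig_r, t),
        "hrm_signature_valid_on_other": verify_h_r_m(other, r, attrs_r, sig_r, t),  # False: r was unknown to the search
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running demo() shows that a signature over attributes carrying H(m) validates unchanged on the colliding content, whereas under H(r, m) the pair found before r existed no longer shares a digest and verification fails. The signing primitive is identical in both cases; only the digest layer differs, which is why the algorithm chosen for the messageDigest attribute is where the collision-resistance requirement lands.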