[CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-01.txt

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 06 September 2024 05:29 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 06 Sep 2024 01:29:42 -0400
Message-ID: <CAMm+Lwikkoc=kRp_yZbYzPb4sNfwwtXfNPrf9TCsFEJ8wCD+xA@mail.gmail.com>
To: Alicja Kario <hkario@redhat.com>
CC: internet-drafts@ietf.org, i-d-announce@ietf.org, cfrg@ietf.org
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/xE0GKEx6q5LsOokgJk7BTOkEiVg>

On Thu, Sep 5, 2024 at 2:03 PM Alicja Kario <hkario@redhat.com> wrote:

> On Thursday, 5 September 2024 19:21:39 CEST, Phillip Hallam-Baker wrote:
> > Very interesting. RSA will be with us for a long time...
> >
> > Have you considered key generation? Just adding a reference to
> > FIPS 185-5 might be enough. I am currently trying to decide
> > whether probabilistic or provable primes are the way to go. I
> > have also noticed that keygen on my state of the art 2023
> > machine is taking almost as long as it used to take in 1990.
> > That is because we are using longer keys and we are doing a lot
> > more checks - the auxiliary primes.
>
> RSA key generation is a very rare occurrence, so it's easier to just
> do it offline, on a trusted system, than to work to make it side
> channel safe. So, no, I consider it out of scope.
>

RSA is vulnerable to kleptography attacks.

If we are going to do the job, we should do it right. Kleptography is a
real world attack.

If you want to create a malicious HSM, you use the following:

p1 = number(seed)
p  = nextPrime(p1)
m1 = BytesToBigNum(Encrypt(p, traitorKey) + random)

q1 = m1 / p
q  = nextPrime(q1)

Moti Yung is credited with the public discovery of this, but there is reason
to believe it has been used in the wild.

Having thought through the process of storing ML-DSA seeds, I am convinced
that storing the seed rather than the expanded key is the correct move on
security grounds even if the keys were not ginormous. Giving the expanded
key is an invitation to kleptographic malice.

RSA is no different: specifying the seed and a strong key
derivation mechanism offers superior security.

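The deterministic derivation the reply argues for, as an added example that is not part of this message or of the draft: both primes are walked out of a SHAKE-256 stream keyed by the seed, so anyone holding the seed can regenerate the key and confirm that the modulus a device reports is the one the seed produces. The function names, the `rsa-p`/`rsa-q` labels and any seed values are constructed for the example; a production generator would follow the FIPS 186-5 candidate-generation procedure rather than this sketch, and the fixed Miller-Rabin bases are only adequate for non-adversarial candidates.

```python
import hashlib

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    # Miller-Rabin with fixed bases so the derivation is reproducible; fine for
    # random candidates, an adversarially chosen n would need random bases.
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def derive_prime(seed: bytes, label: bytes, bits: int, e: int) -> int:
    # Walk a SHAKE-256 stream keyed by (seed, label, counter) until a prime of
    # exactly `bits` bits with gcd(e, p - 1) == 1 turns up (e assumed prime).
    counter = 0
    while True:
        xof = hashlib.shake_256(seed + label + counter.to_bytes(4, "big"))
        cand = int.from_bytes(xof.digest(bits // 8), "big")
        cand |= (1 << (bits - 1)) | 1  # force exact bit length and oddness
        if cand % e != 1 and is_probable_prime(cand):
            return cand
        counter += 1

def derive_rsa_key(seed: bytes, bits: int = 1024, e: int = 65537):
    # Same seed, same (n, e, d): nothing in the key depends on device RNG state.
    p = derive_prime(seed, b"rsa-p", bits // 2, e)
    q = derive_prime(seed, b"rsa-q", bits // 2, e)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def verify_key_matches_seed(seed: bytes, n: int, bits: int = 1024) -> bool:
    # Auditor check: regenerate from the escrowed seed and compare moduli.
    return derive_rsa_key(seed, bits)[0] == n
```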