IETF Logo Mail Archive

Re: [core] Concerns with EC key joint signature and DH usage in draft-ietf-core-oscore-groupcomm

Göran Selander <goran.selander@ericsson.com> Wed, 20 January 2021 14:05 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0719E3A1384; Wed, 20 Jan 2021 06:05:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.351
X-Spam-Level:
X-Spam-Status: No, score=-2.351 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AN6SHgPI-i9i; Wed, 20 Jan 2021 06:05:51 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2056.outbound.protection.outlook.com [40.107.20.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCD423A1386; Wed, 20 Jan 2021 06:05:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=V7qf6TH6QqIgaPjEVuRHYNJZZUPQjlZsrGzW2SoJMp4K+1Pm/jUzt+1RE0P3mnCu/173oZZKBQS4RBZNG4L94aeoOqGt6WKag5YWSo0i3HSUn+tB3za0Aut/HFQAG2sPTRHprGM1r/48lC73iyPAMxzNvuYpUBM2RXgEmjJ/Uf345wfX5xvYT8pQybZ2Wm+Nf3VrM+0YvfC/ZSXN1ThPOq9nsRyfwJRGnbFMvNK3ddpEjuyG4V5Ajfn+y/j5L6sNM/VcnQYqLt01N1R+yk1gz2BCyjVpikUYs1O4Phx+4VnV5a+YS6ib1+k2VrlqYs+HgejY/vAAQ+aJ1CSJd0NxuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=I3BN/SccQhDjr28Q6sbKv1QL48jeQBHzctlqWC3wC3o=; b=l9z/raN2Wx7QUO47A+tc4G5os9JbfIfjGIRTy5ciATg/DHRGyvmQ8Z6YTHCUt6acgnkUJLCMnxSNp+88lUqAa0T6ekxx4Pig2uNu+1xsSuk8yDIwQlHQMP0lICS2gI+aFr1J7c5KAAh/rOtF66S9+8mXM64GaZe0CIUbQs/qq+IcuBBfMAeuaU54wzDyWppY6PeGSJXhoibETrwVHmBTjKoXCrscHWWj0sdY4h/Sxb2X7EghvU2c9g3/V4UW9shO5DCyReh3XuqTqHX2qqcTvkzgmQumfirGOi7TMK2wqHNIQnQXL6WnMByjGOXIoGn3Mf1ZybQV15CYf1UCiB3QjA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=I3BN/SccQhDjr28Q6sbKv1QL48jeQBHzctlqWC3wC3o=; b=BCf9PnqHgdqEp7GZcRahgUnQEswa2UDyKXnL3GOjRifb+HT4FHr4S9ffv8/Yr6oJPmx6w93j2C9rUMLzc8LYdRBSixChobKKrHipmrS2aHodMzTLQHvNyN3lp43lpXzKV187Pmy8gylDLGsYL7wD4q07TVmsqnot4jcLYkmNgac=
Received: from (2603:10a6:7:82::14) by HE1PR0702MB3673.eurprd07.prod.outlook.com (2603:10a6:7:81::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3784.9; Wed, 20 Jan 2021 14:05:45 +0000
Received: from HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::fd09:b8f4:2698:e86]) by HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::fd09:b8f4:2698:e86%6]) with mapi id 15.20.3784.011; Wed, 20 Jan 2021 14:05:45 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-core-oscore-groupcomm@ietf.org" <draft-ietf-core-oscore-groupcomm@ietf.org>
CC: "core@ietf.org" <core@ietf.org>
Thread-Topic: Concerns with EC key joint signature and DH usage in draft-ietf-core-oscore-groupcomm
Thread-Index: AQHW6RfY9iCglnm+UUiICUuvD3s5raowqUSA
Date: Wed, 20 Jan 2021 14:05:45 +0000
Message-ID: <9D7AAAF7-D8BF-46F2-B6D5-60BEEA836636@ericsson.com>
References: <20210112191911.GT161@kduck.mit.edu>
In-Reply-To: <20210112191911.GT161@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.46.21011300
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [83.249.67.87]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f5e8f2d1-4815-426e-0b2d-08d8bd4c7b34
x-ms-traffictypediagnostic: HE1PR0702MB3673:
x-microsoft-antispam-prvs: <HE1PR0702MB3673616F5E798692C6675587F4A20@HE1PR0702MB3673.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /SnXpDDNmQTX/Se1ZWfAL4MgKgof7Of/EKTnLT/3Xr+gFXQ3Zo+V16R80cOAUpeeloVELKh4mWka15bWNX8+mPOXKSEvZBltUfOGzXt4P2gHODGLnu3hjxIMwwdqZHpfQq9tlXigXoCovEEbFCREPnVvSlq/BkKlYM/MU+5oBQgS+GmBHbkJsCjktESpEO9UFI/nqNLs1TZf7Eau+ySxlry0kh+rpeMFAGXB2xgsMPJG4iLmWqW1MXQmrOgVi3aD/c6JoCQNRrx44n+G2xIzeDBdfOcI2WylPOH6Q1ZKe+ZIZFahuJ4bnf7hAGMkI5WK+8LjHaLou0E6dB/PdVytj6jluOVM5ChsaN8D5VHwsca3GeGeJasU6Rs7jMPF1seM+BOKUnuCdqJeriRwAsKEM/CvphLGkhM2eIUr3NgZqE/RGHzs7HELXDikiznEKl0xchcMGNBJy8kYI/Hntvf6TGRdpxA9hBbDXnCRfGKhe6b2WTVsWP9jO5y9Ug0vLOuBBVoMP5bt9HYKk5tlr1Wxjg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3674.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(346002)(396003)(376002)(39860400002)(366004)(83380400001)(2906002)(6512007)(316002)(478600001)(2616005)(6506007)(966005)(26005)(66446008)(66574015)(71200400001)(186003)(76116006)(33656002)(64756008)(66556008)(85202003)(36756003)(66946007)(5660300002)(85182001)(66476007)(6486002)(8676002)(110136005)(8936002)(86362001)(4326008)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: QRGKvohds2prqGJdT4pig+J5BddBy5ZTqmAts/i+AFw85CDU26tt8pvM+QwQl6gdq9OkknOOaY05W6Hd163iEUeQJw/5i8Sg5ctqrx6rh3Y/UZ4pRZHtFLRND9+Q/hPEKQfluWLis93gNlcvM82aQ7hyaPFzLHwyRPuxiSEQuPSCLQmS63pF0JHqjA7SGAcmHUyU5Ao6JQeXsy2P1wWNxWAv3gnyAy4nK1bXZJMwNnxh/Tfgugv1ezDb/1LnOBjcQ7vZt1EDoEOdfKDK/Dnfww7txWkdWa7MRoKOx64o7nuGSv2YQd6L+YU0CkDxmm2vc+AwgoFB3z1gna74mlzWpRxHsvwzAPpagCDIncGZrdDvdokIkYmEc+4XuuXU4EGa1CbwLN1/XXvsqgwef22fL7HtjUMluHOTra+YZEkK203fMt+dfA4bCDeVCIYw8C+/YvHuavPxVgcKqnqooNEDOkmWn1v0DXhtsE2vPzsXzkkU9ok/cre+vkJmn3RXgh5qDUz+y/UuTYAE/zjfFgj8ZxM8N2F+mAlOhAHe312AuMdjZyABMLmPRD7NxnIadq1qaxsQM5ikwkxqjnoAOrksGfIKx+HzgjJOKhxNqA6+TAvNYUOuzYqoNfxCSp9zJff0CK4FJsKKz72ksquq71I3GOz3wbmJ07efDjCblHJxAgPdoW1hONwWZJlNZGNndESCLiYAK8wLFo2ORSFueG7p9ydgZcjVn02rrtZMKgzUwLt5fZit5wdh8y6uK6EUSG04OwxgGJUW7K1lJRU1Q11ialxKmgsktQJN7F9o0gz2BFiQweRSOn+XGPEQ0EuSDj1kPxr48dk6pWAH0WtSlsSLQncDc3bG+XkcLlzRX4Ax6chCwVTll47wHDQJgSfaRymdmSKzUkKPbjfYwXEGECBiGXC46iVKTZTPqW0dc0KsWrqUTPNQxSltDdH01636mxDUmK9UH/JPRsMnb7gBQlf4smmcqO3I2y+0mkNDcB9mwDnAhYhe5Jf/QrYgSOyI6glI
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <39C1836AB276A445A0EAF1740D19AB55@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3674.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f5e8f2d1-4815-426e-0b2d-08d8bd4c7b34
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jan 2021 14:05:45.4338 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pjeSVt3d+L5qNKOUdJsr6Av3AuEjkfSU8miUv8dXU5KVh0ZIehLgM7qmAI4Rh6ygmITfWT0d++xcc0iOHGrsR5oN4t/o1p89jT8LAuD0C7U=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3673
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/YRNXvtiFmHLk5YkXK8-uJg-t3NU>
Subject: Re: [core] Concerns with EC key joint signature and DH usage in draft-ietf-core-oscore-groupcomm
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2021 14:05:54 -0000

Hi Ben,

Thanks for bringing up this already in the WG. 

Below we recap the reasoning which led to use the same public key in pairwise mode as in group mode. Triggered by your mail we revisited the problem area and we agree that simply referring to [1] as is currently done is not sufficient motivation. More details further below.


1. [1] does prove the joint security of a DH-based KEM and signing using ECDSA or elliptic curve Schnorr signatures. The KEM is then used in ECIES, but that does not limit the proof to this setting, and the use of static DH in the protocol can be mapped to a KEM setting. 

2. We made an assessment similar as for Signal's X3DH [2] which uses the same XEdDSA [3] key pair for DH and signing (the conversion between Edwards and Montgomery coordinates in that case is in the reverse direction).

3. The pairwise mode as specified in the draft works with separate signature and key agreement keys, but that would incur double overhead both in terms of key distribution and storage. The construction in [1] is a desirable optimization that has an impact on performance in constrained settings.

4. One major reason why to not use one key with multiple algorithms is because there may be vastly different policies associated with the different uses. That is not the case here, where the purpose of both uses is to protect the communication between endpoints during the validity of the group context.

With this we found it motivated to re-use the signature key of group mode as key agreement key of the pairwise mode. But the setting is not identical to the literature so a further motivation is needed. We have opened an issue on the CoRE WG github. Allow us to get back with more details. 

Göran


[1] https://eprint.iacr.org/2011/615.pdf
[2] https://signal.org/docs/specifications/x3dh/
[3] https://signal.org/docs/specifications/xeddsa/


On 2021-01-12, 20:19, "Benjamin Kaduk" <kaduk@mit.edu> wrote:

    Hi all,

    A recent feature request for openssl
    (https://protect2.fireeye.com/v1/url?k=e4a3a920-bb389025-e4a3e9bb-86959e472243-27bb378ffbf586b9&q=1&e=2faf5050-4a0e-4176-8761-8cc2752fdfe1&u=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fissues%2F13630) pointed out that this
    document rather blithely proposes to reuse signature (e.g., EdDSA and
    ECDSA) keys for purposes of ECDH key agreement.  (This is part of the
    "pairwise keys" construction in Section 2.3, specifically in 2.3.1.)

    Use of a given key with multiple algorithms diverges from general
    cryptographic best practice, and I do see that this draft acknowledges
    this fact and attempts to justify the choice in the security
    considerations (Section 10.12) with reference to [Degabriele]
    (https://protect2.fireeye.com/v1/url?k=f72d4ea3-a8b677a6-f72d0e38-86959e472243-ea870c7babbcb38c&q=1&e=2faf5050-4a0e-4176-8761-8cc2752fdfe1&u=https%3A%2F%2Feprint.iacr.org%2F2011%2F615).  However, I do not think that the
    current discussion (in the -10) is anywhere close to sufficient
    justification that the proposed behavior is secure.  Specifically, the
    referenced paper primarily focuses on methods used for EMV standards,
    and in particular limits itself to ECIES (which combines key agreement
    and message encryption).  While OSCORE provides mechanisms conceptually
    similar to ECIES, the actual mechanics of the cryptography and wire
    protocol are, to my knowledge, different, and so the referenced paper
    does not seem to directly apply.  This document does not attempt to
    "bridge the gap" between what it does in practice and the
    (ECIES-specific) proof, so based on my current understanding, it must
    still be considered as defying best current practice without formal
    cryptographic justification.

    In my opinion, we need to either produce a reference/proof that does
    apply to OSCORE's usage, or remove this mechanism from the protocol.

    -Ben

v2.23.0 | Report a Bug | By Email