IETF Logo Mail Archive

[Curdle] questions on draft-ietf-curdle-cms-eddsa-signatures-03.txt

Daniel Migault <daniel.migault@ericsson.com> Thu, 09 March 2017 21:56 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14007129420 for <curdle@ietfa.amsl.com>; Thu, 9 Mar 2017 13:56:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.369
X-Spam-Level:
X-Spam-Status: No, score=-2.369 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.229, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9xbUtKyiol0X for <curdle@ietfa.amsl.com>; Thu, 9 Mar 2017 13:56:16 -0800 (PST)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B95E127735 for <curdle@ietf.org>; Thu, 9 Mar 2017 13:56:16 -0800 (PST)
Received: by mail-it0-x22e.google.com with SMTP id h10so136820550ith.1 for <curdle@ietf.org>; Thu, 09 Mar 2017 13:56:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to; bh=DIZgzWuvg5fc2eq8DNIF5+O9HuqDs60FihCsySKKbG0=; b=XSZX+B3fERgAZRfbKi4f6Eqc0qSvGMGE2b9mV0D7DHyeM44jEdwxZkgMKGruqQMFxv cbZtqHkqS/QqnX8kY759BXanE10VVZcpn/fMPVhEVHl0qDjj7zrcaUcyTeGtGqqtJBRr iXAIkEmKZcWX3WihcAtjpCaEewH3eVWNeeWQ/Q3fMLYKL1jMMU5Fl09xOd8sL31ZE42Q YefPdujv14nDCpR1jje0gkzmHdyt96m52buwaHi6T7YdB+aAoVfGN4XTt7EEv2aDCxYp BCvepIJ2qzTC2RSpT4eFzeebeYZ+ZW4z7/dTRkROZt7x87jIXollhp4yB3yIt3TPW2mI 8odw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=DIZgzWuvg5fc2eq8DNIF5+O9HuqDs60FihCsySKKbG0=; b=Nek/c5rUs7yr9vuylBhhJhYhCECQN5islAvY4ggiQJTh2PG7t+izCOFB+Wsxian/bE 8oV9Z1S+6aCyWi2m0QJ1EOo3umHVUZfXelJoHrq5qx6hM4gM39P+BCbYG05qHafWm/9k Yhg16Gb7QfOa74Uas3fn7Mnx48KMQwE/C+8d9LaZfNtYG3jacnM7avvRNFpHo1xA/lHd NcwaYR/3dEe19eReEDRWI/qllNZENcJla6LKFJc+ZctEeTwBLYtvohtbCTkDuW31IG9b jkRWVbfPFXUZKMhy+8bh7E0LyVtul2DW4olbuw1Nk/dJq6E5n05lvkl04lwP7CtVgLWU 17iA==
X-Gm-Message-State: AMke39k53R8KLmuCPSnfuXD+iu2/qHC5XkoMJVpZ21msdOpJLfB37X4AGXdnNgKR9E6X1rKBz9m2aTYtwyz+Ng==
X-Received: by 10.36.164.75 with SMTP id v11mr14254354iti.101.1489096575195; Thu, 09 Mar 2017 13:56:15 -0800 (PST)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.35.213 with HTTP; Thu, 9 Mar 2017 13:56:14 -0800 (PST)
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Thu, 09 Mar 2017 16:56:14 -0500
X-Google-Sender-Auth: 8rtvpI_FMIKgz6eb8l2CI_fR6Ag
Message-ID: <CADZyTk=GYO-PpBk3v+6Se_ZTygiwwKDfvTbFKC+j9+4Rt7K-FA@mail.gmail.com>
To: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="f403045fbba866a059054a53501d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/2VEIIlafvFhtba_57UXL3cZuqtg>
Subject: [Curdle] questions on draft-ietf-curdle-cms-eddsa-signatures-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 21:56:18 -0000

Hi,

I read draft-ietf-curdle-cms-eddsa-signatures-03.txt and have a few
questions. Please find my questions/comments inline.

Yours,
Daniel

   Use of EdDSA Signatures in the Cryptographic Message Syntax (CMS)
            <draft-ietf-curdle-cms-eddsa-signatures-03.txt>

2.  EdDSA Signature Algorithm

   One of the parameters of the EdDSA algorithm is the "prehash"
   function.  This may be the identity function, resulting in an
   algorithm called PureEdDSA, or a collision-resistant hash function,
   resulting in an algorithm called HashEdDSA.  In most situations the
   CMS SignedData includes signed attributes, including the message
   digest of the content. Since HashEdDSA offers no benefit when signed
   attributes are present, only PureEdDSA is used with the CMS.

MGLT: My understanding of the two latest sentences is that, in most cases
the CMS when used with signed attributes may specify the hash of the
content. As prehashing is performed by CMS, there is no need to have a pre
hash variant version.

>From the two sentences it may appear that without signed attributes, they
might be some advantages of having HashEdDSA over PureEdDSA. If that is the
case, maybe we should provide them and then motivate our choice.

What is unclear to me is why signed attributed make it different ? My
understanding is that in any case digestAlgorithm is used to compute the
digest of the eContent and when defined additional signed attributes.


I am also wondering if we were using the prehash variant a combination of
digestAlgorithm with the prehash function would not be problematic. At
least, the signing operation would not be performed on the same content
this might add unnecessary overhead. If that is the case, it would provide
a generic motivation to only consider PureHash with CMS.

My understanding of EdDSA is that when PureEdDSA is possible, it is always
recommended over HashEdDSA. I assume this is also recommended for CMS.


2.3.  Message Digest Algorithm Identifiers

   When the signer includes signed attributes, a message digest
   algorithm is used to compute the message digest on the eContent
   value.  When signing with Ed25519, the message digest algorithm MUST
   be SHA-512 [RFC4634].  When signing with Ed448, the message digest
   algorithm MUST be SHAKE256 [FIPS202] with a 512-bit output value.

MGLT: I am wondering why the digestAlgorithm cannot be the identity.

   Signing with Ed25519 uses SHA-512 as part of the signing operation,
   and signing with Ed448 uses SHAKE256 as part of the signing
   operation.

MGLT: I am wondering if the text above wants to specify that the digest
algorithm specified are already part of the signature and as such no
additional hash functions really need to be added or if there is another
motivation for this text.

   For convenience, the object identifiers and parameter syntax for
   these algorithms are repeated here:

 MGLT: IOD are repeated, maybe we could add a reference where these have
been defined. -- Note that the ref becomes clearer on the next page.

2.4.  EdDSA Signatures

   The id-Ed25519 and id-Ed448 object identifiers are also used for
   signature values.  When used to identify signature algorithms, the
   AlgorithmIdentifier parameters field MUST be absent.

MGLT: I do not understand why id-Ed25519 and id-Ed448 are used for the
signature value. My understanding is that the Signer Info carries the
signature algorithm, which defines the signature.

3.  Signed-data Conventions

   The processing depends on whether the signer includes signed
   attributes.

   The inclusion of signed attributes is preferred, but the conventions
   for signed-data without signed attributes are provided for
   completeness.

MGLT: Maybe we could briefly explain or provide a reference why signed
attributes are preferred.

3.1.  Signed-data Conventions With Signed Attributes

   The SignedData digestAlgorithms field includes the identifiers of the
   message digest algorithms used by one or more signer.  There MAY be
   any number of elements in the collection, including zero.  When
   signing with Ed25519, the digestAlgorithm SHOULD include id-sha512,
   and if present, the algorithm parameters field MUST be absent.  When

   signing with Ed448, the digestAlgorithm SHOULD include
   id-shake256-len, and if present, the algorithm parameters field MUST
   also be present, and the parameter MUST contain 512, encoded as a
   positive integer value.

 MGLT: For which reason do we have a SHOULD and not a MUST, as the hash
function specified have a MUST status in te message digest identifier.


3.2.  Signed-data Conventions Without Signed Attributes

v2.23.0 | Report a Bug | By Email