Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures
Russ Housley <housley@vigilsec.com> Thu, 05 May 2016 20:05 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F161412D514 for <curdle@ietfa.amsl.com>; Thu, 5 May 2016 13:05:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bYbynKWr5V9N for <curdle@ietfa.amsl.com>; Thu, 5 May 2016 13:05:37 -0700 (PDT)
Received: from mail.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 3EA2212D51B for <curdle@ietf.org>; Thu, 5 May 2016 13:05:35 -0700 (PDT)
Received: from localhost (ronin.smetech.net [209.135.209.5]) by mail.smetech.net (Postfix) with ESMTP id 1D121F2402E; Thu, 5 May 2016 16:05:35 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from mail.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id iyiDMwpWTIk9; Thu, 5 May 2016 15:49:08 -0400 (EDT)
Received: from [5.5.33.88] (vpn.snozzages.com [204.42.252.17]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.smetech.net (Postfix) with ESMTP id ECE49F24013; Thu, 5 May 2016 16:05:33 -0400 (EDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <0c7301d1a4a2$cc47a680$64d6f380$@augustcellars.com>
Date: Thu, 05 May 2016 16:05:26 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <B0C9A58C-2BDB-4CB5-867E-CE6FE02F9AA4@vigilsec.com>
References: <086701d1a0e4$965f2320$c31d6960$@augustcellars.com> <9458BE75-3657-4726-949C-6C9D7511AF21@vigilsec.com> <0c7301d1a4a2$cc47a680$64d6f380$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/curdle/70lRpKjqUyo_pWT8oFUC2CfTSDg>
Cc: curdle@ietf.org
Subject: Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 May 2016 20:05:39 -0000
Jim: > Jim Schaad sent me some comments on this document. Since I have asked this > working group to adopt this draft, I have gotten Jim's permission to respond > to the comments on list. Dropping items 1 and 3 since they seem to be resolved. See below for the continued discussion of items 2 and 4. >> 2. We need to get a definition of how to use SHAKE256 from someplace >> if we are going to say use the same hash algorithm throughout as that >> is what >> Ed448 uses. It would be worthwhile to specify what hash algorithms >> should be used with each of the different signature algorithms given >> that it is not clear from the name of the algorithm identifier. > > This document references draft-irtf-cfrg-eddsa-05, and that document > includes this reference for SHAKE256: > > [FIPS202] National Institute of Standards and Technology, U.S. > Department of Commerce, "SHA-3 Standard: Permutation-Based > Hash and Extendable-Output Functions", FIPS 202, August > 2015. > > I'm not sure what more you think is needed. > > [JLS] To start with, I think we need to get a reference for an OID for the > SHAKE256 algorithm from NIST (or internally) since that is needed as one of > the authenticated attributes. Based on other traffic on this list, I hope that NIST will assign the OID. > I worry that since we have changed this set of identifiers from saying X > with Y to just saying X that there is going to be a degree of people missing > which algorithm is being used as a hash algorithm for this. We need to do the same thing with this document and draft-ietf-curdle-pkix-eddsa. I have started a separate thread on this mail list. Let’s have the discussion on that thread, and then put the conclusion in both documents. > A second worry is that SHAK256 is defined as being an XOF function and not a > hash function. I think it might make more sense to say that we should be > using SHA3-256 rather than SHAKE256. In any event the OID assigned on the > NIST web site does not make any statements about the size of output of > SHAKE256 and if we are going to use it as a hash algorithm here we need to > do that. Suffice it to say that I don't think that using SHAKE256 as a hash > algorithm here is sufficiently defined. Doesn’t this need to be addressed in draft-irtf-cfrg-eddsa? >> 4. In section 4, the problem with EdDSA is worse for the use of >> different algorithms than what you are stating. It is possible to do >> some interesting forgeries if you cross between the pre-hash and not >> pre-hash versions with the Ed25519 curve since there is no context >> difference between them. This has to be forbidden not just strongly >> suggested. > > Does the removal of HashEdDSA resolve this one? > > [JLS] Yes that would deal with this issue. However, given that currently > the difference is just a field in the enumeration it should probably have a > security consideration about it. If we can change the PKXI draft so that > the pre-hash and pure versions using different OID identifiers, then this > because much cleaner and less of a worry. It would currently be potentially > necessary to make a RFC 2119 statement about the enumeration which is not > proposed above. Hopefully the direction for this will emerge from the discussion on the other thread. Russ
- [Curdle] Comments on draft-housley-cms-eddsa-sign… Russ Housley
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Jim Schaad
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Dang, Quynh (Fed)
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Jim Schaad
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Dang, Quynh (Fed)
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Russ Housley
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Jim Schaad
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Russ Housley
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Jim Schaad
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Dang, Quynh (Fed)
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Dang, Quynh (Fed)
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Martin Thomson
- Re: [Curdle] Comments on draft-housley-cms-eddsa-… Jim Schaad