Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures
"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Fri, 06 May 2016 11:16 UTC
Hi Jim,

To hash the signedAttributes value, SHAKE256/512 would be great.

For ed25519 and ed448 EdDSA signatures, hash algorithm OID should be null/absent. For ed25519ph and ed448ph, the hash algorithm is the prehash function: SHA512 for ed25519ph and SHAKE256/512 for ed448ph.

Regards,
Quynh.

________________________________________
From: Curdle <curdle-bounces@ietf.org> on behalf of Jim Schaad <ietf@augustcellars.com>
Sent: Thursday, May 5, 2016 8:39 PM
To: 'Russ Housley'
Cc: curdle@ietf.org
Subject: Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures

-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Thursday, May 05, 2016 5:08 PM
To: Jim Schaad <ietf@augustcellars.com>
Cc: curdle@ietf.org
Subject: Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures

On May 5, 2016, at 4:47 PM, Jim Schaad <ietf@augustcellars.com> wrote:

>> A second worry is that SHAKE256 is defined as being an XOF function
>> and not a hash function. I think it might make more sense to say
>> that we should be using SHA3-256 rather than SHAKE256. In any event
>> the OID assigned on the NIST web site does not make any statements
>> about the size of output of SHAKE256 and if we are going to use it
>> as a hash algorithm here we need to do that. Suffice it to say that
>> I don't think that using SHAKE256 as a hash algorithm here is
>> sufficiently defined.
>
> Doesn't this need to be addressed in draft-irtf-cfrg-eddsa?
>
> [JLS] No, I am not worried about how SHAKE256 is being used in the
> EdDSA process (it is fully defined there), I am looking at the use of
> SHAKE256 when it is placed in the digestAlgorithm attribute of the
> SignerInfo structure. In this case the length of the output needs to
> be specified (i.e. how long is the message digest signed attribute).
> This is defined for hash algorithms, but is not defined for XOF functions.

I was not understanding your issue until now.

You are worried about this:

  Compute SHAKE256(dom(F, C) || prefix || M, 114), where M is the message to be signed.

Maybe we just make M = SHA512(ValueOnly(DER(SignedAttrs)))

Russ

[JLS] No that is not what I am worried about. What I am worried about is

  SignerInfo ::= SEQUENCE {
    version CMSVersion,                          -- == 1 or 3
    sid SignerIdentifier,                        -- Identifier of the signer
    digestAlgorithm DigestAlgorithmIdentifier,   --- AlgorithmIdentifier( {hashAlgs 12}, absent )
    signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
      { contains Attribute{ aa-messageDigest, SET OF { OCTET STRING { SHAKE256(Message Body) }}
    signatureAlgorithm SignatureAlgorithmIdentifier,   -- id-edDSA
    signature SignatureValue,                    -- cryptographic result of eddsa with
                                                 -- SHAKE256(dom(F, C) || prefix || DER(SignedAttrs), 114)
                                                 -- where DER(SignedAttrs) = M just as would be expected.
    unsignedAttrs [1] IMPLICIT Attributes {{UnsignedAttributes}} OPTIONAL
  }

The length of SHAKE256(Message Body) is not defined nor is there any place for it to be specified by a parameter. Specifically one needs to be able to say that the messageDigest = SHAKE256(Message Body, 114) (Or maybe just 57? If you want to do some type of size matching since the EdDSA uses a double width hash algorithm internally)

Jim

_______________________________________________
Curdle mailing list
Curdle@ietf.org
https://www.ietf.org/mailman/listinfo/curdle