Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Fri, 06 May 2016 11:16 UTC

From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Jim Schaad <ietf@augustcellars.com>, 'Russ Housley' <housley@vigilsec.com>
Date: Fri, 06 May 2016 11:16:15 +0000
Message-ID: <BN1PR09MB1247156C24CEC4B06712C9BF37D0@BN1PR09MB124.namprd09.prod.outlook.com>
References: <086701d1a0e4$965f2320$c31d6960$@augustcellars.com> <9458BE75-3657-4726-949C-6C9D7511AF21@vigilsec.com> <0c7301d1a4a2$cc47a680$64d6f380$@augustcellars.com> <B0C9A58C-2BDB-4CB5-867E-CE6FE02F9AA4@vigilsec.com> <106f01d1a70f$4d5c07c0$e8141740$@augustcellars.com> <549A2D33-98AF-4935-98A3-2EF475904B78@vigilsec.com>, <10a001d1a72f$cece40a0$6c6ac1e0$@augustcellars.com>
In-Reply-To: <10a001d1a72f$cece40a0$6c6ac1e0$@augustcellars.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/curdle/7JKj2p7-wPGtacqkSyr6RHLS-Ro>
Cc: "curdle@ietf.org" <curdle@ietf.org>

Hi Jim,

To hash the signedAttributes value, SHAKE256/512 would be great.

For ed25519 and ed448 EdDSA signatures, the hash algorithm OID should be null/absent. For ed25519ph and ed448ph, the hash algorithm is the prehash function: SHA512 for ed25519ph and SHAKE256/512 for ed448ph.

Regards,
Quynh.



________________________________________
From: Curdle <curdle-bounces@ietf.org> on behalf of Jim Schaad <ietf@augustcellars.com>
Sent: Thursday, May 5, 2016 8:39 PM
To: 'Russ Housley'
Cc: curdle@ietf.org
Subject: Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures

-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Thursday, May 05, 2016 5:08 PM
To: Jim Schaad <ietf@augustcellars.com>
Cc: curdle@ietf.org
Subject: Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures


On May 5, 2016, at 4:47 PM, Jim Schaad <ietf@augustcellars.com> wrote:

>> A second worry is that SHAKE256 is defined as being an XOF function
>> and not a hash function.  I think it might make more sense to say
>> that we should be using SHA3-256 rather than SHAKE256.  In any event
>> the OID assigned on the NIST web site does not make any statements
>> about the size of output of
>> SHAKE256 and if we are going to use it as a hash algorithm here we
>> need to do that.  Suffice it to say that I don't think that using
>> SHAKE256 as a hash algorithm here is sufficiently defined.
>
> Doesn't this need to be addressed in draft-irtf-cfrg-eddsa?
>
> [JLS] No, I am not worried about how SHAKE256 is being used in the
> EdDSA process (it is fully defined there), I am looking at the use of
> SHAKE256 when it is placed in the digestAlgorithm attribute of the
> SignerInfo structure.  In this case the length of the output needs to
> be specified (i.e. how long is the message digest signed attribute).
> This is defined for hash algorithms, but is not defined for XOF functions.

I was not understanding your issue until now.

You are worried about this:

       Compute SHAKE256(dom(F, C) || prefix || M, 114), where M is the
       message to be signed, .

Maybe we just make M = SHA512(ValueOnly(DER(SignedAttrs)))

Russ

[JLS]  No that is not what I am worried about.  What I am worried about is

  SignerInfo ::= SEQUENCE {
      version CMSVersion,                          -- == 1 or 3
      sid SignerIdentifier,                        -- Identifier of the signer
      digestAlgorithm DigestAlgorithmIdentifier,   -- AlgorithmIdentifier( {hashAlgs 12}, absent )
      signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
                -- contains Attribute{ aa-messageDigest,
                --   SET OF { OCTET STRING { SHAKE256(Message Body) } } }
      signatureAlgorithm SignatureAlgorithmIdentifier,  -- id-edDSA
      signature SignatureValue,  -- cryptographic result of eddsa with
                --  SHAKE256(dom(F, C) || prefix || DER(SignedAttrs), 114)
                --      where DER(SignedAttrs) = M just as would be expected.
      unsignedAttrs [1] IMPLICIT Attributes
          {{UnsignedAttributes}} OPTIONAL }


The length of SHAKE256(Message Body) is not defined, nor is there any place
for it to be specified by a parameter. Specifically, one needs to be able
to say that the messageDigest = SHAKE256(Message Body, 114) (or maybe just
57, if you want to do some type of size matching, since EdDSA uses a
double-width hash algorithm internally).


Jim


_______________________________________________
Curdle mailing list
Curdle@ietf.org
https://www.ietf.org/mailman/listinfo/curdle
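As an added illustration of Jim's point (not code from the thread or from the draft), the Python below computes a messageDigest value with SHAKE256 at a fixed 64-byte output (Quynh's "SHAKE256/512") and contrasts a verifier that pins that length with one that accepts whatever length the attribute carries; the message body is a constructed sample.

```python
"""Why an XOF used as a CMS digestAlgorithm needs a fixed output length.
Added example, not part of the mailing-list thread."""
import hashlib
import hmac

# Constructed sample standing in for the CMS eContent ("Message Body").
MESSAGE_BODY = b"constructed sample eContent for the SignerInfo example"

# 64 bytes = 512 bits, i.e. "SHAKE256/512" as proposed in the thread.
SHAKE256_OUTPUT_LEN = 64


def message_digest(body: bytes, out_len: int = SHAKE256_OUTPUT_LEN) -> bytes:
    """SHAKE256(body, out_len): the value the messageDigest attribute carries."""
    return hashlib.shake_256(body).digest(out_len)


def outputs_are_prefix_related(body: bytes, short: int, long: int) -> bool:
    """SHAKE256 is an XOF: the 57-byte output is the first 57 bytes of the
    114-byte output. So "SHAKE256(body)" without a length is ambiguous, and two
    implementations can each be correct yet produce different attribute values."""
    return message_digest(body, long)[:short] == message_digest(body, short)


def verify_message_digest_loose(body: bytes, attr_value: bytes) -> bool:
    """Verifier that does NOT pin the length: it recomputes the XOF to whatever
    length the attribute happens to have. Every prefix of the output stream is
    then a valid digest, so a very short attribute value is accepted."""
    recomputed = hashlib.shake_256(body).digest(len(attr_value))
    return hmac.compare_digest(recomputed, attr_value)


def verify_message_digest_strict(body: bytes, attr_value: bytes,
                                 out_len: int = SHAKE256_OUTPUT_LEN) -> bool:
    """Verifier with the output length fixed by the profile: the length is
    checked first, so the XOF behaves like a fixed-size hash function."""
    if len(attr_value) != out_len:
        return False
    return hmac.compare_digest(message_digest(body, out_len), attr_value)


if __name__ == "__main__":
    digest = message_digest(MESSAGE_BODY)
    print("57/114-byte outputs prefix-related:",
          outputs_are_prefix_related(MESSAGE_BODY, 57, 114))
    print("loose verifier accepts 8-byte digest:",
          verify_message_digest_loose(MESSAGE_BODY, digest[:8]))
    print("strict verifier accepts 8-byte digest:",
          verify_message_digest_strict(MESSAGE_BODY, digest[:8]))
```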