Re: [Curdle] Ed25591ctx
Jim Schaad <ietf@augustcellars.com> Sun, 21 August 2016 19:28 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FDCA12D7DA for <curdle@ietfa.amsl.com>; Sun, 21 Aug 2016 12:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id whybkeNoJejj for <curdle@ietfa.amsl.com>; Sun, 21 Aug 2016 12:28:05 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 912B212D7A1 for <curdle@ietf.org>; Sun, 21 Aug 2016 12:28:04 -0700 (PDT)
Received: from hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sun, 21 Aug 2016 12:39:50 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: ilariliusvaara@welho.com
References: <05fa01d1f806$485b99f0$d912cdd0$@augustcellars.com> <20160817033711.32r5wvmueniqvkk5@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20160817033711.32r5wvmueniqvkk5@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Sun, 21 Aug 2016 12:27:31 -0700
Message-ID: <007901d1fbe2$112d30d0$33879270$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHmq3PHmJZ1Zt4yMknvAsjdQB0DPgHHRDYKoBwxAxA=
Content-Language: en-us
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/AVn2s7yv1zGM_RGGtFwSKaNl-yE>
Cc: curdle@ietf.org
Subject: Re: [Curdle] Ed25591ctx
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Aug 2016 19:28:06 -0000
> -----Original Message----- > From: ilariliusvaara@welho.com [mailto:ilariliusvaara@welho.com] > Sent: Tuesday, August 16, 2016 8:37 PM > To: Jim Schaad <ietf@augustcellars.com> > Cc: curdle@ietf.org > Subject: Re: [Curdle] Ed25591ctx > > On Tue, Aug 16, 2016 at 02:36:40PM -0700, Jim Schaad wrote: > > Ilari has done edits on a local draft to respond to my comments and it > > appears he is planning on introducing a new mode to the EdDSA drafts > > for 25519. Specifically one would have: > > > > EdDSA25519 - the traditional signature algorithm EdDSA25519ctx - a new > > mode for 25519 which has a context structure available to it. > > EdDSA25519pre - a pre-hash mode that uses the same structure as > > EdDSSA25519ctx > > The names aren't right (the right ones are 'Ed25519ctx' and 'Ed25519ph'), but > otherewise quite so (assuming contexts will be part of the document!) > > > This means that we would no longer have the huge problem between ctx > > and pre hash modes conflicting quite as much as one could require the > > use of ctx and pre instead. One still has the problems between pure and the > other modes. > > That change also solves the problem of using the same key for Ed25519 and > Ed25519ph. > > However, Ed25519ctx and Ed25519ph can't be computed using standard > Ed25519 software. There is no way to do so while remaining safe to key- share. > Fortunately, the places that are modified are likely not to be too inaccessable > (i.e. written in high-level-language) in practical implementations, if you can > modify one. > > > The questions I have are: > > > > Should we issue an OID for the new ctx mode? > > > > Should we require the use of the ctx mode for signing of certificates? > > > > Should we have any advisory language which says that new usages SHOULD > > use the ctx mode over the pure mode? > > It occurs to me that one could avoid use of prehashed EdDSA variants by adding > OID that is defined to sign a hash object[1] instead of the actual data. If then > one could avoid contexts, one could just use standard-issue > Ed25519 code (which is dime dozen). > > That could be also be used to avoid the potentially annoying SHAK256 hashing if > one wants long-input Ed448. > > > While contexts could help against things like that TLS 1.2 LURK SKI attack EKR > came up with, there are plenty of RSA or ECDSA keys that are unprotected > against such abuse. > > And then there is the issue that contexts are a new input, and many signature > APIs just doesn't have it. > > And with regards to new stuff using contexts, I think it is a bad idea, unless the > stuff used only contextualized signatures. And PKIX fails that criteria. > > > > [1] One rough sketch (excuse me for not using the correct notation): > > SEQUENCE { > OID <some-assigned-oid> > OCTET_STRING zeroes_64octets > AlgorithmIdentifier hash_algorithm > OCTET_STRING hash_value > } > > DER-encode that (easily templateable if you know the hash, which would come > from the signature algorithm OID) and use that as message for algorithm. > > The OID in the beginning is to distinguish it from other ASN.1 structures. > > I threw that zeroes_64octets in there to make it more difficult to abuse with > TLS. > > Specifically, valid TLS 1.3 signatures can't look like that because those start with > 0x20, not 0x30 like that one does. > > Nor can valid TLS 1.2 signatures, because that one presumably has a zero in 65th > and 66th position, which would code curve type 0 > (undefined) for ECDHE and p=0 (division by zero) for DHE. > > One minor problem being that it breaks a SHA-512 block (which is like 2% speed > penalty for signing, less for verfication). This worries me from the following perspective: Ok - this would work if we had just TLS and ASN.1, but I start worrying about this when you also decide to do the same thing for CBOR, XML, JSON and who knows what other formats. YAML anybody? It is easy to potentially avoid the collisions with two, but harder as new people without the same experience as we have decide to do the same type of thing. I would rather tell people to design a content structure that does the prehash thing and sign that content than have fancy structure as part of the signature processing. This is the basic approach I have suggested for signing of large detached files for CBOR and JOSE. It is also similar to how CMS is designed where the content is hashed and that result is part of what is signed. Jim > > > > > -Ilari
- Re: [Curdle] Ed25591ctx Ilari Liusvaara
- Re: [Curdle] Ed25591ctx Jim Schaad
- Re: [Curdle] Ed25591ctx Ilari Liusvaara
- Re: [Curdle] Ed25591ctx Jim Schaad
- Re: [Curdle] Ed25591ctx Ilari Liusvaara
- [Curdle] Ed25591ctx Jim Schaad
- Re: [Curdle] Ed25591ctx Jim Schaad
- Re: [Curdle] Ed25591ctx Jim Schaad
- Re: [Curdle] Ed25591ctx Ilari Liusvaara