IETF Logo Mail Archive

Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Tue, 03 May 2016 15:39 UTC

Return-Path: <quynh.dang@nist.gov>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27EB612D966 for <curdle@ietfa.amsl.com>; Tue, 3 May 2016 08:39:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rs75CVEKPOXQ for <curdle@ietfa.amsl.com>; Tue, 3 May 2016 08:39:31 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0123.outbound.protection.outlook.com [23.103.200.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D14112D529 for <curdle@ietf.org>; Tue, 3 May 2016 08:39:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=YcMFl+UNUHWSMqyK7ECmceU8Q/0zwXY9qg2c+4aTefQ=; b=sE3UC07y5fZxJN66v9OxfMpLBEOv2zpXmBwqCpQWZ/RYG8+cbrQu1MfMIycndnrHkJ5z9DjMERbJSaigHZH83X+e5ATY8VinkREtDz7SDp13lJaE4HdK7KJ1eRB4+DbULKmtUp6ZJrllM+6DxNItLWK4a1iSrgAzMO8xMxxJ9sI=
Received: from BN1PR09MB124.namprd09.prod.outlook.com (10.255.200.27) by BN1PR09MB123.namprd09.prod.outlook.com (10.255.200.25) with Microsoft SMTP Server (TLS) id 15.1.477.8; Tue, 3 May 2016 15:39:29 +0000
Received: from BN1PR09MB124.namprd09.prod.outlook.com ([10.255.200.27]) by BN1PR09MB124.namprd09.prod.outlook.com ([10.255.200.27]) with mapi id 15.01.0477.015; Tue, 3 May 2016 15:39:29 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Jim Schaad <ietf@augustcellars.com>, 'Russ Housley' <housley@vigilsec.com>
Thread-Topic: [Curdle] Comments on draft-housley-cms-eddsa-signatures
Thread-Index: AQHRpJiiUMFvavyrw02yfEgwrMzH1p+l/FuAgAFU+4E=
Date: Tue, 03 May 2016 15:39:29 +0000
Message-ID: <BN1PR09MB12415B5CCF9173EDBAA4437F37A0@BN1PR09MB124.namprd09.prod.outlook.com>
References: <086701d1a0e4$965f2320$c31d6960$@augustcellars.com> <9458BE75-3657-4726-949C-6C9D7511AF21@vigilsec.com>, <0c7301d1a4a2$cc47a680$64d6f380$@augustcellars.com>
In-Reply-To: <0c7301d1a4a2$cc47a680$64d6f380$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: augustcellars.com; dkim=none (message not signed) header.d=none; augustcellars.com; dmarc=none action=none header.from=nist.gov;
x-originating-ip: [129.6.218.45]
x-ms-office365-filtering-correlation-id: a1f75076-427c-48d4-794f-08d373691db9
x-microsoft-exchange-diagnostics: 1; BN1PR09MB123; 5:gcX3sI62mRxo8FdACi74EI+7BBT7gZQ54j3kt+4/zW1f3zWFuZrSJN3t1elRwx4RH1eYfXGhe59EdcSNOVWclN35YwNWSn4D084yuUqXXmDH8zlBbCzm2k7MoJct0V5LO0CKkMIFgPcigiHrpq29dg==; 24:B+57NkAAYwFaBvEwgfrv5qJwAeX0kHPCPxkcHLBBtniQQjHHvXPIJ2XldmhZiXinofwsjmMFxraZMRi+BzpsoDdhDHw+qzI5ND40uxTxSrg=; 7:0atPzlpKAR0otcCjlRdDUPdPUN1oq2lyr/1ydmtWnKAxUwimUcZMqSF/MaONbtjzLih+nkaKpRhRG1V6E/UDhiuZUyiQqOvLk+FHt64Mu3g/WNQDIN6F5SZpboFi0EixyklwkyJ++iW6re4PAteHF0vp3T++Zdk198HvTFNnSOLRZCUFybmYN+9qVRsz+5pJ
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR09MB123;
x-microsoft-antispam-prvs: <BN1PR09MB12359D04009A2660AB1AADCF37A0@BN1PR09MB123.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(9101521096)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026); SRVR:BN1PR09MB123; BCL:0; PCL:0; RULEID:; SRVR:BN1PR09MB123;
x-forefront-prvs: 0931CB1479
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(377454003)(1220700001)(5001770100001)(102836003)(3846002)(6116002)(19580405001)(19580395003)(106116001)(10400500002)(54356999)(5004730100002)(33656002)(92566002)(99286002)(122556002)(230783001)(81166005)(87936001)(5008740100001)(189998001)(586003)(86362001)(4326007)(5002640100001)(3280700002)(9686002)(50986999)(5003600100002)(76176999)(76576001)(15975445007)(77096005)(74316001)(11100500001)(8936002)(5890100001)(66066001)(2950100001)(3660700001)(2900100001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN1PR09MB123; H:BN1PR09MB124.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 May 2016 15:39:29.0732 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR09MB123
Archived-At: <http://mailarchive.ietf.org/arch/msg/curdle/jJNKI3oltX4UJrXB__5KfERKEVQ>
Cc: "curdle@ietf.org" <curdle@ietf.org>
Subject: Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 May 2016 15:39:34 -0000

Hi Jim, Russ and all,

NIST currently plans to allow the SHAKEs to be used. Please see the document attached to the email John Kelsey sent out on 4/8/2016 with the email titled Customized shake. The uses of SHAKE256 in the EdDSA with Ed448 are good (prehash and without prehash versions).

SHAKE256 is used as a prf in the PureEdDSA with ed448 and a prf produces different output sizes depending on the needs.

If an OID for SHAKE256 with some specific output length is needed, NIST can help, just let us know!

Regards,
Quynh.

________________________________________
From: Curdle <curdle-bounces@ietf.org> on behalf of Jim Schaad <ietf@augustcellars.com>
Sent: Monday, May 2, 2016 2:45:19 PM
To: 'Russ Housley'
Cc: curdle@ietf.org
Subject: Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures

Russ,

Comments inline.

jim

-----Original Message-----
From: Curdle [mailto:curdle-bounces@ietf.org] On Behalf Of Russ Housley
Sent: Monday, May 02, 2016 10:32 AM
To: Jim Schaad <ietf@augustcellars.com>
Cc: curdle@ietf.org
Subject: [Curdle] Comments on draft-housley-cms-eddsa-signatures

Jim Schaad sent me some comments on this document.  Since I have asked this
working group to adopt this draft, I have gotten Jim's permission to respond
to the comments on list.

> 1.  I am not sure that I see a great deal of benefits for doing both the
> pre-hash version and pure version of EdDSA.   Specifically, the use of the
> pre-hash version really only seems to make sense if one does not use
> signed attributes.  However, I think that this is a case which would
> never occur for this signature algorithm.

Right.  Since signed attributes are the most common use with CMS, it is
probably better to just make use of PureEdDSA.

I suggest adding this text to Section 2 of the document:

   One of the parameters of the EdDSA algorithm is the "prehash"
   function.  This may be the identity function, resulting in an
   algorithm called PureEdDSA, or a collision-resistant hash function,
   resulting in an algorithm called HashEdDSA.  In most situations the
   CMS SignedData includes signed attributes, including the message
   digest of the content.  Since HashEdDSA offers no benefit when signed
   attributes are present, only PureEdDSA is used with the CMS.

And, then change Section 2.1 like this:

   When the id-EdDSAPublicKey onject identifier is used, the
   AlgorithmIdentifier parameters field MUST contain EdDSAParameters to
   specify a particular set of EdDSA parameters:

      EdDSAParameters ::= ENUMERATED {
        ed25519   (1),    -- PureEdDSA
        ed25519ph (2),    -- HashEdDSA; not used in the CMS
        ed448     (3),    -- PureEdDSA
        ed448ph   (4) }   -- HashEdDSA; not used in the CMS

[JLS] Both of those changes look very reasonable.


> 2.  We need to get a definition of how to use SHAKE256 from someplace
> if we are going to say use the same hash algorithm throughout as that
> is what
> Ed448 uses.  It would be worthwhile to specify what hash algorithms
> should be used with each of the different signature algorithms given
> that it is not clear from the name of the algorithm identifier.

This document references draft-irtf-cfrg-eddsa-05, and that document
includes this reference for SHAKE256:

   [FIPS202]  National Institute of Standards and Technology, U.S.
              Department of Commerce, "SHA-3 Standard: Permutation-Based
              Hash and Extendable-Output Functions", FIPS 202, August
              2015.

I'm not sure what more you think is needed.

[JLS] To start with, I think we need to get a reference for an OID for the
SHAKE256 algorithm from NIST (or internally) since that is needed as one of
the authenticated attributes.

I worry that since we have changed this set of identifiers from saying X
with Y to just saying X that there is going to be a degree of people missing
which algorithm is being used as a hash algorithm for this.

A second worry is that SHAK256 is defined as being an XOF function and not a
hash function.  I think it might make more sense to say that we should be
using SHA3-256 rather than SHAKE256.  In any event the OID assigned on the
NIST web site does not make any statements about the size of output of
SHAKE256 and if we are going to use it as a hash algorithm here we need to
do that.  Suffice it to say that I don't think that using SHAKE256 as a hash
algorithm here is sufficiently defined.

> 3.  In section 3 para 2: This sentence does not necessarily make sense
> for the pure version of EdDSA.  In some sense there is no hash
> function which is used on the signedAttribute value.  I don't know
> that it needs to be fixed, but it might be somewhat confusing.

You are talking about this paragraph:

   The same one-way hash function SHOULD be used for computing the
   message digest on both the eContent and the signedAttributes value if
   signedAttributes are present.

I think the principle is correct.  I'm not sure how to address your comment.

[JLS] Yeah, I am not sure how to address my comment here either.  The
problem as stated above is that there is no explicit hash function that is
used as a pre-hash to the signature so people might not know what hash
algorithm to be using here.


> 4.  In section 4, the problem with EdDSA is worse for the use of
> different algorithms than what you are stating.  It is possible to do
> some interesting forgeries if you cross between the pre-hash and not
> pre-hash versions with the Ed25519 curve since there is no context
> difference between them.  This has to be forbidden not just strongly
suggested.

Does the removal of HashEdDSA resolve this one?

[JLS] Yes that would deal with this issue.  However, given that currently
the difference is just a field in the enumeration it should probably have a
security consideration about it.  If we can change the PKXI draft so that
the pre-hash and pure versions using different OID identifiers, then this
because much cleaner and less of a worry.  It would currently be potentially
necessary to make a RFC 2119 statement about the enumeration which is not
proposed above.

Russ

_______________________________________________
Curdle mailing list
Curdle@ietf.org
https://www.ietf.org/mailman/listinfo/curdle

_______________________________________________
Curdle mailing list
Curdle@ietf.org
https://www.ietf.org/mailman/listinfo/curdle

v2.23.0 | Report a Bug | By Email