Re: [Curdle] Review of draft-ietf-curdle-cms-eddsa-signatures-03
Russ Housley <housley@vigilsec.com> Mon, 10 April 2017 18:59 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00F9D129A96 for <curdle@ietfa.amsl.com>; Mon, 10 Apr 2017 11:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W6rfQycQLzbQ for <curdle@ietfa.amsl.com>; Mon, 10 Apr 2017 11:59:57 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B29C7127369 for <curdle@ietf.org>; Mon, 10 Apr 2017 11:59:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 1DE67300436 for <curdle@ietf.org>; Mon, 10 Apr 2017 14:59:57 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 3UTxIfvnvym0 for <curdle@ietf.org>; Mon, 10 Apr 2017 14:59:55 -0400 (EDT)
Received: from new-host-2.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id E106A300229; Mon, 10 Apr 2017 14:59:55 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <059e01d2a8a4$270b2370$75216a50$@augustcellars.com>
Date: Mon, 10 Apr 2017 14:59:55 -0400
Cc: curdle <curdle@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <22ECDDA1-CBDC-406C-B6CB-0B0BA526030F@vigilsec.com>
References: <059e01d2a8a4$270b2370$75216a50$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/jPRXtbrz9BRzyfZ9B2tfnZA8ltc>
Subject: Re: [Curdle] Review of draft-ietf-curdle-cms-eddsa-signatures-03
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2017 18:59:59 -0000
Jim:
Sorry, I flagged this message in my inbox, and then I missed it when I made the update earlier today.
> Section 3.1 - I would like to have a brief discussion on the integer value
> that is being used with the id-shake256-len OID when it is being used as a
> digest algorithm. The value of 512 means that the signature security is
> going to be the same as is currently setup for Ed25519. To have the same
> dynamic as Ed25519 does, this should be 448*2 so that after birthday attacks
> the same size of value would be provided.
RFC 8032 uses SHAKE256(x, 114) every place that SHAKE256 is used. Reading a bit more carefully, I see that the output is 114 octets or 912 bits.
I suggest that we align with these values. That is:
When signing with Ed448, the message digest
algorithm MUST be SHAKE256 [FIPS202] with a 912-bit output value.
and
When using the id-shake256-len algorithm identifier, the parameters
MUST be present, and the parameter MUST contain 912, encoded as a
positive integer value.
> Section 4 - I thing that it should also be highlighted that this is a
> greater problem for when using the Signed-data without signed attributes as
> the value signed is more constrained in the other case.
I suggest:
4. Implementation Considerations
The EdDSA specification [EDDSA] includes the following warning. It
deserves highlighting, especially when signed-data is used without
signed attributes and the content to be signed might be quite large:
PureEdDSA requires two passes over the input. Many existing APIs,
protocols, and environments assume digital signature algorithms
only need one pass over the input, and may have API or bandwidth
concerns supporting anything else.
Russ
- Re: [Curdle] Review of draft-ietf-curdle-cms-edds… Jim Schaad
- Re: [Curdle] Review of draft-ietf-curdle-cms-edds… Russ Housley
- Re: [Curdle] Review of draft-ietf-curdle-cms-edds… Ilari Liusvaara
- Re: [Curdle] Review of draft-ietf-curdle-cms-edds… Jim Schaad
- Re: [Curdle] Review of draft-ietf-curdle-cms-edds… Russ Housley
- [Curdle] Review of draft-ietf-curdle-cms-eddsa-si… Jim Schaad