IETF Logo Mail Archive

Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures

"Jim Schaad" <ietf@augustcellars.com> Thu, 05 May 2016 20:47 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A1FD12D0DA for <curdle@ietfa.amsl.com>; Thu, 5 May 2016 13:47:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFYfvHuwd_po for <curdle@ietfa.amsl.com>; Thu, 5 May 2016 13:47:14 -0700 (PDT)
Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.177]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A20512D0C0 for <curdle@ietf.org>; Thu, 5 May 2016 13:47:14 -0700 (PDT)
Received: from hebrews (c-24-21-96-37.hsd1.or.comcast.net [24.21.96.37]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id 5587338F16; Thu, 5 May 2016 13:47:13 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>
References: <086701d1a0e4$965f2320$c31d6960$@augustcellars.com> <9458BE75-3657-4726-949C-6C9D7511AF21@vigilsec.com> <0c7301d1a4a2$cc47a680$64d6f380$@augustcellars.com> <B0C9A58C-2BDB-4CB5-867E-CE6FE02F9AA4@vigilsec.com>
In-Reply-To: <B0C9A58C-2BDB-4CB5-867E-CE6FE02F9AA4@vigilsec.com>
Date: Thu, 05 May 2016 13:47:12 -0700
Message-ID: <106f01d1a70f$4d5c07c0$e8141740$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIfBLXiu/ETDZDECg/NZrmdRKtKuwH6YJMHAx0dd7oCqvUie57R+7PA
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/curdle/nxIPgtiKRcE5r9vo-EFfcQrcedE>
Cc: curdle@ietf.org
Subject: Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 May 2016 20:47:16 -0000


-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com] 
Sent: Thursday, May 05, 2016 1:05 PM
To: Jim Schaad <ietf@augustcellars.com>
Cc: curdle@ietf.org
Subject: Re: [Curdle] Comments on draft-housley-cms-eddsa-signatures

Jim:

>> 2.  We need to get a definition of how to use SHAKE256 from someplace 
>> if we are going to say use the same hash algorithm throughout as that 
>> is what
>> Ed448 uses.  It would be worthwhile to specify what hash algorithms 
>> should be used with each of the different signature algorithms given 
>> that it is not clear from the name of the algorithm identifier.
> 
> This document references draft-irtf-cfrg-eddsa-05, and that document 
> includes this reference for SHAKE256:
> 
>   [FIPS202]  National Institute of Standards and Technology, U.S.
>              Department of Commerce, "SHA-3 Standard: Permutation-Based
>              Hash and Extendable-Output Functions", FIPS 202, August
>              2015.
> 
> I'm not sure what more you think is needed.
> 
> [JLS] To start with, I think we need to get a reference for an OID for 
> the
> SHAKE256 algorithm from NIST (or internally) since that is needed as 
> one of the authenticated attributes.

Based on other traffic on this list, I hope that NIST will assign the OID.

[JLS] They have assigned an OID for SHAKE256, I just don't know if it was
done "correctly" for our purposes.  We will need to work that out. I still
need to look at and think about Quynh's response to my message.

> I worry that since we have changed this set of identifiers from saying 
> X with Y to just saying X that there is going to be a degree of people 
> missing which algorithm is being used as a hash algorithm for this.

We need to do the same thing with this document and
draft-ietf-curdle-pkix-eddsa.

I have started a separate thread on this mail list.  Let's have the
discussion on that thread, and then put the conclusion in both documents.

> A second worry is that SHAK256 is defined as being an XOF function and 
> not a hash function.  I think it might make more sense to say that we 
> should be using SHA3-256 rather than SHAKE256.  In any event the OID 
> assigned on the NIST web site does not make any statements about the 
> size of output of
> SHAKE256 and if we are going to use it as a hash algorithm here we 
> need to do that.  Suffice it to say that I don't think that using 
> SHAKE256 as a hash algorithm here is sufficiently defined.

Doesn't this need to be addressed in draft-irtf-cfrg-eddsa?

[JLS] No, I am not worried about how SHAKE256 is being used in the EdDSA
process (it is fully defined there), I am looking at the use of SHAKE256
when it is placed in the digestAlgorithm attribute of the SignerInfo
structure.  In this case the length of the output needs to be specified
(i.e. how long is the message digest signed attribute).  This is defined for
hash algorithms, but is not defined for XOF functions.

Russ

v2.23.0 | Report a Bug | By Email