IETF Logo Mail Archive

Re: [Curdle] AD Review: draft-ietf-curdle-rsa-sha2-07.txt

denis bider <denisbider.ietf@gmail.com> Mon, 21 August 2017 17:36 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18B6F1323C0 for <curdle@ietfa.amsl.com>; Mon, 21 Aug 2017 10:36:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id thKiJwC4dHmx for <curdle@ietfa.amsl.com>; Mon, 21 Aug 2017 10:36:07 -0700 (PDT)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D93E01323B8 for <curdle@ietf.org>; Mon, 21 Aug 2017 10:36:06 -0700 (PDT)
Received: by mail-lf0-x22d.google.com with SMTP id y15so69527213lfd.5 for <curdle@ietf.org>; Mon, 21 Aug 2017 10:36:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=eIknO9T4hoeRjdaixHNQ3imVBrmvGZCeoFxmX942rck=; b=d6SUqyWHwLpFBIi6kkSDvPF1R7Z57mD8JiDBqyfwo9CVD93iCCdlU17NC2QlrQZoQT j0eOXMI0ZsS/UJj3YFm/yVClhzqNLQNi0UHTvfAezLGXJqEWmo91+djy+9gciDU23rot tEO+xTJvwd0CN5HmeezlqS0HYzcoLqPjHIa6uvSAIPaPAwNVHehuR0VXnuAEojiODa2u X666wjrMU26VE2ActBtWn/ar5UV9Qs6oe/IwwQhjPaWR6MH24Vbi8QSPG+Hi4Q0cZg9d a6W8O7PDwaV7OgxQMP0uL9j0Zd2FzkS1TD6v+qDGcjMuU0OTyQApQn39TEoQ6NnvzgO4 x8WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=eIknO9T4hoeRjdaixHNQ3imVBrmvGZCeoFxmX942rck=; b=slbFsgSvk8gWaLinXXF9tj9CUVIj01PIQMiEP4DbJgpwGwAjB0k2QC0u1ly+L9cB81 f2FR5veDI4/AgfWCpK2P98xyM1byDA0P6yLkgHgVcmw8dKW7+zmZuAn4NBYuVccCVUi3 ohkiqeIePmSzFKsPMv7ozQLzFb40pj056Thvgsi9mji81bQbRS4asUt7uMAz9HUO7bM2 L78PEMoBMebuelSWmLdbYJdL//ubcWPblJ2X7ZRcFViR+LCqzw6a7O511HXKqYsKISVj 5pNBQ14+2px+ddPzZjlxgW82YkEITqknheuX1qvY1I7SEhS6PKApyPVD5e4FRn5e7Glj cDGQ==
X-Gm-Message-State: AHYfb5hhcQz86V909UvCmWTFTDTscmofn8wdXMCKHuBFGtggJ+jrLBbc fxU/B1p4mSGlED+evFWe9OaNY+ytrw==
X-Received: by 10.46.5.80 with SMTP id 77mr6494948ljf.91.1503336965041; Mon, 21 Aug 2017 10:36:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.179.27.209 with HTTP; Mon, 21 Aug 2017 10:36:04 -0700 (PDT)
In-Reply-To: <CABcZeBO3tafXhMg=-t98XaQswY_fbG_inQvTSe4p9Mi_H9eTyw@mail.gmail.com>
References: <CABcZeBNPQXbS2m6tk6DwB_8YqHD=MObiH+VeXpPZdn7atkfREw@mail.gmail.com> <CADPMZDDh4CiPurv-7aYXt7oT_27xX97ZK-qrdMVJi4uGf-K--Q@mail.gmail.com> <CABcZeBMSmrjaPwMGZofzbAikS2xCzjQMyJAtAHfHbejiOMQiRg@mail.gmail.com> <CADPMZDCPjGhp454NoutcPpWFuC-saf41VhvrVbffiGBY=1A6rw@mail.gmail.com> <CABcZeBP93oaA0CiZ8N3Gzw7TyJHsX7_bHaHdhKN-WC5gaox+uQ@mail.gmail.com> <CABcZeBO3tafXhMg=-t98XaQswY_fbG_inQvTSe4p9Mi_H9eTyw@mail.gmail.com>
From: denis bider <denisbider.ietf@gmail.com>
Date: Mon, 21 Aug 2017 12:36:04 -0500
Message-ID: <CADPMZDC=Ms+jV4dvJ7H1e7Ww9m8fPk+4D_weLUCtbyQmN3qrtw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="001a114a7264c77736055746e9e4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/yt71b1DAM3WW2JPYlek3PvdfBOM>
Subject: Re: [Curdle] AD Review: draft-ietf-curdle-rsa-sha2-07.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2017 17:36:10 -0000

Hey!

Apologies, I am currently in the middle of moving to another country again
(for the third, and hopefully final time!). I can still make changes as
necessary to this draft, though.

With respect to the below issue, I'm still not sure how to best phrase it
differently. Maybe we could just remove the paragraph about why we're not
doing DSA? At the time I wrote it, I thought it was a good idea to justify
the removal, but maybe we don't even really need to explain anything there.
Especially if the justification is simply "we don't wanna". :)

denis



On Sat, Aug 19, 2017 at 11:27 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> Ping?
>
> -Ekr
>
>
> On Tue, Jun 20, 2017 at 3:55 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> Usually, I would say "we're getting rid of finite field" :)
>>
>> -Ekr
>>
>>
>> On Tue, Jun 20, 2017 at 7:14 AM, denis bider <denisbider.ietf@gmail.com>
>> wrote:
>>
>>> I agree, but there has to be a reason it's on its way out. :) This is
>>> the one reason I know how to phrase. If there's something else I can do
>>> instead, let me know.
>>>
>>> On Mon, Jun 19, 2017 at 11:11 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Jun 19, 2017 at 8:28 AM, denis bider <denisbider.ietf@gmail.com
>>>> > wrote:
>>>>
>>>>> > Either you are using PKCS#1 v1.5 or you are using PSS.
>>>>> > In the former case, there is no mask function and salt.
>>>>>
>>>>> Yikes, thanks. :) This was left over from an early version that
>>>>> specified PSS. This was before PKCS#1 v1.5 was requested. (The change took
>>>>> place before any implementation was released, so all deployed
>>>>> implementations use PKCS#1 v1.5.)
>>>>>
>>>>>
>>>>> > You say in the intro that RSA was defined as 1024 bit
>>>>> > keys. Are these keys of arbitrary length? Is there an
>>>>> > upper or lower limit?
>>>>>
>>>>> I believe this may refer to the following sentence:
>>>>>
>>>>> "In [RFC4253], SSH originally defined the public key algorithms
>>>>> "ssh-rsa" for server and client authentication using RSA with SHA-1, and
>>>>> "ssh-dss" using 1024-bit DSA and SHA-1."
>>>>>
>>>>> Here, 1024-bit refers to DSA. RFC 4253 imposes no limits on RSA key
>>>>> sizes.
>>>>>
>>>>>
>>>>> > > Implementations SHOULD apply PKCS#1 v1.5 padding to the expected
>>>>> > > hash, THEN compare the encoded bytes with the output of [...]
>>>>>
>>>>> > Why "SHOULD?
>>>>>
>>>>> Fair point. Changed as follows:
>>>>>
>>>>> "Verifiers MUST instead apply PKCS#1 v1.5 padding to the expected
>>>>> hash, then compare the encoded bytes with the output of the RSA operation."
>>>>>
>>>>>
>>>>> > This is an odd argument given that ECDSA is often also
>>>>> > implemented with random k.
>>>>>
>>>>> I agree, but that is the main argument that was given by multiple
>>>>> people as the main reason to remove DSA from the original draft (which
>>>>> covered DSA in addition).
>>>>>
>>>>
>>>> How about just "DSA is on its way out" :)
>>>>
>>>>
>>>>>
>>>>>
>>>>> denis
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Jun 17, 2017 at 1:30 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>
>>>>>> TECHNICAL
>>>>>> S 3.
>>>>>>   Signing and verifying using these algorithms is performed according
>>>>>> to
>>>>>>   the RSASSA-PKCS1-v1_5 scheme in [RFC8017] using SHA-2 [SHS] as hash;
>>>>>>   MGF1 as mask function; and salt length equal to hash size.
>>>>>>
>>>>>> This seems incorrect. Either you are using PKCS#1 v1.5 or you are
>>>>>> using PSS. In the former case, there is no mask function and salt.
>>>>>> Appendix 5.3 suggests that you are not using PSS. In any case,
>>>>>> you need to fix the inconsistency.
>>>>>>
>>>>>> You say in the intro that RSA was defined as 1024 bit keys. Are
>>>>>> these keys of arbitrary length? Is there an upper or lower limit?
>>>>>>
>>>>>>
>>>>>> S 5.3.
>>>>>>   Implementations SHOULD apply PKCS#1 v1.5 padding to the expected
>>>>>> hash,
>>>>>>   THEN compare the encoded bytes with the output of the RSA operation.
>>>>>>
>>>>>> Why "SHOULD?
>>>>>>
>>>>>>
>>>>>> S 6.
>>>>>>   A draft version of this memo also defined an algorithm name for use
>>>>>> of
>>>>>>   2048-bit and 3072-bit DSA keys with a 256-bit subgroup and SHA-2 256
>>>>>>   hashing. It is possible to implement DSA securely by generating "k"
>>>>>>   deterministically as per [RFC6979]. However, a plurality of
>>>>>> reviewers
>>>>>>   were concerned that implementers would continue to use libraries
>>>>>> that
>>>>>>   generate "k" randomly. This is vulnerable to biased "k" generation,
>>>>>>   and extremely vulnerable to "k" reuse. This document therefore
>>>>>>   disrecommends DSA, in favor of RSA and elliptic curve cryptography.
>>>>>>
>>>>>> This is an odd argument given that ECDSA is often also implemented
>>>>>> with random k. Not that I am in favor of adding DSA here.
>>>>>>
>>>>>> -Ekr
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Curdle mailing list
>>>>>> Curdle@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/curdle
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email