Re: [IPsec] draft-ietf-ipsecme-eddsa-01 pre-hash SHOULD NOT or MUST NOT
Yoav Nir <ynir.ietf@gmail.com> Sun, 09 April 2017 05:30 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1CE91292D3; Sat, 8 Apr 2017 22:30:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hQzNuyQl7tZP; Sat, 8 Apr 2017 22:30:47 -0700 (PDT)
Received: from mail-wr0-x231.google.com (mail-wr0-x231.google.com [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A89A91292F4; Sat, 8 Apr 2017 22:30:46 -0700 (PDT)
Received: by mail-wr0-x231.google.com with SMTP id o21so101760730wrb.2; Sat, 08 Apr 2017 22:30:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Weecz2Xkss4w3SecCuOFNOXc3H+qBORJzIp2KgmyLeg=; b=qj4d+5qluDdlemc2AKc3R1GTU9avIXPzfHQfIfevXnfai+7DPZ+mHx8v/kHwb+BQ1o ymZo3eLRsB5/RGpo5Z/L6AzAU2kt+h6UTYtiZOK2DPt4T2xRm0xE3ZWSViJdWE+HFjAE 6C3XhelRy5ZcTAhJGly/tQ40u1BeYjdM9ZWd6M5qLIVHFe4XvyXlLSYr8+BF+IUP1L1P op8ueZWZ2V58cLhbEgsKSZMNX0S5KmV3ilGsmtzYqKsVMWeNYYTvejXTvJ8U+Z0TsA2y IbedldX9CpZ9Qb5TM986xXHZB9MjHzxC1fITos3mgnHjKxWtAnu3OGTwNymYVjfXVUUJ ppMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Weecz2Xkss4w3SecCuOFNOXc3H+qBORJzIp2KgmyLeg=; b=rXR7gUViyzUH/XlFiGI74g1XTRjE51gS5VaPrZWJ0RZhZLROLRxnCX1bTlcZuR/dDf AHBVHA4MdAWOMF6d/Mnyp6IlDCRVMjLKd+QZrkj/c6Xpu8hNMnVpXlXScsXj7Z9CxcKt VRgP37VPYLlw0FNP8T+9ZMq/AAJpChzTrSJZOoj54a4PUJb1QdnHex1EgcenOF1W2RIm OWqc0By8LfkRiSAUsMdbA+GvcRyHkHm3zfHm9JmVHufamzbAX8QOsa8+dLuYx5y6/GNm vi65MeAB3gFZlfdkr2p/Iqrd9lVIUl5NWXxyYm91HqSapGAyog6y0XR8gKtA0KBNjzi+ o87A==
X-Gm-Message-State: AN3rC/56FIDrKxweoNKJK1cNDRBjh2NxnlCIO6tgvASfETBGCax4XRVDxGYj5/fGQZIXsg==
X-Received: by 10.223.151.150 with SMTP id s22mr12188988wrb.123.1491715845117; Sat, 08 Apr 2017 22:30:45 -0700 (PDT)
Received: from users-mbp.mshome.net ([176.12.184.254]) by smtp.gmail.com with ESMTPSA id m14sm12283935wrb.13.2017.04.08.22.30.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 08 Apr 2017 22:30:44 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <21C127DF-D0BF-4B53-B17A-7CA0E43BB6D9@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_997B9D91-E95F-4E09-8118-78F94D9B0D52"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Sun, 09 Apr 2017 08:30:40 +0300
In-Reply-To: <22756.61602.820418.641692@fireball.acr.fi>
Cc: draft-ietf-ipsecme-eddsa.all@ietf.org, ipsec@ietf.org
To: Tero Kivinen <kivinen@iki.fi>
References: <22756.61602.820418.641692@fireball.acr.fi>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zGWGlUh-2hWxSryfUk5bktem8gM>
Subject: Re: [IPsec] draft-ietf-ipsecme-eddsa-01 pre-hash SHOULD NOT or MUST NOT
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Apr 2017 05:30:49 -0000
> On 5 Apr 2017, at 16:26, Tero Kivinen <kivinen@iki.fi> wrote: > > Now the pre-hash algorithms are SHOULD NOT: > > The pre-hashed versions of Ed25519 and Ed448 (Ed25519ph and Ed448ph > respectively) SHOULD NOT be used in IKE. > > I think we could say MUST NOT be used. As it turns out they cannot be used, because the latest CURDLE draft removed the definitions of OIDs for the pre-hashed versions. Still, I’m not comfortable proscribing one algorithm in a document about a different (although related) algorithm. How about: OLD: The pre-hashed versions of Ed25519 and Ed448 (Ed25519ph and Ed448ph respectively) SHOULD NOT be used in IKE. NEW: This document describes the use of the non pre-hashed versions of Ed25519 and Ed448 only. > I.e, say that pre-hash versions MUST NOT be used, and that Ed25519 and > Ed448 MUST be used with "Identity" hash identifier, and none of the > other currently defined signature algorithms MUST NOT use "Identity" > hash.. OLD: Ed25519 and Ed448 are only defined with the Identity hash, and MUST NOT be sent to a receiver that has not indicated support for the "Identity" hash. NEW: Ed25519 and Ed448 are only defined with the Identity hash, and MUST NOT be sent to a receiver that has not indicated support for the "Identity" hash. No other signature algorithm is currently defined that should use the Identity hash, so this hash MUST NOT be used with any current algorithm. > The following part of the security considerations might also need > updating: > > On the other hand there is > no good reason to pre-hash the inputs where the signature algorithm > either does not require it or performs a hash internally. > > This sentence would indicate that if the RSA key is large enough so we > can actually sign the full data without pre-hashing, that would be > something we would prefer. I do not think we actually want to allow > that. We should say that Identity hash identifier MUST only be used > when using signature algorithms specifically supporting it. > > For this > reason implementations SHOULD have the "Identity" value in the > SIGNATURE_HASH_ALGORITHMS notification when they support EdDSA. > Implementations SHOULD NOT have other hash algorithms in the > notification if all signature algorithms have this property. > > If implementation supports EdDSA then it is policy decision whether it > wants to use it, and wheter it wants ot include "Identity" as one of > the hash algorithms. How about: 3. Security Considerations The new "Identity" value is needed only for signature algorithms that accept an arbitrary-sized input. It MUST NOT be used if none of the supported and configured algorithms have this property. On the other hand there is no good reason to pre-hash the inputs where the signature algorithm has that property. For this reason implementations MUST have the "Identity" value in the SIGNATURE_HASH_ALGORITHMS notification when EdDSA is supported and configured. Implementations SHOULD NOT have other hash algorithms in the notification if all supported and configured signature algorithms have this property. > -- > kivinen@iki.fi