[jose] Do we have unsafe uses of Ed448 and Ed25519? Fix Ed448?
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 10 September 2024 18:03 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 918E8C13AE28; Tue, 10 Sep 2024 11:03:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.654
X-Spam-Level:
X-Spam-Status: No, score=-6.654 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwiopyJheSPo; Tue, 10 Sep 2024 11:03:10 -0700 (PDT)
Received: from mail-oa1-f52.google.com (mail-oa1-f52.google.com [209.85.160.52]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFD66C15106F; Tue, 10 Sep 2024 11:03:10 -0700 (PDT)
Received: by mail-oa1-f52.google.com with SMTP id 586e51a60fabf-27bd815cbf1so40940fac.1; Tue, 10 Sep 2024 11:03:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725991390; x=1726596190; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=w0wV6GBBpcOyUo7w33b9SiMFew43DG5Y/a0aldKju7o=; b=mQb+T3Mk/yqcRgFaQ3XxkuFDyfXfTEc3hrb+/pHS40LFsLu9lMCPKMbXu92HFiauG2 QCMezak9Z4GpsJINGpMkoMLzmxWVCEjsqr0nDY0Nz9DDAX4M6GmRXTsvrqo2fp6VkBks msHXbquhYgdTzx3D20mWwXv82CX5H+LsJgAvjjcRV0hOZUvTH5M9oYPMgIL11te2/6Ca dibOyMMO/f/8nTzZITuge7b/sTjYe6FvvdWaXFmYuNEuvWWlMhD2an2obJulW5GoPQjt EfF8RNSRvaCyg3UkykxhijbX8Tv/koH5tS8SPI8iejzw3+ClKQxZzV3ydgeX4JmJYh9J 5IyQ==
X-Forwarded-Encrypted: i=1; AJvYcCUwEWJhVTFJbWkpcaYkyyDt2bxC+/4IaDYr1j0VNe3ZarQ5UUmSHxzeY0gvevUkt+e0QU/nGw==@ietf.org, AJvYcCVNHviuhbd0N/aiaZfEBQD1kJuCD2i5vzjdoWDcCdjOEB1DoWOtbynzrXHBExFcPJpEAShL0g==@ietf.org, AJvYcCWlxJS0DabNWMnavs6OpQCs1M1wSvAYG6zo9493i5AsC4VHOdmqMmpQ/Xv1oiaIdyHsDRgbKg==@ietf.org
X-Gm-Message-State: AOJu0Yw9YekagIXVwEBcr4zWP9bs0MIT4GX60fXWh2bBWGe8LApmeL44 LOixf6YONJewWwGSOV4BGD/C30QykVgksI4Gf3nyIcX6BachLek0rOEdXbW8vkks+CoMYX4nI0F eIsuR/qs2wK3aqPmPKbaoS+Xdsoge0HLs
X-Google-Smtp-Source: AGHT+IGxj5/HGXONjDnUS0RwLjnuH1sSq/KsSK+F5XatE64PG4NtbDZTlN+6Tkz9NRZ/lZUQKwMGCgjnTSFjDfjVbI8=
X-Received: by 2002:a05:6870:f115:b0:277:e838:bdc5 with SMTP id 586e51a60fabf-27be6bbcd20mr1731012fac.17.1725991389625; Tue, 10 Sep 2024 11:03:09 -0700 (PDT)
MIME-Version: 1.0
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 10 Sep 2024 14:02:57 -0400
Message-ID: <CAMm+Lwhqn4Jb6+ngpn7XgewMPhp_m30sVmHHWpGOzgQL-Jb-Gg@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>, jose@ietf.org, cose WG <cose@ietf.org>, SPASM <SPASM@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aa06d20621c7af3f"
Message-ID-Hash: SYKZJRKND454TTKA3LEYNBKD2BDRG7BN
X-Message-ID-Hash: SYKZJRKND454TTKA3LEYNBKD2BDRG7BN
X-MailFrom: hallam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Do we have unsafe uses of Ed448 and Ed25519? Fix Ed448?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/6Ulg02ebVj6nWs-hemTxbXrZNSY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
Apologies for crossposting but I am finding it impossible to follow the same conversation with the same set of people split across five different lists. So as I tried to understand the difference between ML-DSA pure and pre-hashed, I realized that we might have a problem in the use of Ed448 and Ed25519 *IN APPLICATIONS* and so I want to explain what I think is a possible hole in some of them. The concern is a downgrade attack where the attacker substitutes a weak digest for a strong one. Some people seem to think this is an implausible attack but it really is not because there is no way for the signer to control the set of digests accepted by the verifier. For example, Alice signs a PDF document and sends it to Bob who checks it using an application that Mallet has added his own digest verifier to. Yes, this assumes a degree of platform compromise but so does every privilege escalation attack and those are something we worry about A LOT. The reason we spent so much time over RSA signature modes was precisely because this is a critical security concern and the RSA padding matters. So the rule is that when you have a signature over a digest value, you MUST always sign the data itself or a manifest that includes the digest value and the digest algorithm. The problem comes in the definition of 'data' because if you are looking at the problem from the application side, well, the digest is data, isn't it? And I am pretty sure this is a problem because we seem to get into a lot of confused discussions whenever the topic is raised. ML-DSA offers two signature mechanisms, 'Pure and preHashed. Pure is the version to use when you are signing the data itself or a manifest such as the one specified in OpenPGP. Jose has the JWS Protected Header and so on. Yes, we do tell people not to roll their own crypto, but that doesn't mean we should make design choices that include landmines because we don't know who is going to walk on 'em. The problem in my view lies with the 'prehashed' version where ML-DSA specifies a drop in replacement for the RSA signature API. RSA can only sign a short message and as Rogaway pointed out, the encryption strength varies over the payload. So we have to use one of the manifest formats specified by a version of PKCS 1. ML-DSA does the job right. A program that was using RSA for signature can easily switch to ML-KEM, all they need to do is to use ML-KEM Prehashed which has the exact same interface as RSA Sign: Message Digest OID, Message Digest Value. Ed448 and Ed25519 specify 'preHash modes' but they do not support the RSA API. They insist that the implementation use a particular digest. Ed25519 isn't that bad because the hash is SHA-2-512 which is the only hash I use for content anyway. But Ed448 uses SHAKE256 which isn't a hash you would use for content except when doing Ed448. The 'Prehash modes of Ed448 and Ed25519 do solve the problem of avoiding the need to stream all the data being signed through the HSM. But from my perspective as the designer of cryptographic protocols, telling me which digest algorithm I am going to use for content is not the job of the signature algorithm designer. The choice of content digest is MY choice and I have to think about other signatures I might be making over the same content. So what I propose is we specify a proper prehash mode for Ed25519 and Ed448 and any other algorithm that doesn't provide binding of a chosen digest to the algorithm used to produce it by specifying a manifest format that can be applied generically. Does not have to be fancy, in fact I would just take the ML-DSA construction: 𝑀′ ← BytesToBits(IntegerToBytes(1, 1) ∥ IntegerToBytes(|𝑐𝑡𝑥|, 1) ∥ 𝑐𝑡𝑥 ∥ OID ∥ PH𝑀) And the only thing I would change there is to replace the ML-DSA version identifier with an OID off an IETF arc to denote the manifest construction. A big advantage of this approach is that we get the context input added into our scheme as well. One area where I disagree with FIPS204 is that I don't think it is a problem to share keys across pre and pure. If that is in fact a problem it is because we have done it all wrong. The real issue is sharing keys across different applications making a semantic substitution attack possible. And the problem there is that we need to come up with a theory of how to use the Context parameter consistently. I will post on that separately.
- [jose] Do we have unsafe uses of Ed448 and Ed2551… Phillip Hallam-Baker
- [jose] Re: [CFRG] Do we have unsafe uses of Ed448… Daniel Huigens
- [jose] Re: [CFRG] Do we have unsafe uses of Ed448… Phillip Hallam-Baker
- [jose] Re: [CFRG] Do we have unsafe uses of Ed448… Daniel Huigens
- [jose] Re: [lamps] Re: [CFRG] Do we have unsafe u… Markku-Juhani O. Saarinen
- [jose] Re: [lamps] Re: [CFRG] Do we have unsafe u… Daniel Huigens