IETF Logo Mail Archive

Re: [Lake] Ways forward on MTI cipher suite text (was: Re: Ambiguous text on Mandatory to Implement suite)

Rene Struik <rstruik.ext@gmail.com> Tue, 25 January 2022 15:19 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA0F3A09DC for <lake@ietfa.amsl.com>; Tue, 25 Jan 2022 07:19:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.714, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Jt2sSTvXGr9 for <lake@ietfa.amsl.com>; Tue, 25 Jan 2022 07:19:53 -0800 (PST)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 355483A09D9 for <lake@ietf.org>; Tue, 25 Jan 2022 07:19:48 -0800 (PST)
Received: by mail-qt1-x835.google.com with SMTP id g12so986192qto.13 for <lake@ietf.org>; Tue, 25 Jan 2022 07:19:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:content-language:from:to :references:subject:in-reply-to:content-transfer-encoding; bh=qZ85Usp7ff68Ez8xY+Z8iqWEp1Fh/5O3ApOcWjBEEHA=; b=EpqOe95fI++X/5619Kl5r6wHL8cz2JcNaX0DPGX3KumZrhlTupCVesWIlDLQg6JK9c GrPoqtK6DeMaQQCQe5JFCDLg6qu+Th9cano4GhqwQUCpb8M7ELNU745w80rQFWjl6fXQ 2bc2K/8E0FcZ4XI896e0NWp0t9BLLNj2yL0KS62zenG1uZJXW4gdCgRhlCFiqLCcmuP2 8AiqK9SE9XeqaaLNyL0fnDTCHUeIWsZaHK2M88qRZr6lEYdOPrQsBzysWeLEbHuj5Anb Hn1KmgFwoG+LNb3A3IbygtdTzzRlTPR3ZYMocHqsh+VamF9zKAQpFrfGLhbtZBv3ZUBA CrTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:from:to:references:subject:in-reply-to :content-transfer-encoding; bh=qZ85Usp7ff68Ez8xY+Z8iqWEp1Fh/5O3ApOcWjBEEHA=; b=VJpjkng+RHV/cGtG3yUc/SsprOEEWzEZiMy5BUo0IyccIKBaY04GuRy5Rf9zeVZWks 025ojPI6t6gHdy8ODs+7UQ6rw0oD/KMv0YRglhGIY1pujhr7+uVrqeSj0IBSKs+lRIVo att5TnjaTnMAHtMJ5S2ieKMkkKhNaT7AwgyHUbEFDC+IwlooEIbVuuHYjcqK3GfHvDYs v3Ske1M2UsrzJJ4QO7kYjZkytYhDJZLO6B3ql+/ROSmAtP2029bchfWIjOB4MZpenSAm 5aw2c+UjG9Mk8wlFyrIpIvtBnHcuzuiIw6WGkAE/vRUsYM9XMUralVttiX+3CakwFOY0 +/sw==
X-Gm-Message-State: AOAM53101ukMTBvejlXZ7HdT5TUd6y2H7jzuMJO2cl1KQgw+9zsFa7X+ j38mshpIUT6drXL43LbGFmlrot45jBQ=
X-Google-Smtp-Source: ABdhPJyDuGM5TieThaZRDmgDnZqS5xfnDkwFrVDP1AQZruw/RUqG+a444tpW6+QXt3qnWD+ai8eZOw==
X-Received: by 2002:a05:622a:1181:: with SMTP id m1mr16644845qtk.582.1643123985752; Tue, 25 Jan 2022 07:19:45 -0800 (PST)
Received: from ?IPV6:2607:fea8:8a0:1397:c8e2:1d49:bb0b:1730? ([2607:fea8:8a0:1397:c8e2:1d49:bb0b:1730]) by smtp.gmail.com with ESMTPSA id l17sm561386qtu.79.2022.01.25.07.19.44 for <lake@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 25 Jan 2022 07:19:45 -0800 (PST)
Message-ID: <a2dd61ce-c562-6783-3a58-3fc0cd148844@gmail.com>
Date: Tue, 25 Jan 2022 10:19:43 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
From: Rene Struik <rstruik.ext@gmail.com>
To: lake@ietf.org
References: <F2A9BC47-A179-43CF-BA02-18BCBD83FF2C@inria.fr> <487f30c8-392e-d2ae-1c6b-72e254c2b607@gmail.com>
In-Reply-To: <487f30c8-392e-d2ae-1c6b-72e254c2b607@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/0-9X6McGoQCoqZ0q2v97eH9i4iY>
Subject: Re: [Lake] Ways forward on MTI cipher suite text (was: Re: Ambiguous text on Mandatory to Implement suite)
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jan 2022 15:19:58 -0000

Dear colleagues:

I would like to come back to my earlier email of Dec 16, 2021, in which 
I suggested that EdDSA is insecure in the environments this WG targets.

Implementation security concerns related to deterministic discrete-log 
signature schemes (such as EdDSA [RFC8032] and det-ECDSA [RFC 6979]) are 
reasonably summarized in [1], as mentioned in my Dec 16, 2021 note (and 
had been known well before RFC8032 came to be!). Here, a single-fault 
attack on EdDSA, where the same message is signed twice and where a 
computational error is caused during the second signing operation, would 
often suffice to be able to reconstruct the entire private signing key 
(essentially by solving a system of two linear equations in two 
variables, which are trivial to compute efficiently). With IoT-style 
devices, such errors can be quite easily created (via so-called 
glitches). Moreover, these errors can be created in such a way that, 
even if one were to only release a signature that was just produced 
after first checking this via ordinary signature verification (at ~3x 
the signing cost)), this would still not help: the attack can be tweaked 
to foil this countermeasure. The culprit here is the determinism in the 
signing operation. There are non-fault attacks as well, but single-fault 
attacks are the most lethal, since do not require any SCA-attack 
expertise except putting a computational error spoke in the wheel.

While most fault attacks described in the literature assume physical 
access to the device, some can be carried out remotely (e.g., spin-offs 
of the so-called Rowhammer attack). Most attacks are non-destructive, 
i.e., can be carried out without destroying the device at all: in other 
words, equipment users would not necessarily notice.

It will carry too far to try and summarize implementation security 
research to-date (I have 500+ papers on the topic on my machine), but 
the message should be clear: one should not ignore this issue.

In my mind, the Lake WG cannot really use Ed25519 as is and can either 
abandon any CFRG curve (i.e., use P-256 and ECDSA w/P-256/SHA-256), use 
Wei25519 and ECDSA25519 (i.e., still have the speedier Curve25519 under 
the hood, but use ECDSA instead of Ed25519), or fix the specification of 
Ed25519 with CFRG and, after reviewing whether this is a real fix and 
getting this sealed, still consider Ed25519. To me, it is puzzling that 
the last option was not taken for over two years now, so - right now - 
the path of least resistance is either going for slower NISTp curves or 
for ECDSA25519.

I do realize that some people have a strong desire to use Ed25519 no 
matter what. This is fine, except the "no matter what": if so, stop 
pretending, roll up your sleeves and solve security issues that have 
been known for over 5 years by now.

Best regards, Rene

On 2021-12-16 10:23 a.m., Rene Struik wrote:
> Hi Malisa:
>
> If one has to implement both Suites #0 and #2, one has to implement 
> both SHA-512 and SHA-256 (since EdDSA uses SHA-512 under the hood).
>
> I still do believe EdDSA is insecure in the environments this WG is 
> targeting and should be ditched. How can one still possibly defend 
> including a deterministic signature scheme in a specification that 
> clearly contravenes the stability and side-channel resistance 
> stipulations for MTI algorithms of BCP 201/RFC 7696, despite dozens of 
> publications about trivial implementation attacks? Please also see my 
> email of  a year ago, Dec 18, 2020, on Guidance on MTI algorithms [1].
>
> It is too bad that nobody ever pursued attempts to rectify this (such 
> as in 
> https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/, 
> originally suggested two years ago, on Dec 17, 2019). Pretending that 
> the issue is going away is without action is, however, not credible. 
> {Of course, one could still try and stick an RFC 8032 label on 
> something that isn't, but I wonder whether IETF would then devalue to 
> simply a marketing label issuing body, where an external shadow spec 
> would have to redefine things to make specs work. }
>
> Currently, the only secure signature scheme that uses Curve25519 under 
> the hood is ECDSA25519, as specified in the lwig curve document [2]. 
> This scheme also uses SHA256 as hash function, thereby obviating the 
> need to implement two hash functions if one were to have to implement 
> both the "NIST" suite and another one.
>
> Side question: whatever happened with the suggestion in John Mattson's 
> Feb 11, 2021 email re including ECDSA25519 in the formal analysis [3]?
>
> Ref:
> [1]https://mailarchive.ietf.org/arch/msg/lake/_sy7LSHk8idGAV_408JQOafi6LQ/ 
>
> [2] 
> https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-22#section-4.3
> [3] 
> https://mailarchive.ietf.org/arch/msg/lake/UYaV56yxz_zUWOqU32SoVozSw4I/
>
>
> On 2021-12-16 4:19 a.m., Mališa Vučinić wrote:
>> All,
>>
>> (chair hat off)
>>
>> As discussed during the interim yesterday, the current text in -12 on 
>> MTI requirements (Section 7) reads as follows:
>>
>>>     For many constrained IoT devices it is problematic to support more
>>>     than one cipher suite.  Existing devices can be expected to support
>>>     either ECDSA or EdDSA.  To enable as much interoperability as we 
>>> can
>>>     reasonably achieve, less constrained devices SHOULD implement both
>>>     cipher suite 0 (AES-CCM-16-64-128, SHA-256, 8, X25519, EdDSA, AES-
>>>     CCM-16-64-128, SHA-256) and cipher suite 2 (AES-CCM-16-64-128, SHA-
>>>     256, 8, P-256, ES256, AES-CCM-16-64-128, SHA-256). Constrained
>>>     endpoints SHOULD implement cipher suite 0 or cipher suite 2.
>>>     Implementations only need to implement the algorithms needed for
>>>     their supported methods.
>> I see two issues here: 1) imprecise language; 2) normative text that 
>> implies interoperability only in case when both peers implement both 
>> suites 0 and 2.
>>
>> When it comes to the devices and their capabilities, we have so far 
>> been using the precisely defined terms from RFC 7228. This is not the 
>> case here and we use terms such as “less constrained devices”, 
>> “constrained endpoints”. This is all very confusing. Why endpoint and 
>> not device? What does “less constrained device” actually mean in 
>> terms of RFC 7228?
>>
>> Assuming that the “constrained endpoint” is a typo and instead means 
>> “constrained device”, the normative statement in this text, i.e. 
>> implementing 0 OR 2, implies that we can achieve interoperability 
>> only in the case when both peers implement both 0 and 2 cipher 
>> suites. Requiring the implementation of two cipher suites on each 
>> device to achieve interoperability is far from the lightweight aspect 
>> of LAKE, so I would like to hear what are the working group’s 
>> thoughts on this.
>>
>> Mališa
>>
>

-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

v2.23.0 | Report a Bug | By Email