[Lake] (+ref [1] now) Re: Ways forward on MTI cipher suite text (was: Re: Ambiguous text on Mandatory to Implement suite)
Rene Struik <rstruik.ext@gmail.com> Tue, 25 January 2022 15:32 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92A803A0AEF for <lake@ietfa.amsl.com>; Tue, 25 Jan 2022 07:32:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mfwv_Xr3evN2 for <lake@ietfa.amsl.com>; Tue, 25 Jan 2022 07:32:02 -0800 (PST)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B6D63A0AD1 for <lake@ietf.org>; Tue, 25 Jan 2022 07:32:02 -0800 (PST)
Received: by mail-qv1-xf2a.google.com with SMTP id t7so25602538qvj.0 for <lake@ietf.org>; Tue, 25 Jan 2022 07:32:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language :from:to:references:in-reply-to:content-transfer-encoding; bh=DlkaYz2UNF1ZxUikuV1MxFU4poxUEXnW3RjXvgX2lMY=; b=EJm2FrHifRq4YEc136jJHaTztONgZC1yfSzTpQsQhykU+OM0/Ih78E8nZVrmF7A0yi iJtLrBrdIs5mUvhTXhKDTVZc6Hjd75tc1DAArN5kM6PBu8c64fMkfZGYbHeJBU+TxEYY fWxjRG6iMyZcWlTYE4SPcVDKKoKFzVifAh5Fqup1UG5WwqlmcsKtzcdE238ICl2PPk8a VBzRwJMazyVfxTh16HmKRBWWZODSa0n/Upz4gzDbfgONZk201Vob1+hH7Y7jXnfjS/wT DCmPD7nlA9QmL101KCwBCJki95Uj2/y9FV7sZWm+2USL5w6dIiKiYcyDfZCLFjJ9YNWc Vt0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:from:to:references:in-reply-to :content-transfer-encoding; bh=DlkaYz2UNF1ZxUikuV1MxFU4poxUEXnW3RjXvgX2lMY=; b=6FPJbk2rHGje/b/+vGSb+OZ+kSC9EgHYSwtOb4c5RIFGGVKNeQA5Ji1c5Gb0Mk8Uie FHgC1/EliA7obzOOd46O7UcfX3U1zaG8lx2KtWLRejZ+gp0kPIhhFgiZiKSHza1S3AxR xGlneXZBLHsh0yeIfqCVquOOuQtPwr2Eld5LrM/LMfQ0xHcyP8uGPaMeXE1uJOfbyubK wzBzYngaAVcsk8o+wMDyua3WX+YV7NnPh8Q9FcUVGdMf+3bTbMuOy/ho4WKaR2OunZ6A d1a0vNGAugbq3+M3pF66Q8EIVMtWL4AxDFOHfNuEE+rROg84mwRXx3MLdhpQ+Rxjn5Rp n0nw==
X-Gm-Message-State: AOAM5322R2K2OnB4352ulHq4+wBc8V8PTHXCndaa6q/GSQhxz9Evw50F r9Wksb8mfVcaRYBpac7vTcx0b5msdT0=
X-Google-Smtp-Source: ABdhPJzYPSS+5OkdauhSaXkhvOs8HrGrsY1HG0e0c4FnSLFb65x+ymxai/YHF2BWOciQQtbhOd4Vug==
X-Received: by 2002:ad4:5c8f:: with SMTP id o15mr17528152qvh.59.1643124719815; Tue, 25 Jan 2022 07:31:59 -0800 (PST)
Received: from ?IPV6:2607:fea8:8a0:1397:c8e2:1d49:bb0b:1730? ([2607:fea8:8a0:1397:c8e2:1d49:bb0b:1730]) by smtp.gmail.com with ESMTPSA id h21sm9009016qth.16.2022.01.25.07.31.59 for <lake@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 25 Jan 2022 07:31:59 -0800 (PST)
Message-ID: <1ff746ee-7c16-4d72-8588-7b5274755342@gmail.com>
Date: Tue, 25 Jan 2022 10:31:57 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
From: Rene Struik <rstruik.ext@gmail.com>
To: lake@ietf.org
References: <F2A9BC47-A179-43CF-BA02-18BCBD83FF2C@inria.fr> <487f30c8-392e-d2ae-1c6b-72e254c2b607@gmail.com> <a2dd61ce-c562-6783-3a58-3fc0cd148844@gmail.com>
In-Reply-To: <a2dd61ce-c562-6783-3a58-3fc0cd148844@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/rux4wL2SrV70YH_Wo2u7_EUjCJ0>
Subject: [Lake] (+ref [1] now) Re: Ways forward on MTI cipher suite text (was: Re: Ambiguous text on Mandatory to Implement suite)
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jan 2022 15:32:07 -0000
Ref [1] fell off my email; my apologies. This is https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/ On 2022-01-25 10:19 a.m., Rene Struik wrote: > Dear colleagues: > > I would like to come back to my earlier email of Dec 16, 2021, in > which I suggested that EdDSA is insecure in the environments this WG > targets. > > Implementation security concerns related to deterministic discrete-log > signature schemes (such as EdDSA [RFC8032] and det-ECDSA [RFC 6979]) > are reasonably summarized in [1], as mentioned in my Dec 16, 2021 note > (and had been known well before RFC8032 came to be!). Here, a > single-fault attack on EdDSA, where the same message is signed twice > and where a computational error is caused during the second signing > operation, would often suffice to be able to reconstruct the entire > private signing key (essentially by solving a system of two linear > equations in two variables, which are trivial to compute efficiently). > With IoT-style devices, such errors can be quite easily created (via > so-called glitches). Moreover, these errors can be created in such a > way that, even if one were to only release a signature that was just > produced after first checking this via ordinary signature verification > (at ~3x the signing cost)), this would still not help: the attack can > be tweaked to foil this countermeasure. The culprit here is the > determinism in the signing operation. There are non-fault attacks as > well, but single-fault attacks are the most lethal, since do not > require any SCA-attack expertise except putting a computational error > spoke in the wheel. > > While most fault attacks described in the literature assume physical > access to the device, some can be carried out remotely (e.g., > spin-offs of the so-called Rowhammer attack). Most attacks are > non-destructive, i.e., can be carried out without destroying the > device at all: in other words, equipment users would not necessarily > notice. > > It will carry too far to try and summarize implementation security > research to-date (I have 500+ papers on the topic on my machine), but > the message should be clear: one should not ignore this issue. > > In my mind, the Lake WG cannot really use Ed25519 as is and can either > abandon any CFRG curve (i.e., use P-256 and ECDSA w/P-256/SHA-256), > use Wei25519 and ECDSA25519 (i.e., still have the speedier Curve25519 > under the hood, but use ECDSA instead of Ed25519), or fix the > specification of Ed25519 with CFRG and, after reviewing whether this > is a real fix and getting this sealed, still consider Ed25519. To me, > it is puzzling that the last option was not taken for over two years > now, so - right now - the path of least resistance is either going for > slower NISTp curves or for ECDSA25519. > > I do realize that some people have a strong desire to use Ed25519 no > matter what. This is fine, except the "no matter what": if so, stop > pretending, roll up your sleeves and solve security issues that have > been known for over 5 years by now. > > Best regards, Rene > > On 2021-12-16 10:23 a.m., Rene Struik wrote: >> Hi Malisa: >> >> If one has to implement both Suites #0 and #2, one has to implement >> both SHA-512 and SHA-256 (since EdDSA uses SHA-512 under the hood). >> >> I still do believe EdDSA is insecure in the environments this WG is >> targeting and should be ditched. How can one still possibly defend >> including a deterministic signature scheme in a specification that >> clearly contravenes the stability and side-channel resistance >> stipulations for MTI algorithms of BCP 201/RFC 7696, despite dozens >> of publications about trivial implementation attacks? Please also see >> my email of a year ago, Dec 18, 2020, on Guidance on MTI algorithms >> [1]. >> >> It is too bad that nobody ever pursued attempts to rectify this (such >> as in >> https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/, >> originally suggested two years ago, on Dec 17, 2019). Pretending that >> the issue is going away is without action is, however, not credible. >> {Of course, one could still try and stick an RFC 8032 label on >> something that isn't, but I wonder whether IETF would then devalue to >> simply a marketing label issuing body, where an external shadow spec >> would have to redefine things to make specs work. } >> >> Currently, the only secure signature scheme that uses Curve25519 >> under the hood is ECDSA25519, as specified in the lwig curve document >> [2]. This scheme also uses SHA256 as hash function, thereby obviating >> the need to implement two hash functions if one were to have to >> implement both the "NIST" suite and another one. >> >> Side question: whatever happened with the suggestion in John >> Mattson's Feb 11, 2021 email re including ECDSA25519 in the formal >> analysis [3]? >> >> Ref: >> [1]https://mailarchive.ietf.org/arch/msg/lake/_sy7LSHk8idGAV_408JQOafi6LQ/ >> >> [2] >> https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-22#section-4.3 >> [3] >> https://mailarchive.ietf.org/arch/msg/lake/UYaV56yxz_zUWOqU32SoVozSw4I/ >> >> >> On 2021-12-16 4:19 a.m., Mališa Vučinić wrote: >>> All, >>> >>> (chair hat off) >>> >>> As discussed during the interim yesterday, the current text in -12 >>> on MTI requirements (Section 7) reads as follows: >>> >>>> For many constrained IoT devices it is problematic to support more >>>> than one cipher suite. Existing devices can be expected to >>>> support >>>> either ECDSA or EdDSA. To enable as much interoperability as >>>> we can >>>> reasonably achieve, less constrained devices SHOULD implement both >>>> cipher suite 0 (AES-CCM-16-64-128, SHA-256, 8, X25519, EdDSA, AES- >>>> CCM-16-64-128, SHA-256) and cipher suite 2 (AES-CCM-16-64-128, >>>> SHA- >>>> 256, 8, P-256, ES256, AES-CCM-16-64-128, SHA-256). Constrained >>>> endpoints SHOULD implement cipher suite 0 or cipher suite 2. >>>> Implementations only need to implement the algorithms needed for >>>> their supported methods. >>> I see two issues here: 1) imprecise language; 2) normative text that >>> implies interoperability only in case when both peers implement both >>> suites 0 and 2. >>> >>> When it comes to the devices and their capabilities, we have so far >>> been using the precisely defined terms from RFC 7228. This is not >>> the case here and we use terms such as “less constrained devices”, >>> “constrained endpoints”. This is all very confusing. Why endpoint >>> and not device? What does “less constrained device” actually mean in >>> terms of RFC 7228? >>> >>> Assuming that the “constrained endpoint” is a typo and instead means >>> “constrained device”, the normative statement in this text, i.e. >>> implementing 0 OR 2, implies that we can achieve interoperability >>> only in the case when both peers implement both 0 and 2 cipher >>> suites. Requiring the implementation of two cipher suites on each >>> device to achieve interoperability is far from the lightweight >>> aspect of LAKE, so I would like to hear what are the working group’s >>> thoughts on this. >>> >>> Mališa >>> >> > -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
- [Lake] Ambiguous text on Mandatory to Implement s… Mališa Vučinić
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Göran Selander
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Blumenthal, Uri - 0553 - MITLL
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Mališa Vučinić
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Rene Struik
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Mališa Vučinić
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Blumenthal, Uri - 0553 - MITLL
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Carsten Bormann
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Michael Richardson
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Blumenthal, Uri - 0553 - MITLL
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Carsten Bormann
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Michael Richardson
- Re: [Lake] Ambiguous text on Mandatory to Impleme… John Mattsson
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Blumenthal, Uri - 0553 - MITLL
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Peter.Blomqvist
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Michael Richardson
- Re: [Lake] Ambiguous text on Mandatory to Impleme… Blumenthal, Uri - 0553 - MITLL
- Re: [Lake] Ways forward on MTI cipher suite text … Rene Struik
- [Lake] (+ref [1] now) Re: Ways forward on MTI cip… Rene Struik
- Re: [Lake] (+ref [1] now) Re: Ways forward on MTI… Rene Struik