[openpgp] Re: pure vs. pre-hash in FIPS 204 and 205
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 29 August 2024 18:19 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A63DCC14CEE4 for <openpgp@ietfa.amsl.com>; Thu, 29 Aug 2024 11:19:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.654
X-Spam-Level:
X-Spam-Status: No, score=-6.654 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aA2C3_pOapDV for <openpgp@ietfa.amsl.com>; Thu, 29 Aug 2024 11:19:07 -0700 (PDT)
Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 091D7C14F6BB for <openpgp@ietf.org>; Thu, 29 Aug 2024 11:19:06 -0700 (PDT)
Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-2d3eda6603cso736876a91.3 for <openpgp@ietf.org>; Thu, 29 Aug 2024 11:19:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724955546; x=1725560346; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tWPD5cKRLmnyPSuSLZAyApdk11fZUSYBz4T0Q6YJr/w=; b=GyzwD5QdBCgJRQtY7DZsaorG6MELtiRk/TL35s/aY/5gQ09CU9mxpwupdTFFS/00S4 mFysu7NS40mDX/at9Gap4/QCa276wrg8Bvu5otviSKSIOtpzbizI9AeafxRaXOVlchu5 7gkDE59xHyCZRXS+svBvtgcrYjj1MxlhlmP0vuRLWpdYgV37/xTApV53qEgiAxC+epdg 9RdXaR0o+ZG2fE069PF8+YF5mrzBk3skbMy7e1sdj6Kpe9uwpv4rAmb83ZdJj6FOi7i9 H8iyDvdKw0OnWkFZdwUC/+01yJ8JaA7ZFCfqsYJ3dJ1Neh+Pw2rzPBLeF7x5ZmJY0dWg LaOg==
X-Forwarded-Encrypted: i=1; AJvYcCUtzI7huUUfY4EM02RKp9SJJk68juAG/ZtE3iPIVnI4gJWLfgrZJtwBKCMyxJx2GGqTaSW8iwFH@ietf.org
X-Gm-Message-State: AOJu0YyRKCMfJf/a7A3PDsuVMAd8O9ySFBm25MRj/60HpmRUM6aTannA q9LEFsbRy8nf0mvyeJN1IeZ5P6AuCzXY/QG3e7CxCWQHEwpUDQeToSqGVSRVlnh9h2iDwQBsle2 e5EGWiMV/dKgfzNHsA2XI5K0ivKU=
X-Google-Smtp-Source: AGHT+IHyYFm35ZzRqcJXlsx0y5CuXMG/4nLmodCvluleABo9wyj7wGrFeDWMCsPHa+5jmLTP0sewLKSxvLfAO66Qb3g=
X-Received: by 2002:a17:90b:224e:b0:2cb:55f9:b7c5 with SMTP id 98e67ed59e1d1-2d8561a1482mr3952911a91.12.1724955546214; Thu, 29 Aug 2024 11:19:06 -0700 (PDT)
MIME-Version: 1.0
References: <fb9f748b-2024-4de1-849a-e52880c9a241@mtg.de> <CAMm+Lwh-9yuEs7BYpsA-k9bKWZT8v7ws8BPMdtECj+DgOG6syw@mail.gmail.com> <2027BD57-D6E2-400B-9AA3-8E444FE5372A@andrewg.com>
In-Reply-To: <2027BD57-D6E2-400B-9AA3-8E444FE5372A@andrewg.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 29 Aug 2024 14:18:53 -0400
Message-ID: <CAMm+Lwg-n8EUkb1feKUYHd1RQx6y4149LsZMg8f3eNzQqO4j+w@mail.gmail.com>
To: Andrew Gallagher <andrewg@andrewg.com>
Content-Type: multipart/alternative; boundary="00000000000095ebcb0620d682ba"
Message-ID-Hash: CSZNDVBRUZPNFAYFODEKRIEQC6GAJKER
X-Message-ID-Hash: CSZNDVBRUZPNFAYFODEKRIEQC6GAJKER
X-MailFrom: hallam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Falko Strenzke <falko.strenzke@mtg.de>, "openpgp@ietf.org" <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: pure vs. pre-hash in FIPS 204 and 205
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Rdr49uzrpd4PJB1PaX25KF26lf4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
On Thu, Aug 29, 2024 at 1:46 PM Andrew Gallagher <andrewg@andrewg.com> wrote: > On 29 Aug 2024, at 17:21, Phillip Hallam-Baker <phill@hallambaker.com> > wrote: > > > I am also committed to hash-then-encrypt. It is the structure we adopted > long ago and I don't see a good argument for changing. If we have a 1TB Zip > file and it already has a SHA-2-512 digest in the checksum, we want to use > that, not compile another digest. And I think we should use the same > approach for certificates and assertions. > > > I don’t understand this. Do you mean hash-then-sign? And if so, I’m not > sure how a zipfile checksum is relevant…? > Hash then sign. If you sign the zipfile... The manifest approach is actually superior though. Especially for OpenPGP > because we should be signing the content metadata and not just the content. > A semantic substitution attack is a much bigger threat than digest. > Constructing a digest is very hard, constructing a PDF that reads as a > legitimate JPEG is just hard and I can't remember which flip they did but I > am pretty sure I remember an attack of that type. > > > IMO if we want to sign content metadata in a standardised way it should be > done at the OpenPGP layer, via e.g. signature subpackets as we have > discussed previously. This way, it is handled independently of the > underlying signature algorithms. I don’t think combining these two problems > makes either one easier to solve. > If you only want to do ML-DSA, then just use Prehash and make sure you can translate from the OpenPGP identifier to the OID. Which really isn't a huge issue as you already have to do that for RSA. The manifests issue comes up because we whiffed on Ed25519 and Ed448 and the pre-hash version doesn't let you pick the digest which really doesn't fit the hash then sign architecture in OpenPGP. T 8032 tells us: Ed448 is 2. Compute SHAKE256(dom4(F, C) || prefix || PH(M), 114), where M is the message to be signed, F is 1 for Ed448ph, 0 for Ed448, and C is the context to use. Interpret the 114-octet digest as a little-endian integer r. where for pure: PH(x) | x (i.e., the identity function) and for pre Ed448ph is the same but with PH being SHAKE256(x, 64) and phflag being 1, i.e., the input is hashed before signing with Ed448 with a hash constant modified. The problem is that when we were designing this, the requirement for 'prehash' was interpreted being you could use the digest algorithm the spec told you to use to prehash the content so you didn't have to send 3MB of data to an HSM. The real requirement for a prehash is you have to be able to sign a digest that has been precomputed for you using the algorithm they chose. The reason we got here is that we were following DSA which if you recall was welded to SHA-1 in a fundamental fashion. But that didn't really end up kicking us because SHA-1 was our favorite hash algorithm at the time and we stopped using DSA because the keys were too small before we found out about SHA-1. So we don't need to define manifests for ML-DSA, just use Prehash and specify the OID of the algorithm you used to prevent the downgrade attack, it is what it is designed for. We do need to fix Ed25519 and Ed448 for any application that allows use of any algorithm other than SHA-2-152 for Ed25519 or SHAKE for Ed448 unless they already use a manifest to perform digest binding. Simplest distance between the two points is to use the Context input to specify e.g. "OpenPGP v4.2 with SHA-3-512".
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Justus Winter
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Phillip Hallam-Baker
- [openpgp] pure vs. pre-hash in FIPS 204 and 205 Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Justus Winter
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Akhil CM
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Phillip Hallam-Baker
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Phillip Hallam-Baker
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Phillip Hallam-Baker
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce