Re: [pkix] Question about Curve P-192

Michael StJohns <msj@nthpermutation.com> Fri, 11 May 2018 04:52 UTC

Actually see RFC5480.  It describes a set of suggested pairings of
signature strengths and hashes and includes recommendations for P-192.

Re Russ’s comment, the ECDSAWithShaxxx identifiers can be used with any
curve (but follow the 5480 and other similar document pairing
recommendations), so it’s not exactly correct that there are no algorithm
identifiers.

Lastly, AFAICT NIST didn’t originally define the P192 curve - it just
incorporated a previously defined curve in a set of acceptable parameters
when it was NISTifying EC cryptography.

Mike

On Thu, May 10, 2018 at 17:47 Denis <denis.ietf@free.fr> wrote:

> Hi Ernst, Russ and Dan,
>
> Thank you for your replies. This is what I feared: there is no
> cryptographic suite defined for P-192.
> Quite strange that NIST defined the algorithm and didn't define a hash
> function to go with it.
>
> Key sizes need to be appreciated relative to the environment where they
> are used.
>
> P-192 would be used in a constrained environment where the size of the
> digital signature matters (i.e. the smaller, the better).
>
> The verification of the digital signature would be real time. The private
> key should resist one year, because it would be changed every year.
>
> P-192 seems to be a good trade-off between the security level and the size
> of the digital signature.
>
> A SHA-192 function has been defined in a paper available at:
> http://www.ijctee.org/files/VOLUME2ISSUE3/IJCTEE_0612_24.pdf.
> The title of this paper is : Performance Analysis of SHA Algorithms (SHA-1
> and SHA-192): A Review
> However, I don't believe that any crypto-library supports it.
>
> So Ernst's method would certainly be one way to do it, but why not take
> the 192 low bits ?
>
> The last question would be for Ernst who wrote:
>
> The corresponding signature suite can be defined with ISO 14888-3, which
> allows the specification of the algo (e.g. EC-DSA, EC-KCDSA or whatsoever),
> the curve and the hash function.
>
> What would be the OID or the URI for this suite, if we take the 192 left
> bits? Same question if we take the 192 low bits?
>
>
> Denis
>
> Hi Denis,
>
>
>
> Please, do not use P-192, unless there are some severe constraints.
>
>
>
> Even if you credit EC with a very generous 16 extra bits in security
> (compared to hashes & ciphers), P-192 would only reach 96+16=112-bit
> security, which does not meet the current best practice of 128 bit security.
>
>
>
> History as I understand it: NIST P-192 was meant for the 80-bit level
> (though it looks like 96-bit). This low security level has been widely
> deprecated since 2010, at least informally - to what extent it is formally
> deprecated, I don’t recall off-hand. I recall added text to ANSI X9.62/63
> deprecating this security level.
>
> Anyway, originally, the idea was to use P-192 with SHA-1, P-224 with
> SHA-224, etc.
>
> I think that there were also OIDs for P-192, e.g. secp192k1, and OIDs for
> ECDSA-with-SHA1, which could be combined in some ways.  I do not recall how
> far these OIDs made it into IETF, i.e. as algorithm identifiers.
>
> Using a 160-bit hash in ECDSA with P-192 renders the EU-CMA security to 80
> bits, which is a waste considering that P-192 potentially provides 96-bit
> security.  As noted in the thread below, the standards have options to
> truncate a longer hash, which should correct this.
>
>
>
> Arguably, the security of P-192 has fared far better than SHA-1 in some
> ways, yet SHA-1 is probably much more widely used than P-192, though
> admittedly hashes are considered a general purpose tool.
>
>
>
> Best regards,
>
> Dan
>
>
>
>
>
> *From:* pkix [mailto:pkix-bounces@ietf.org] *On Behalf Of* Russ Housley
> *Sent:* Thursday, May 10, 2018 1:30 PM
> *To:* Ernst G Giessmann <giessman@informatik.hu-berlin.de>
> *Cc:* IETF PKIX <pkix@ietf.org>
> *Subject:* Re: [pkix] Question about Curve P-192
>
>
>
> Ernst:
>
>
>
> Of course, this technique works.  That said, I am not aware of any
> algorithm identifiers that make use of the P-192 curve for digital
> signature or key agreement.
>
>
>
> Russ
>
>
>
>
>
> On May 10, 2018, at 1:24 PM, Ernst G Giessmann
> <giessman@informatik.hu-berlin.de> wrote:
>
>
>
> Yes, there is a standardized way:
> Pick up a corresponding hash function, in case of P-192 it should be
> SHA-224 and take the 192 leftmost bits of the hash value as the input to
> the EC sign primitive.
> The corresponding signature suite can be defined with ISO 14888-3, which
> allows the specification of the algo (e.g. EC-DSA, EC-KCDSA or whatsoever),
> the curve and the hash function.
> Kind regards,
> /Ernst.
>
> On 2018-05-10 at 19:07, Denis wrote:
>
> Hello everybody,
>
> Curve P-192 is specified in FIPS PUB 186-4 (Digital Signature Standard
> (DSS)).
>
> There is no "SHA-192" hash function defined in FIPS PUB 180-4 (Secure Hash
> Standard (SHS)).
>
> Is there any standardized way to use a hash function with Curve P-192?
>
> Is there any RFC or any other document that specifies a cryptographic
> suite for Curve P-192?
>
> Denis
>
>
>
>
>
>
>
> _______________________________________________
>
> pkix mailing list
>
> pkix@ietf.org
>
> https://www.ietf.org/mailman/listinfo/pkix
>