IETF Logo Mail Archive

Re: [pkix] Edwards/DJB curves - New PKI(X) work?

Michael StJohns <mstjohns@comcast.net> Sun, 17 August 2014 03:16 UTC

Return-Path: <mstjohns@comcast.net>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C55BF1A068E for <pkix@ietfa.amsl.com>; Sat, 16 Aug 2014 20:16:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.171
X-Spam-Level:
X-Spam-Status: No, score=-2.171 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MISSING_MID=0.497, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PFBcYMmsnPI5 for <pkix@ietfa.amsl.com>; Sat, 16 Aug 2014 20:16:20 -0700 (PDT)
Received: from qmta03.emeryville.ca.mail.comcast.net (qmta03.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:43:76:96:30:32]) by ietfa.amsl.com (Postfix) with ESMTP id C98EE1A0690 for <pkix@ietf.org>; Sat, 16 Aug 2014 20:16:20 -0700 (PDT)
Received: from omta12.emeryville.ca.mail.comcast.net ([76.96.30.44]) by qmta03.emeryville.ca.mail.comcast.net with comcast id ffFk1o0010x6nqcA3fGLEJ; Sun, 17 Aug 2014 03:16:20 +0000
Received: from Mike-T530ssd.comcast.net ([68.34.113.195]) by omta12.emeryville.ca.mail.comcast.net with comcast id ffGJ1o00F4D0RQL8YfGK1P; Sun, 17 Aug 2014 03:16:20 +0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Sat, 16 Aug 2014 23:16:24 -0400
To: Johannes Merkle <johannes.merkle@secunet.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, pkix@ietf.org
From: Michael StJohns <mstjohns@comcast.net>
In-Reply-To: <53EDB8F3.3020400@secunet.com>
References: <53EC3F1F.6090706@gmail.com> <53EC9E72.8030701@bbn.com> <53EC9F34.7090403@gmail.com> <53ECCCE4.2060603@secunet.com> <53ECDE4F.6020009@gmail.com> <53EDB8F3.3020400@secunet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1408245380; bh=KkWvT2Nceun+oNxowoxEPwx9zA61DuLySTXnBtZvnqo=; h=Received:Received:Date:To:From:Subject:Mime-Version:Content-Type; b=HdBsU+XoW7YVHM8f3YhCnL0oIBe9ONeBG9yq2qhtMhBPTHDHOvoAVd/DoiMooNjTL XnFOz1eM2U+JTlekVXnCGvsbNGDR8KivL7PHwSv3rx9wlOv/dmgRkH7YH9aQnye9nB BXA8BHU7Bh6MuVtMQhLWbvt+PHiCvaeSgPTEg495EfIUmnMa1th39mNQn1mjlLgv2W KBivyll/v0owXmsqXjCtfJD/A+IXz6RDP8XXzWTh1zw/vmCq1vhOGBnnwj70D1s99v EB21hl14Z7NExPg23WH6QBURwECwac1m6N/riLbIC5aGOgYPZdOkcjBJ+/Z6j88u2N 0p4qJ7gtZoqQQ==
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/ErfPSKAFQcb2q52HxsjK89tGmaQ
Subject: Re: [pkix] Edwards/DJB curves - New PKI(X) work?
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Aug 2014 03:16:21 -0000
X-Message-ID:
Message-ID: <20140817031624.2266.90204.ARCHIVE@ietfa.amsl.com>

At 03:38 AM 8/15/2014, Johannes Merkle wrote:
>The usage of ECDSA-SHA256 within PKIX is already fully specified in RFC 5758. The curve (more specifically, the elliptic
>curve parameters) are a property of the public key not of the digital signature, DH value or cipher text.
>In order to use other curves, you just need to replace the OID for the named curve which is a parameter of the
>SubjectPublicKeyInfo according to RFC 5480.


If I had to make a guess as to whether this is correct or not I'd say that it mostly isn't.  Starting with PKIX public key representation, the OID for the AlgorithmIdentifier.algorithm type idEcPublicKey specifies how the public key is formatted; the curve OID (included in the parameters field) merely describes the curve parameters by reference.   (Section 2.2 of RFC5480 - but other places as well).  So you can't really reuse that algorithm type identifier.

Then there's the actual verification process.  The code I use for example looks first at the SignatureAlgorithm field of a certificate.  When it sees "SHA256withECDSA",  it instantiates a Signature object of that specific type *before* grabbing the appropriate public key to initialize the verification operation.   In other words, I'm stuck with  FIPS186-3 compliant signature function trying to parse a DJB curve key.

Basically, while you're correct that the key  curve is going to determine how you verify the signature, I would be surprised if any code checks the key curve first as the current understanding is that ECDSA means SECG1/X9.62/NISP FIPS186-3 (which are basically the same math and representations).  

For PKIX at least for signatures you need:

1) An ASN1 public key representation (and the appropriate OID).  Since there's only one DJB curve(?is that correct or are two needed for signature and ecdh?), you could get away with just a new OID for AlgorithmIdentifier.algorithm.
2) The format of the bitstring that represents a signature 
3) One or more signature algorithms (e.g. SHA256withX, SomeOtherHashWithX, etc) and their OIDs.

I think that any attempt to use the current set of EC code points  for DJB curve data is going to lead to really bad interactions with existing code (included but not limited to PKIX, TLS and IPSEC).  Better to assign new code points where necessary.

Later, Mike

v2.23.0 | Report a Bug | By Email