Re: [secdir] [Curdle] 答复: Secdir review of draft-ietf-curdle-cms-eddsa-signatures-06

Russ Housley <housley@vigilsec.com> Thu, 27 July 2017 17:18 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B386C131D10 for <secdir@ietfa.amsl.com>; Thu, 27 Jul 2017 10:18:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fd6SE1DGds85 for <secdir@ietfa.amsl.com>; Thu, 27 Jul 2017 10:18:42 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CAFB131D0E for <secdir@ietf.org>; Thu, 27 Jul 2017 10:18:42 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 51F8C30056C for <secdir@ietf.org>; Thu, 27 Jul 2017 13:13:42 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id YLJ8g87u8TQw for <secdir@ietf.org>; Thu, 27 Jul 2017 13:13:41 -0400 (EDT)
Received: from a860b60074bd.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id CDED5300429; Thu, 27 Jul 2017 13:13:40 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <879E76B64CF340468BF5E4DE504C22420160BC01@dggemi501-mbs.china.huawei.com>
Date: Thu, 27 Jul 2017 13:13:40 -0400
Cc: curdle <curdle@ietf.org>, IESG <iesg@ietf.org>, IETF SecDir <secdir@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E8D09FCA-3556-4735-B565-42ACC0F8E6C2@vigilsec.com>
References: <879E76B64CF340468BF5E4DE504C22420160B1FA@dggemi501-mbs.china.huawei.com> <CE259DDD-44B7-4B48-950A-A43D3FDDABF5@vigilsec.com> <879E76B64CF340468BF5E4DE504C22420160BC01@dggemi501-mbs.china.huawei.com>
To: zhangdacheng <dacheng.zhang@huawei.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/FIm8MqdrQSOwXAsRkfJ27VFUF2k>
Subject: Re: [secdir] =?utf-8?b?W0N1cmRsZV0g562U5aSNOiBTZWNkaXIgcmV2aWV3IG9m?= =?utf-8?q?_draft-ietf-curdle-cms-eddsa-signatures-06?=
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jul 2017 17:18:44 -0000

Dacheng:

Trimming the parts where we have reached agreement...

>> 2. In the 4th paragraph of security considerations, ' the same private key SHOULD NOT be used with more than one EdDSA set of parameters.' -> ' the same private key MUST NOT be used with more than one EdDSA set of parameters.' Since we already know that the same private key used for multiple algorithms will cause potential risks, we should use a stronger word here.
> 
> I do not think that there is a problem with using the same private key with PureEdDSA and HashEdDSA.  The prudent advice is to avoid mixing the same private key with different parameter, thus the SHOULD NOT.  I point out that RFC 8032 goes even further:
> 
>   ... Thus, one can use the same
>   key pair for Ed25519, Ed25519ctx, and Ed25519ph and correspondingly
>   with Ed448 and Ed448ph.
> 
> Dacheng: Ok, I see your point. Then, I think it will be good to make some clarification here since the first sentence of this paragraph strongly argues that ' Using the same private key for different algorithms has the potential of allowing an attacker to get extra information about the private key.' Maybe we can change the second sentence to something like ' For this reason, the same private key SHOULD NOT be used with more than one EdDSA set of parameters, although people believe that no security issue will be caused when using the same private key with PureEdDSA and HashEdDSA [RFC8032]. '

How about:

Using the same private key with different algorithms has the potential
to leak extra information about the private key to an attacker.  For
this reason, the same private key SHOULD NOT be used with more than one
set of EdDSA parameters, although people believe that there are no
security concerns when using the same private key with PureEdDSA and
HashEdDSA [EDDSA].

Russ