Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
Daniel Van Geest <Daniel.VanGeest@isara.com> Sun, 17 March 2019 06:47 UTC
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07E9C128661; Sat, 16 Mar 2019 23:47:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BzAiZ1nbvLpr; Sat, 16 Mar 2019 23:47:04 -0700 (PDT)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1041612796D; Sat, 16 Mar 2019 23:47:03 -0700 (PDT)
Received: from unknown (HELO V0501WEXGPR01.isaracorp.com) ([10.5.8.20]) by ip2.isaracorp.com with ESMTP; 17 Mar 2019 06:47:03 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Sun, 17 Mar 2019 02:47:02 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Sun, 17 Mar 2019 02:47:02 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Russ Housley <housley@vigilsec.com>
CC: Jim Schaad <ietf@augustcellars.com>, "draft-ietf-lamps-cms-hash-sig@ietf.org" <draft-ietf-lamps-cms-hash-sig@ietf.org>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] Question on draft-ietf-lamps-cms-hash-sig
Thread-Index: AdTalFpsRD6NOLyJSie3veGv+fJZHgA0TvYAAEMkC4AABsTm2w==
Date: Sun, 17 Mar 2019 06:47:02 +0000
Message-ID: <ae8la1do9rokcauh3e6bjbp4.1552805213981@isara.com>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com>, <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com>
In-Reply-To: <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com>
Accept-Language: en-CA, en-US
Content-Language: en-CA
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_ae8la1do9rokcauh3e6bjbp41552805213981isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/A1esVw2BV5opthOF2V0MZXTmfjM>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2019 06:47:07 -0000
That would simplify things, and despite the collision resistance reduction, should be "good enough" against a quantum attacker due to properties of Grover's algorithms like parallallizing poorly. I think we may still mention things like this in the security considerations of the x509-hash-sigs draft despite no longer proposing pre-hashed OIDs. Daniel From: housley@vigilsec.com Sent: March 17, 2019 12:33 AM To: Daniel.VanGeest@isara.com Cc: ietf@augustcellars.com; draft-ietf-lamps-cms-hash-sig@ietf.org; spasm@ietf.org Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig Daniel: I believe that Jim is arguing that the same hash function should always be used for both the content and the HSS/LMS tree, Russ On Mar 15, 2019, at 3:30 PM, Daniel Van Geest <Daniel.VanGeest@isara.com<mailto:Daniel.VanGeest@isara.com>> wrote: My thoughts, On 2019-03-14, 2:39 PM, "Spasm on behalf of Jim Schaad" <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org> on behalf of ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote: I was tossing together some code to look at producing some samples and I ended up with a pair of questions: 1. If I have a hash signature tree which uses multiple different hash algorithms in it, which of those hash algorithms am I to placed in the digestAlgorithm field? For example, suppose that I am using an LMS type with a hash of SHAKE128 and an LMOTS type with a hash of SHA256. Or as a different example, suppose that I have a two deep tree and the top level uses SHA512 in both places but the next level down uses SHAH256 in both places? RFC 5652 section 5.3 defines the digestAlgorithm member of SignerInfo as: digestAlgorithm identifies the message digest algorithm, and any associated parameters, used by the signer. The message digest is computed on either the content being signed or the content together with the signed attributes using the process described in Section 5.4. In HSS, the hash algorithm used to digest the content is the one in the LMOTS type of the bottom-most tree. The other hash algorithms are used to hash within the Merkle tree, or to hash the LMS public key of a lower tree. So in both your examples the answer would be SHA256. 2. If there are signed attributes present, then it t required that the body digest algorithm match that of the hash signature tree or can it be different. If it is different, is that not the value that should be placed in the digestAlgorithm field? Consider digesting the body with SHA512, but only using SHA256 in the hash function on the assumption that the random field in the signing operation provides a higher level of security and thus a weak attempt is being made to match them together. (I am sure that this is not the correct pairing for matching, just demonstrating a point.) cms-hash-sigs says: digestAlgorithm MUST contain the one-way hash function used to in the HSS/LMS tree. This statement plus the one I quoted from RFC 5652 would imply that the body digest algorithm must match that of the HSS algorithm. However, you are correct that the random field added during signing increases the collision resistance of the signature and so using the same algorithm to create the message-digest attribute in the signed attributes would reduce the collision resistance of the system. If you wanted to allow a different hash algorithm in the signed attributes message digest, I think cms-hash-sigs would need to be modified to further specify signed-data conventions with/without signed attributes, similar to RFC 8419. Daniel Jim _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm
- [lamps] Question on draft-ietf-lamps-cms-hash-sig Jim Schaad
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Daniel Van Geest
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Russ Housley
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Daniel Van Geest
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Jim Schaad
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Daniel Van Geest
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Scott Fluhrer (sfluhrer)
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Jim Schaad
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Scott Fluhrer (sfluhrer)
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Jim Schaad
- Re: [lamps] Question on draft-ietf-lamps-cms-hash… Jim Schaad