IETF Logo Mail Archive

Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

Jim Schaad <ietf@augustcellars.com> Sun, 17 March 2019 11:39 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E716D127978; Sun, 17 Mar 2019 04:39:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZpn3J1K9py2; Sun, 17 Mar 2019 04:39:44 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B77D51275E9; Sun, 17 Mar 2019 04:39:43 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 17 Mar 2019 04:39:15 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>, 'Daniel Van Geest' <Daniel.VanGeest@isara.com>
CC: draft-ietf-lamps-cms-hash-sig@ietf.org, 'SPASM' <spasm@ietf.org>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com> <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com>
In-Reply-To: <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com>
Date: Sun, 17 Mar 2019 04:39:13 -0700
Message-ID: <000101d4dcb6$0d34cdf0$279e69d0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0002_01D4DC7B.60D72E70"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEM1Y28iLV3mVbkBi2mvYQFmQFueAGxOkwAAaZQ9VSnhPwcQA==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Kzo7Q54Gs0LNvRDsUbdUb0zLxEY>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2019 11:39:47 -0000

I don't know what Jim is arguing.  I think that I am trying to say that
there may be some language that is not clear at some point in the future
although it is perfectly fine today (mostly).  I do not remember ever seeing
any language in any of the hash signature documents that say that the same
hash function should be used from top to bottom.  I also think that there
will be some push in the not so near future to have some other hash
functions be permitted because of things like the better efficiency of
SHA-512 in many cases or the move to SHAKE as a different hash function.  I
worry that this means that the same hash function may not be used from top
to bottom in a hash signature key.  I also worry that my current code base
does not have any way to get the parameters for the bottom of the tree and
the same thing may be true for an HSM.  The top algorithms can be retrieved
from the public key, but not the bottom algorithms.

 

Jim

 

 

From: Russ Housley <housley@vigilsec.com> 
Sent: Saturday, March 16, 2019 4:33 PM
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
Cc: Jim Schaad <ietf@augustcellars.com>;
draft-ietf-lamps-cms-hash-sig@ietf.org; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

 

Daniel:

 

I believe that Jim is arguing that the same hash function should always be
used for both the content and the HSS/LMS tree,

 

Russ

 





On Mar 15, 2019, at 3:30 PM, Daniel Van Geest <Daniel.VanGeest@isara.com
<mailto:Daniel.VanGeest@isara.com> > wrote:

 

My thoughts,

 

On 2019-03-14, 2:39 PM, "Spasm on behalf of Jim Schaad" <
<mailto:spasm-bounces@ietf.org> spasm-bounces@ietf.org on behalf of
<mailto:ietf@augustcellars.com> ietf@augustcellars.com> wrote:

 

I was tossing together some code to look at producing some samples and I

ended up with a pair of questions:

 

1.  If I have a hash signature tree which uses multiple different hash

algorithms in it, which of those hash algorithms am I to placed in the

digestAlgorithm field?  For example, suppose that I am using an LMS type

with a hash of SHAKE128 and an LMOTS type with a hash of SHA256.  Or as a

different example, suppose that I have a two deep tree and the top level

uses SHA512 in both places but the next level down uses SHAH256 in both

places?  

 

RFC 5652 section 5.3 defines the digestAlgorithm member of SignerInfo as:

      digestAlgorithm identifies the message digest algorithm, and any

      associated parameters, used by the signer.  The message digest is

      computed on either the content being signed or the content

      together with the signed attributes using the process described in

      Section 5.4.

 

In HSS, the hash algorithm used to digest the content is the one in the
LMOTS type of the bottom-most tree.  The other hash algorithms are used to
hash within the Merkle tree, or to hash the LMS public key of a lower tree.
So in both your examples the answer would be SHA256.

 

2.  If there are signed attributes present, then it t required that the body

digest algorithm match that of the hash signature tree or can it be

different.  If it is different, is that not the value that should be placed

in the digestAlgorithm field?  Consider digesting the body with SHA512, but

only using SHA256 in the hash function on the assumption that the random

field in the signing operation provides a higher level of security and thus

a weak attempt is being made to match them together.  (I am sure that this

is not the correct pairing for matching, just demonstrating a point.)

 

cms-hash-sigs says:

      digestAlgorithm MUST contain the one-way hash function used to in

         the HSS/LMS tree.

This statement plus the one I quoted from RFC 5652 would imply that the body
digest algorithm must match that of the HSS algorithm.

 

However, you are correct that the random field added during signing
increases the collision resistance of the signature and so using the same
algorithm to create the message-digest attribute in the signed attributes
would reduce the collision resistance of the system.  If you wanted to allow
a different hash algorithm in the signed attributes message digest, I think
cms-hash-sigs would need to be modified to further specify signed-data
conventions with/without signed attributes, similar to RFC 8419.

 

Daniel

 

Jim

 

 

_______________________________________________

Spasm mailing list

 <mailto:Spasm@ietf.org> Spasm@ietf.org

 <https://www.ietf.org/mailman/listinfo/spasm>
https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email