Re: [lamps] AD Review: draft-ietf-lamps-cms-hash-sig-08
Russ Housley <housley@vigilsec.com> Fri, 12 July 2019 19:59 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 398BD120091 for <spasm@ietfa.amsl.com>; Fri, 12 Jul 2019 12:59:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2YDzkIu25BZp for <spasm@ietfa.amsl.com>; Fri, 12 Jul 2019 12:59:48 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 071751200A4 for <spasm@ietf.org>; Fri, 12 Jul 2019 12:59:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id BABB9300AA3 for <spasm@ietf.org>; Fri, 12 Jul 2019 15:40:29 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id X-PQ7Opjh_Js for <spasm@ietf.org>; Fri, 12 Jul 2019 15:40:27 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id 8663630065E; Fri, 12 Jul 2019 15:40:27 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B33CD760@marchand>
Date: Fri, 12 Jul 2019 15:59:44 -0400
Cc: "spasm@ietf.org" <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <AB48616C-F819-486D-AD94-C4EE6EAC621A@vigilsec.com>
References: <359EC4B99E040048A7131E0F4E113AFC01B33CD760@marchand>
To: "Roman D. Danyliw" <rdd@cert.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Tp7XAVOFeUon1OpvX0DQsr2ciKw>
Subject: Re: [lamps] AD Review: draft-ietf-lamps-cms-hash-sig-08
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 19:59:51 -0000
Roman:
Thanks for the careful review. There are a couple of places where I do not understand your comment, but I have implemented the others in my edit buffer. I hope we can sort out the others quickly.
> The following is my AD review of draft-ietf-lamps-cms-hash-sig-08. Given the substance of these comments, it can be handled with IETF LC comments.
>
> (1) Section 1.3. Per the paragraph starting with "Today, RSA is often used to digitally sign software updates", why is this discussion about software updates in this draft? If this is to motivate the weakness of these algorithms? If so, why not also talk certificates? An example using DSS? IMO, this paragraph isn't needed.
This paragraph used to be in the security considerations. It was suggested that the paragraph provides more of a motivation for why someone might want to implement the algorithm, so it was moved here. I would like to keep the linkage for RFC 4108, but the rest of the paragraph can probably go away. I suggest the linkage to RFC 4108 can be added to the 4th paragraph, which would result in:
The HSS/LMS signature algorithm does not depend on the difficulty of
discrete logarithm or factoring, as a result these algorithms are
considered to be post-quantum secure. One use of post-quantum secure
signatures is the protection of software updates, perhaps using the
format described in [FWPROT], to enable deployment of software that
implements new cryptosystems.
> (2) Section 2.2. Per "... a typecode indicating the particular LMS algorithm ...", where is typecode defined?
To make this clear, I suggest adding "As specified in [HASHSIG]," to the front of that paragraph.
> (3) Section 2.3, when describing the components of the LM-OTS signature value, y[] is not explained
To be explicit, I suggest: ... and a sequence of hash values (y[0] through y[p-1]) that correspond to the elements of the public key ...
> (4) Section 5. How is the object identifier should be used for the content-type?
I do not understand this question. None of the object identifiers in this document are used as to identify a content type. There is a signature algorithm identifier and an ASN.1 module identifier. The content type would be set depending on what is being signed. As a result, this algorithm-specific document has nothing to say about content type.
> (5) Editorial matters
>
> ** Abstract. Typo. s/the the/the/
Fixed.
> ** Abstract and Section 1. Expand HSS/LMS on first use
Fixed.
> ** Abstract. Editorial. It seems odd to wait till the third paragraph to explain what is HSS/LMS. Perhaps sentence one should be what is HSS/LMS (sentence 1).
The Abstract is only one paragraph, and the very first sentence does say that HSS/LMS is a hash-based signature algorithm:
This document specifies the conventions for using the the HSS/LMS
hash-based signature algorithm with the Cryptographic Message Syntax
(CMS). In addition, the algorithm identifier and public key syntax
are provided. The HSS/LMS algorithm is one form of hash-based
digital signature; it is described in RFC 8554.
Likewise, as modified by the suggestion above, the first sentence of the Introduction also says that HSS/LMS is a hash-based signature algorithm:
This document specifies the conventions for using the Hierarchical
Signature System (HSS) / Leighton-Micali Signature (LMS) hash-based
signature algorithm with the Cryptographic Message Syntax (CMS) [CMS]
signed-data content type.
> ** Section 1.3. Would this section be better titled as "Motivation"?
Yes, I like that better.
> ** Section 1.3. Editorial (remove colloquialism). s/some researchers/researcher/
Changed.
> ** Section 1.3. FWIW, I didn't find the quote compelling contextually. Six years ago it suggests significant changes are coming but there is no follow-up on whether they were correct with the benefit of hindsight. Likewise, the relevant advances in quantum computers isn't cited.
>
> The reference is helpful. Perhaps I would have just said:
>
> "There have been recent advances in cryptoanalysis [BH2013] and in the development of quantum computers [insert ref]. Each of these advances pose a threat to widely deployed digital signature algorithms. There is a need to prepare for a day that cryptosystems such as RSA and DSA that depend on discrete logarithm and factoring cannot be depended upon."
I suggest:
Recent advances in cryptoanalysis [BH2013] and progress in the
development of quantum computers [NAS2019] pose a threat to widely
deployed digital signature algorithms. As a result, there is a need
to prepare for a day that cryptosystems such as RSA and DSA that
depend on discrete logarithm and factoring cannot be depended upon.
and:
[NAS2019] National Academies of Sciences, Engineering, and Medicine,
"Quantum Computing: Progress and Prospects", The National
Academies Press, DOI 10.17226/25196, 2019.
> ** Section 1.3. The text "Hash-based signatures [HASSIG] are currently defined ... An IANA registry is defined ..." is duplicated almost verbatim again in Section 2. Why is it needed twice. IMO, it can be removed here.
Agree. It is removed.
> ** Section 1.3. LM-OTS signature generation needs a reference.
That paragraph was removed based on the previous comment.
> ** Section 2. Provide a reference to the IANA registry.
Reference added for:
https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml
> ** Section 2.1. Per "Otherwise, generation of the entire tree might take weeks on longer", perhaps add "on a current <insert system type>".
The number of hash computations is huge to construct the entire tree, that is why HSS breaks it into manageable chunks. The system type is not the issue at all.
> ** Section 2.1. Cite the functions (i.e., u32str() is from [HASHSIG]) and string notation (i.e., "||" is concat)
On first use of these, I added:
where, u32str() and || are used as defined in [HASHSIG].
> ** s/in Section 3.3/in struct signed_public_key in Section 3.3/
I suggest:
where, as defined in Section 3.3 of [HASHSIG], the signed_public_key
structure contains the lms_signature over the public key followed by
the public key itself.
Russ
- [lamps] AD Review: draft-ietf-lamps-cms-hash-sig-… Roman Danyliw
- Re: [lamps] AD Review: draft-ietf-lamps-cms-hash-… Russ Housley
- Re: [lamps] AD Review: draft-ietf-lamps-cms-hash-… Roman Danyliw
- Re: [lamps] AD Review: draft-ietf-lamps-cms-hash-… Russ Housley