Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 14 February 2019 22:38 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Russ Housley <housley@vigilsec.com>
CC: Tim Hollebeek <tim.hollebeek@digicert.com>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
Date: Thu, 14 Feb 2019 22:37:57 +0000
Message-ID: <13aac7fd60a04eb2b56507808b4d17c9@XCH-RTP-006.cisco.com>
References: <BN6PR14MB1106523B8FE0E5FFDA2C3D5483900@BN6PR14MB1106.namprd14.prod.outlook.com> <d07ed88179514efd848f3a98e6ef5129@XCH-RTP-006.cisco.com> <29800B65-CE39-4BA4-B6D1-F2E6F870E1D6@vigilsec.com>
In-Reply-To: <29800B65-CE39-4BA4-B6D1-F2E6F870E1D6@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ZJnHLMAsi8229TWUiDZUMN0noFM>

Sorry for being late, but I was just re-reviewing the draft, and I noticed something odd:

You define id-alg-hss-lms-hashsig-with-sha384 (and sha512), with the comment that this specifies the use of SHA-384 to hash the content.

That’s not how LMS is designed to work; currently, it uses the same hash function to hash the message as it does for all its internal hashes.  If you were to replace the initial SHA-256 hash with something larger, well, you’d need to tweak the size of the LM-OTS signature (to accommodate the larger value being signed), and so that wouldn’t be clean at all.

For that matter, LMS doesn’t do a straight hash of the message; instead, it includes a prefix (the point of the prefix, which is randomized, is to avoid relying on the collision resistance of SHA-256).

Now, I suppose you could SHA-384 hash the message, and then turn around and do an LMS signature generate/verify on that hash (which would, with the currently defined LMS parameter sets, immediately prepend the prefix, and then SHA-256 hash it).  However, if something that nonobvious is specified, you need to call it out explicitly (and also what do you do with id-alg-hss-lms-hashsig-with-sha256; would that also do an initial SHA-256 hash?).

My suggestion would be to combine all three algorithm identifiers into a single id-alg-hss-lms-hashsig (and have the parameter set indicator within the LMS public key specify which hash is to be used).

And, since someone brought up XMSS, well, that’d have pretty much the same issues (and for the same reasons…)

From: Russ Housley <housley@vigilsec.com>
Sent: Thursday, January 31, 2019 11:07 AM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

Scott:

Thanks for the careful read.  I have made these changes in my edit buffer.

Russ



On Jan 30, 2019, at 3:04 PM, Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> wrote:

Just two spelling corrections…

Nit: in the first line of section 4: “for an HHS/LMS public key” should be “for an HSS/LMS public key”

Nit: in the first line of section 6.2: “on the current sate” should be “on the current state”



From: Spasm <spasm-bounces@ietf.org> On Behalf Of Tim Hollebeek
Sent: Wednesday, January 30, 2019 2:25 PM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03


This is the LAMPS WG Last Call for “Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)” <draft-ietf-lamps-cms-hash-sig-03>.

Please review the document and send your comments to the list by 14 February 2019.

If no concerns are raised, the document will be forwarded to the IESG with a request for publication as Proposed Standard.

-Tim

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm
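Scott's two points above, that LMS hashes the message under a randomized prefix rather than directly, and that the LM-OTS signature size is tied to the hash length n, worked through as an added example that is not part of this thread or of the draft. The formulas follow RFC 8554 (sections 4.1 and 4.5); the values of I, q and C are constructed sample inputs.

```python
import hashlib
import math

D_MESG = 0x8181  # RFC 8554 domain separator for the message hash (u16str(D_MESG))

# Constructed sample values: a 16-byte key identifier I, a 32-byte randomizer C.
# In a real signature C is freshly random per message; here it is fixed for reproducibility.
SAMPLE_I = bytes(range(16))
SAMPLE_C = bytes(32)

def lmots_message_digest(I: bytes, q: int, C: bytes, message: bytes) -> bytes:
    """Q = H(I || u32str(q) || u16str(D_MESG) || C || message) with H = SHA-256.
    This is the value LM-OTS actually signs; the message is never hashed bare."""
    prefix = I + q.to_bytes(4, "big") + D_MESG.to_bytes(2, "big") + C
    return hashlib.sha256(prefix + message).digest()

def prehash_then_digest(I: bytes, q: int, C: bytes, message: bytes) -> bytes:
    """The variant the draft's sha384 identifier seems to imply: SHA-384 the content
    first, then feed the 48-byte result to LMS as 'the message'. Note that C is only
    mixed in after the pre-hash, so a SHA-384 collision would give the same Q."""
    return lmots_message_digest(I, q, C, hashlib.sha384(message).digest())

def lmots_params(n: int, w: int):
    """Winternitz chain counts for an n-byte hash and chain width w (RFC 8554 s.4.1):
    u chains cover the digest, v chains cover the checksum, p = u + v in total."""
    u = math.ceil(8 * n / w)
    v = math.ceil((math.floor(math.log2(u * (2 ** w - 1))) + 1) / w)
    return u, v, u + v

def lmots_signature_len(n: int, w: int) -> int:
    """Byte length of an LM-OTS signature: 4-byte type code, n-byte C, p chain values of n bytes."""
    _, _, p = lmots_params(n, w)
    return 4 + n + p * n

if __name__ == "__main__":
    msg = b"constructed sample content"
    print(lmots_message_digest(SAMPLE_I, 0, SAMPLE_C, msg).hex())
    print(prehash_then_digest(SAMPLE_I, 0, SAMPLE_C, msg).hex())
    # Growing n from 32 (SHA-256) to 48 (SHA-384 output) changes p and the signature size.
    for n in (32, 48):
        print(n, lmots_params(n, 8), lmots_signature_len(n, 8))
```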