Re: [lamps] [EXTERNAL] Re: LAMPS Virtual Interim in Sept. 2022
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 16 September 2022 17:44 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20A92C1524C3 for <spasm@ietfa.amsl.com>; Fri, 16 Sep 2022 10:44:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHDlDs0lUXPy for <spasm@ietfa.amsl.com>; Fri, 16 Sep 2022 10:44:33 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 959B2C14CF10 for <spasm@ietf.org>; Fri, 16 Sep 2022 10:44:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 0E1AD211F8; Fri, 16 Sep 2022 20:44:31 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 24VQt4C_B8EG; Fri, 16 Sep 2022 20:44:30 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id BD3BD2315; Fri, 16 Sep 2022 20:44:28 +0300 (EEST)
Date: Fri, 16 Sep 2022 20:44:28 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: LAMPS <spasm@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <YyS1/HUoSjRA/8Lb@LK-Perkele-VII2.locald>
References: <4026D3B2-9390-484F-8A10-43E135441998@vigilsec.com> <CADqLbzJjBpPF+6bZ2E2r_eXKFmzCcd5i8H_ZV7O0Dg9Kg+i1xw@mail.gmail.com> <AB126236-D280-4922-A711-CE4C2948C6B3@vigilsec.com> <CADqLbzJF1YYPMpHF3q4NfD-VMG6UM3QdtT33WcL7QE7D8mUvTA@mail.gmail.com> <CADqLbz+ZgNvynnOOH0g13GKMegKrgAghJmTJr=C2pAtYo45X5Q@mail.gmail.com> <02E791EC-13CF-4C23-9BAD-A29938C9B2CF@vigilsec.com> <CADqLbzJtuxY9wdPE1iC3O=NFS8JnojuspbJBXN_=FZ2=4dfg=Q@mail.gmail.com> <D49B24A7-10D1-424E-B1C6-6202343F99F3@vigilsec.com> <68F68C22-B0DC-452D-B8BC-CE4B8B53B664@vigilsec.com> <CH0PR11MB57397348405207DC6733877E9F489@CH0PR11MB5739.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CH0PR11MB57397348405207DC6733877E9F489@CH0PR11MB5739.namprd11.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ym1JkvR68kiYSqtHCJBdL7AFhjo>
Subject: Re: [lamps] [EXTERNAL] Re: LAMPS Virtual Interim in Sept. 2022
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2022 17:44:39 -0000
On Fri, Sep 16, 2022 at 04:44:55PM +0000, Mike Ounsworth wrote: > + CFRG as this is request for crypto security review > > > Issue summary: > > - Needing to stream your entire message to your crypto module is > dumb (think streaming an entire firmware image to your network HSM > for code-signing, or to your TPM for secure boot validation; yuck). > - You want to send just a hash. > - Both Dilithium and Falcon have, as their first internal step' a > hash of the message prepended with a nonce (the pubkey for > Dilithium, and a random r for Falcon), I assume in order to block > pre-computed collision attacks. > - If you, for example, do SHA256(m) before calling Dilithium.sign(), > then you have re-introduced that collision attack. > - You can externalize that first hashing step of the Dilithium / > Falcon sign / verify algs outside of the crypto module without > breaking interop, but doing so will need to be mentioned in the > standards, and will need security review. An alternative to just sending a hash is defining a structure that represents a salted hash of piece of data and then signing that structure. As far as I understand, the X.509 signature algorithm model is sufficiently flexible that this could be done by defining a special X.509 signature algorithm. However, at least in some contexts, there are very nontrivial related considerations. E.g., COSE "hash-once-sign-twice" stuff. With SPHINCS+, these constructions are even more useful, as externalization is not possible, and (unsalted) prehashing leads to a security issue. Furthermore, SPHINCS+ is currently the only trustworthy PQ signature algorithm: Currently Dilithium and Falcon are definitely not trustworthy (NSA effectively endorsing level 5 Dilithium nonwithstanding). And as for purpose of that prepending, for Dilithium, it indeed looks to be to block precomputed collision attacks. However, for Falcon, the primary purpose seems to be to block a possible attack (which might be catastrophic) if the same message is signed twice; blocking collision attacks seems to be a side effect. Dilthium looks straightforward to externalize: Have interface that passes in mu instead of m. Getting it wrong breaks interop, so it does not look to be too bad interface. However, Falcon is completely another matter. The lesser problem is that one needs to pass in (block-aligned) SHAKE-256 state, and not a hash. The serious problem is that since getting generation of r wrong might have catastrophic consequences, it is not possilble to pass that in to any sort of security module. One would have to have some sort of two-pass interface, which is quite radical deperture from usual sort of one-pass signature interface. -Ilari
- [lamps] DRAFT LAMPS Agenda for IETF 114 Russ Housley
- Re: [lamps] DRAFT LAMPS Agenda for IETF 114 Brockhaus, Hendrik
- Re: [lamps] DRAFT LAMPS Agenda for IETF 114 Dmitry Belyavsky
- Re: [lamps] DRAFT LAMPS Agenda for IETF 114 Russ Housley
- Re: [lamps] DRAFT LAMPS Agenda for IETF 114 Dmitry Belyavsky
- [lamps] LAMPS Virtual Interim in Sept. 2022 Russ Housley
- Re: [lamps] LAMPS Virtual Interim in Sept. 2022 Russ Housley
- Re: [lamps] [EXTERNAL] Re: LAMPS Virtual Interim … Mike Ounsworth
- Re: [lamps] [CFRG] [EXTERNAL] Re: LAMPS Virtual I… Orie Steele
- Re: [lamps] [EXTERNAL] Re: LAMPS Virtual Interim … Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] [EXTERNAL] Re: LAMPS Virtual Interim … Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: LAMPS Virtual Interim … Ilari Liusvaara
- Re: [lamps] LAMPS Virtual Interim in Sept. 2022 Russ Housley
- Re: [lamps] [EXTERNAL] Re: LAMPS Virtual Interim … Ilari Liusvaara
- Re: [lamps] LAMPS Virtual Interim in Sept. 2022 Russ Housley
- Re: [lamps] LAMPS Virtual Interim in Sept. 2022 Hubert Kario
- Re: [lamps] LAMPS Virtual Interim in Sept. 2022 Russ Housley
- Re: [lamps] LAMPS Virtual Interim in Sept. 2022 Brockhaus, Hendrik
- Re: [lamps] LAMPS Virtual Interim in Sept. 2022 Hubert Kario