IETF Logo Mail Archive

Re: [TLS] Ecdsa-sig-value in TLS 1.3 – need for erratum?

Dan Brown <danibrown@blackberry.com> Mon, 30 September 2019 14:41 UTC

Return-Path: <danibrown@blackberry.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF367120813 for <tls@ietfa.amsl.com>; Mon, 30 Sep 2019 07:41:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 44NOmRo-pkjX for <tls@ietfa.amsl.com>; Mon, 30 Sep 2019 07:41:15 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7508B1200F9 for <TLS@ietf.org>; Mon, 30 Sep 2019 07:41:15 -0700 (PDT)
Received: from xct102cnc.rim.net ([10.65.161.202]) by mhs211cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Sep 2019 10:40:58 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT102CNC.rim.net ([fe80::2066:5d4f:8c45:af55%17]) with mapi id 14.03.0415.000; Mon, 30 Sep 2019 10:40:58 -0400
From: Dan Brown <danibrown@blackberry.com>
To: Hubert Kario <hkario@redhat.com>, "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: [TLS] Ecdsa-sig-value in TLS 1.3 – need for erratum?
Thread-Index: AQHVd46CEHEbqnHFwEiFjr5wGFc+y6dEPs3Q
Date: Mon, 30 Sep 2019 14:40:57 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501E44E12@XMB116CNC.rim.net>
References: <1803994.nvTnDQYtSi@pintsize.usersys.redhat.com>
In-Reply-To: <1803994.nvTnDQYtSi@pintsize.usersys.redhat.com>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0097_01D5777B.8A5337D0"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0yxHOBnEOnlnXA0dkzHWOhb8z7Q>
Subject: Re: [TLS] Ecdsa-sig-value in TLS 1.3 – need for erratum?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Sep 2019 14:41:18 -0000

A brief reminder below about 2 new extra elements of ECDSA-Sig-Value.

> -----Original Message-----
> From: TLS <tls-bounces@ietf.org> On Behalf Of Hubert Kario
> Sent: Monday, September 30, 2019 8:56 AM
...
>
> At the same time SEC 1 v2.0[1] defines that structure as follows:
>
>            ECDSA-Sig-Value ::= SEQUENCE {
>                r INTEGER,
>                s INTEGER,
>                a INTEGER OPTIONAL,
>                y CHOICE { b BOOLEAN, f FieldElement } OPTIONAL
>            }

The new a and y values help a verifier recover the point R (where R=kG, and 
r=x(R) mod n, s=(e+dr)/k mod n), if desired.

Of course, it is possible to recover R from r, without a or y, but the 
downside is that such recovery seems to requiring test two different 
candidates for R.

There are a few small benefits of recovering R.

Faster verification: the verifier can verify as tsR=teG+trQ with a value t 
chosen to make both ts and tr small, which can be faster than using r alone.

Public-key recovery: the verifier can compute the signer's public key as Q = 
(1/r)(sR-eG).  The subtle sub-applications of Q-recovery include: 
proof-of-generation (if the message signed contains Q, then Q seems to be 
uniquely tagged), data compression (omitting Q from the cert), assisted key 
generation (a trusted authority adds entropy into Q).

I'm not sure if these applications are relevant to TLS, however.

At the ASN.1 and DER formatting level, the intent was that
 (1) old syntax signatures (r,s only) would be compatible with the new syntax 
since optional fields are DER-encoded as empty strings, to empty string should 
DER-decode (is this right?), and
 (2) a lax, liberal implementation of the old syntax would understand the new 
syntax, simply by ignoring the new values a and y, (and ignoring the total 
length of the DER encoding).

Of course, the strictly proper way to do (2) was to have put an ASN.1 "..." 
placeholder in the old syntax, thereby accommodating for future extensions. 
Alas, this was not put in.  So a strict, literal implementation of the old 
syntax should reject the new syntax.

v2.23.0 | Report a Bug | By Email