[TLS] Resolving the Ed448 context issue in RFC4492bis
Yoav Nir <ynir.ietf@gmail.com> Wed, 16 November 2016 01:49 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56D0D129552 for <tls@ietfa.amsl.com>; Tue, 15 Nov 2016 17:49:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zv73WRRa9mds for <tls@ietfa.amsl.com>; Tue, 15 Nov 2016 17:49:54 -0800 (PST)
Received: from mail-pf0-x22d.google.com (mail-pf0-x22d.google.com [IPv6:2607:f8b0:400e:c00::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 468EC129411 for <tls@ietf.org>; Tue, 15 Nov 2016 17:49:54 -0800 (PST)
Received: by mail-pf0-x22d.google.com with SMTP id i88so39228529pfk.2 for <tls@ietf.org>; Tue, 15 Nov 2016 17:49:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-transfer-encoding:mime-version:subject:message-id:date :to; bh=qEgHIRqnEh+u/sZ9Z828VnlXyygBbqDvCq72QpyIKP8=; b=eCY/Rgwnj0aLBE7FbdIXYlhcE3RMTWNEEIuSRelQwmSVy6Wzb9SsmY5ODCl2w33fy1 /Ill71AE+t5RUORhylcl7nuLSc5gZBp0CcB7oVe3cAzEg9qlJKZhnt/UdigwpALb3kcg fx6veWptzCkvYtW6AHiNuydspH3My+uk3r4i2KKpdzz1X0L4zqOhEvwUKw/IC2gV1QDE u0PiTFwTyKh5harzUiGK/vZb0C9SIVBIqEeELl5V7VXkbw0chU7KE2psI7Hf+KAjy4LF PCAU0p/wbV8FoSmMb6se7BpsLHlPilHMCRy/Mr6CBUzU0oAORIDiFqHs3DLbIlrC5/32 jqGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:message-id:date:to; bh=qEgHIRqnEh+u/sZ9Z828VnlXyygBbqDvCq72QpyIKP8=; b=Ay/j1DQYNkTqs4yLiGsEW3PStk7dWAZX7EVK8Nmi7i8CtcATM0nMMozezsFa2ISHcA j6WY6CAt8xUkUiCMwIwJSbJWTQdR9GreUJb7DqEsfPBenakAhfCD+ooa0hQaKhXVgxyh 4yPmI+CnmCLbKerLC2NvZa1CkuhT2AMBlkRYAnnIGgea23xuT1We288puhTUAwYT0YO6 rDPTn1rcL7K8y5WikDa5o3bgUlzuMzAPuHUj0b6jS7ST3eAyIHoLf26WUzW0q5yiSTBb OjtNjfHDG6JO6ha/xiRN4Y/ayeYg4aO6INJWqi6VQkYkOKWkV9legfBYIx5o7CA247f3 yZ6g==
X-Gm-Message-State: ABUngvdeXkgKESXpG0LV/ixQrigHFayP1MKFceDJgXlesJ/CI9ibn3FgK03F4oR2KMJDhg==
X-Received: by 10.99.5.21 with SMTP id 21mr2540452pgf.32.1479260993665; Tue, 15 Nov 2016 17:49:53 -0800 (PST)
Received: from t2001067c03700128b0cd002daee86f00.v6.meeting.ietf.org (t2001067c03700128b0cd002daee86f00.v6.meeting.ietf.org. [2001:67c:370:128:b0cd:2d:aee8:6f00]) by smtp.gmail.com with ESMTPSA id c128sm46993356pfc.39.2016.11.15.17.49.52 for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 15 Nov 2016 17:49:53 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
Message-Id: <B3CDC6C9-E4C5-4EE5-989B-55FACA3F5C3A@gmail.com>
Date: Wed, 16 Nov 2016 10:49:47 +0900
To: "<tls@ietf.org>" <tls@ietf.org>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8Ec7jQqLr_3FrvQfuclllfozKZk>
Subject: [TLS] Resolving the Ed448 context issue in RFC4492bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2016 01:49:55 -0000
Hi, all
As mentioned in Tuesday's session, Ed448 and Ed25519ctx add a new parameter to the signature function: a context string. Setting this string to a different value for each application (where application could be "PKIX", "TLS", "IKE") leads to different results and thus a signature made in one context does not validate in another context. This reduces the attack surface for attacks involving signing oracles.
The CFRG draft suggests that "contexts SHOULD NOT be used opportunistically, as that kind of use is very error-prone. If contexts are used, one SHOULD require all signature schemes available for use in that purpose support contexts". As I don't think this WG is ready to deprecate RSA, DSA, and ECDSA in one fell swoop, I think we should not use contexts.
So I suggest to add the following sentence at the end of the fifth paragraph section 5.10 ("All EdDSA computations MUST be performed...") of the rfc4492bis draft:
The context parameter for Ed448 MUST be set to the empty string.
Comments?
Yoav