Re: [TLS] Require deterministic ECDSA

Michael StJohns <msj@nthpermutation.com> Sun, 24 January 2016 18:08 UTC

To: Yoav Nir <ynir.ietf@gmail.com>
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com> <56A41F0F.70609@nthpermutation.com> <FFB0FFED-841A-4D97-8C09-0DCC6D2A91AE@gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <56A51327.2020406@nthpermutation.com>
Date: Sun, 24 Jan 2016 13:08:39 -0500
In-Reply-To: <FFB0FFED-841A-4D97-8C09-0DCC6D2A91AE@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Bwxz-oQ_n-qoPCH6JNF8d6rqK7c>
Cc: tls@ietf.org
Subject: Re: [TLS] Require deterministic ECDSA

On 1/24/2016 5:15 AM, Yoav Nir wrote:
>> Correct me if I'm wrong but:
>>
>> 1) A receiver of a deterministic ECDSA signature verifies it EXACTLY like they would a non-deterministic signature.
>> 2) A receiver of an ECDSA signature cannot determine whether or not the signer did a deterministic signature.
>> 3) A TLS implementation has no way (absent repeating signatures over identical data) of telling whether or not a given signature using the client or server private key is deterministic.
> I might be missing something, but if k is deterministic, do we really need to send it? Can’t the receiver figure it out the same way that the sender did?
>
> I know that makes it break compatibility, but since this is TLS 1.3 anyway, that’s not an issue, I think.
>
> Yoav
>

Hi Yoav

If K is known and the signature is known then the private key is known.

The particular method the RFC uses to create the signature is to 
incorporate the signing private key as part of the input to the 
pseudo-random generation of K (along with the message).  The receiver 
doesn't have the private key and so can't derive K (which is a *GOOD* 
thing - see the point above.  :-) )


Mike.
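The two points in the reply above, carried through in code as an added example (this is not code from the thread, from the TLS working group, or from RFC 6979 itself): the RFC 6979 derivation of k from the private key d and the message hash, a plain ECDSA verifier that cannot tell how k was chosen, and the recovery d = (s*k - e) * r^-1 mod n that anyone who learns k can perform. The curve is NIST P-256 with SHA-256 in pure Python; the private key, k, r and s constants are the published RFC 6979 appendix A.2.5 "sample" vector, while the function names (`rfc6979_k`, `sign`, `verify`, `recover_private_key`, `demo`) are this example's own. `sign` returns k only so the recovery can be demonstrated; a real implementation must never expose it.

```python
"""Deterministic ECDSA (RFC 6979) on P-256, and the leak StJohns describes:
given k and a signature, the private key falls out.  Demo only: the curve
arithmetic is not constant time and does no input validation."""
import hashlib
import hmac

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
QLEN, RLEN = 256, 32  # bit / byte length of N

# RFC 6979 appendix A.2.5 test vector (P-256, SHA-256, message "sample").
RFC6979_D = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
RFC6979_K = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60
RFC6979_R = 0xEFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716
RFC6979_S = 0xF7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def _bits2int(b):
    """RFC 6979 bits2int: leftmost QLEN bits of the octet string."""
    z = int.from_bytes(b, "big")
    extra = len(b) * 8 - QLEN
    return z >> extra if extra > 0 else z


def _int2octets(x): return x.to_bytes(RLEN, "big")


def rfc6979_k(d, h1):
    """RFC 6979 section 3.2: HMAC_DRBG seeded with int2octets(d) || bits2octets(h1).
    The private key is part of the seed, so only the signer can derive k."""
    hm = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    seed = _int2octets(d) + _int2octets(_bits2int(h1) % N)
    V, K = b"\x01" * 32, b"\x00" * 32
    K = hm(K, V + b"\x00" + seed)
    V = hm(K, V)
    K = hm(K, V + b"\x01" + seed)
    V = hm(K, V)
    while True:
        T = b""
        while len(T) < RLEN:
            V = hm(K, V)
            T += V
        k = _bits2int(T)
        if 1 <= k < N:
            return k
        K = hm(K, V + b"\x00")  # candidate out of range: rekey and retry
        V = hm(K, V)


def sign(d, msg):
    """Deterministic ECDSA-SHA256.  Returns (r, s, k); k is returned ONLY so
    recover_private_key() can demonstrate the leak below."""
    h1 = hashlib.sha256(msg).digest()
    e = _bits2int(h1) % N
    k = rfc6979_k(d, h1)
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * d) % N
    return r, s, k


def verify(Q, msg, r, s):
    """Plain ECDSA verification: it has no way to tell how k was chosen."""
    if not (0 < r < N and 0 < s < N):
        return False
    e = _bits2int(hashlib.sha256(msg).digest()) % N
    w = pow(s, -1, N)
    X = _add(_mul(e * w % N, G), _mul(r * w % N, Q))
    return X is not None and X[0] % N == r


def recover_private_key(r, s, k, msg):
    """From s = k^-1 (e + r d) mod n follows d = (s k - e) r^-1 mod n."""
    e = _bits2int(hashlib.sha256(msg).digest()) % N
    return (s * k - e) * pow(r, -1, N) % N


def demo(d=RFC6979_D, msg=b"sample"):
    Q = _mul(d, G)
    r, s, k = sign(d, msg)
    r2, s2, k2 = sign(d, msg)  # same input, same k: deterministic
    return {"deterministic": (r, s, k) == (r2, s2, k2),
            "verifies": verify(Q, msg, r, s),
            "recovered_d": recover_private_key(r, s, k, msg)}
```

`demo()` signs the RFC test message twice, checks the signature with the ordinary verifier, and then hands k to `recover_private_key`, which returns exactly `RFC6979_D`. That is why a protocol cannot ask the sender to transmit k, and why a receiver that could compute k would already hold the private key.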