Re: [TLS] Require deterministic ECDSA

Brian Smith <brian@briansmith.org> Sun, 24 January 2016 05:20 UTC

In-Reply-To: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com>
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com>
Date: Sat, 23 Jan 2016 19:20:48 -1000
Message-ID: <CAFewVt6fh=Li9DbAisFmHi3CHd1wJJ7MCxG0q0hdA6LJSjJg+w@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Joseph Birr-Pixton <jpixton@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/DdjW9iXNNecNGzH581Ig-1O6BLY>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Require deterministic ECDSA

Joseph Birr-Pixton <jpixton@gmail.com> wrote:

> I'd like to propose that TLS1.3 mandates RFC6979 deterministic ECDSA.
>

What about the way BoringSSL (and OpenSSL, I think) does it? It
incorporates all the inputs that RFC6979 does, but using SHA-512 instead of
HMAC. And, it also includes a random element in the SHA-512 hash.

Ed25519 uses SHA-512 instead of HMAC for the same purpose and people seem
to think it works fine.

Also hashing in some randomness seems like it would help avoid some side
channel leakage. Note that most (all the ones I've looked at for more than
5 minutes) open-source ECDSA implementations have side-channel issues of
various levels of significance.

Anyway, I do think that implementations should do something *like this* to
avoid problems when the RNG is bad, but I think prescribing RFC 6979 as the
solution is overly-specific, especially when it doesn't even seem to be the
best way to accomplish the goal in many cases.

Cheers,
Brian
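As an added example (not code from this thread, BoringSSL or OpenSSL), the RFC 6979 HMAC_DRBG nonce derivation written out in Python next to a simplified "hedged" variant that folds the private key, the message hash and fresh randomness into SHA-512, in the spirit of what Brian describes; the hedged construction is illustrative and not BoringSSL's exact one, and the only external values assumed are P-256's group order and the RFC 6979 A.2.5 test inputs.

```python
import hashlib
import hmac
import os

# NIST P-256 group order q (public curve constant).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def _bits2int(b, qlen):
    # RFC 6979 2.3.2: keep the leftmost qlen bits of b.
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v

def _int2octets(x, qlen):
    # RFC 6979 2.3.3: big-endian, padded to ceil(qlen/8) bytes.
    return x.to_bytes((qlen + 7) // 8, "big")

def _bits2octets(b, q, qlen):
    # RFC 6979 2.3.4: bits2int, reduce mod q, then int2octets.
    return _int2octets(_bits2int(b, qlen) % q, qlen)

def rfc6979_nonce(x, h1, q, hashname="sha256"):
    """Deterministic k per RFC 6979 3.2 from private key x and message hash h1."""
    qlen = q.bit_length()
    hlen = hashlib.new(hashname).digest_size
    seed = _int2octets(x, qlen) + _bits2octets(h1, q, qlen)
    V, K = b"\x01" * hlen, b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + seed, hashname).digest()
    V = hmac.new(K, V, hashname).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashname).digest()
    V = hmac.new(K, V, hashname).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashname).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Out of range: rekey and try again (RFC 6979 3.2 step h.3).
        K = hmac.new(K, V + b"\x00", hashname).digest()
        V = hmac.new(K, V, hashname).digest()

def hedged_nonce(x, h1, q, rnd=None):
    """Hedged k: SHA-512 over key, message hash and fresh randomness (illustrative only).
    Same inputs plus rnd give the same k; a weak RNG degrades to deterministic, not repeated, k."""
    rnd = os.urandom(32) if rnd is None else rnd
    d = hashlib.sha512(_int2octets(x, q.bit_length()) + h1 + rnd).digest()
    # 512-bit value reduced into [1, q-1]; the modular bias is negligible for a ~256-bit q.
    return int.from_bytes(d, "big") % (q - 1) + 1
```

With the A.2.5 key and message "sample", `rfc6979_nonce` reproduces the RFC's published k, while `hedged_nonce` still yields a distinct, in-range k for every distinct message even when `rnd` is constant.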