IETF Logo Mail Archive

[TLS] Fwd: Re: Require deterministic ECDSA

Michael StJohns <msj@nthpermutation.com> Sun, 24 January 2016 20:04 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 772D91B321E for <tls@ietfa.amsl.com>; Sun, 24 Jan 2016 12:04:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EHhYHeoO3jfz for <tls@ietfa.amsl.com>; Sun, 24 Jan 2016 12:04:50 -0800 (PST)
Received: from mail-qg0-x234.google.com (mail-qg0-x234.google.com [IPv6:2607:f8b0:400d:c04::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E4381B321C for <tls@ietf.org>; Sun, 24 Jan 2016 12:04:50 -0800 (PST)
Received: by mail-qg0-x234.google.com with SMTP id e32so95692318qgf.3 for <tls@ietf.org>; Sun, 24 Jan 2016 12:04:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:references:to:from:message-id:date:user-agent:mime-version :in-reply-to:content-type; bh=Vu1nS/FrhbHBiRqMdmMiNrY/RFOJC6v2iyhdhJn/e+w=; b=1PCyznvIQgPaM1NbOX6xibuB/IZWrc8bKoN7NCLiTGs6UbIvCDkjC/DFaLIDAAcOD5 eYXnPXDHp06Yy9HoS47RiSYmFT1q+cr9c75DFiVhG4IgCw4yFEHNTGk5MMPsWM9+dAyh HpHGvBlRY5AoTd77t1VpvGg6sk98VDX3wybYt/2sND+r5xDduF2hCwy2JbP45k+LgdR3 dXectsBHbqXknPwmI35weqjUEnL03ra70Ran1agx6lHjhgMXLVodiOKAZZiJ/pwx6bQR RSI+97fyN090mTNXitEI5jYpwiv+as/C6q2TFKwmNayQpAl7orfcqmG2m2nXgExMG39z sJcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:references:to:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=Vu1nS/FrhbHBiRqMdmMiNrY/RFOJC6v2iyhdhJn/e+w=; b=U9xc1qPpm8OCJGX7gM8itXU0Y/7+Puw6HqfPL2Ov0HJYjp0P80vzwufoSIYBsO1S2E eu1hQ3IoQGuiKxUbB/2Gait85WlsQtYmaiUsU3zZDbK5W3HZdyspYqQX6NI8iY2OZ421 M1u0Jd4maZRLuJYMUWDSXNcL4K0cEuHAYgFX5CfeiWqboJl3DmHn7qsfWE+Ia3o4nGb2 sMG9ZqwVIGuJM8WdMff2eyDrX1fHNa1/2Tfs+33GocRfY77668hv5KDX+WSmt7pM2rZV e0Z8WyqPKUCy1uYwtQ91+niReD5pB1oZxFS6J3uxw1oZKmMmvEmEGwSQQj1XwDV4ERoa jlmw==
X-Gm-Message-State: AG10YOTlKjzPGtGavdGMQXRjRu+acfuLErQjSMIiO11Z10KIiCfl9fZuq9gFdcWpahcMgw==
X-Received: by 10.140.229.72 with SMTP id z69mr17125598qhb.104.1453665889563; Sun, 24 Jan 2016 12:04:49 -0800 (PST)
Received: from ?IPv6:2601:148:c000:1bb4:49cd:a64a:bc7e:4016? ([2601:148:c000:1bb4:49cd:a64a:bc7e:4016]) by smtp.gmail.com with ESMTPSA id z138sm7352469qhb.7.2016.01.24.12.04.48 for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 24 Jan 2016 12:04:49 -0800 (PST)
References: <56A42E75.8030108@nthpermutation.com>
To: "tls@ietf.org" <tls@ietf.org>
From: Michael StJohns <msj@nthpermutation.com>
X-Forwarded-Message-Id: <56A42E75.8030108@nthpermutation.com>
Message-ID: <56A52E66.6020202@nthpermutation.com>
Date: Sun, 24 Jan 2016 15:04:54 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <56A42E75.8030108@nthpermutation.com>
Content-Type: multipart/alternative; boundary="------------030508030806090907070307"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/EhSAvkLtfb5-ig2eP1Uj-kF4FRs>
Subject: [TLS] Fwd: Re: Require deterministic ECDSA
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jan 2016 20:04:52 -0000

Sorry - I hit the wrong "reply to" button.


-------- Forwarded Message --------
Subject: 	Re: Require deterministic ECDSA
Date: 	Sat, 23 Jan 2016 20:52:53 -0500
From: 	Michael StJohns <msj@nthpermutation.com>
To: 	Geoffrey Keating <geoffk@geoffk.org>



On 1/23/2016 8:05 PM, Geoffrey Keating wrote:
> Michael StJohns <msj@nthpermutation.com> writes:
>
>> On 1/23/2016 2:13 PM, Joseph Birr-Pixton wrote:
>>> Hi,
>>>
>>> I'd like to propose that TLS1.3 mandates RFC6979 deterministic ECDSA.
>>>
>>> For discussion, here's a pull request with possible language:
>>>
>>> https://github.com/tlswg/tls13-spec/pull/406
>>>
>>> Cheers,
>>> Joe
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>> Correct me if I'm wrong but:
>>
>> 1) A receiver of an deterministic ECDSA signature verifies it EXACTLY
>> like they would a non-deterministic signature.
>> 2) A receiver of an ECDSA signature cannot determine whether or not
>> the signer did a deterministic signature.
>> 3) A TLS implementation has no way (absent repeating signatures over
>> identical data) of telling whether or not a given signature using the
>> client or server private key  is deterministic.
>>
>>    All that suggests that this is a completely unenforceable
>> requirement with respect to TLS.
> A test suite can easily determine, if it knows the private key in use
> by the implementation under test, whether that implementation is
> generating RFC 6979 deterministic signatures or not.  That seems to me
> an adequate enforcement mechanism.

Um.. not really.   The actual worked example is FIPS.   There are lots
of FIPS TLS implementations and they all go through testing (your
proposed enforcement mechanism), and there is exactly NO way for one
FIPS implementation to ensure that it is talking to another FIPS
implementation.  The best they can do is limit the offer and acceptance
of specific crypto suites.

MUST or "Required"  in IETF parlance is usually reserved for choices
that have to be made to have interoperable products.  Neither FIPS nor
deterministic ECDSA rise to that level.    FIPS at least recognizes that
and imposes its requirements on the buyers (US Gov't and US Gov't
contractors) who then ask for FIPS capable products. And people who want
to sell to the government then make FIPS capable products that ... wait
for it... interoperate with non-FIPS products.

 From 2119:
>   In particular, they MUST only be used where it is
>     actually required for interoperation or to limit behavior which has
>     potential for causing harm (e.g., limiting retransmisssions)  For
>     example, they must not be used to try to impose a particular method
>     on implementors where the method is not required for
>     interoperability.

Or would you argue that I'm misinterpreting the above and the impact of
your suggested change?

(Um.. in the above "causing harm" has usually been interpreted to mean
"harm to the network" - not preventing stupidity in implementation).

Later, Mike

v2.23.0 | Report a Bug | By Email