Re: [TLS] Simplifying signature algorithm negotiation

[David Benjamin <davidben@chromium.org>]

On Tue, Jan 19, 2016 at 1:25 PM Hubert Kario <hkario@redhat.com> wrote:

> > > If it does not specify the DH share signed, it doesn't really change
>
> > anything...
> >
> > Why would it need to specify what [DH group's] DH share gets signed?
> > NamedGroup still exists for the key exchange (see step 1). I'm only
> > proposing pulling signature curves out of NamedGroup.
> >
> > (Is the DH share even signed directly? It looks like TLS 1.3 signs via
> > CertificateVerify's handshake context in both directions. Either way,
> > it's just a byte-string message. We could also backport this sort of
> > thing to TLS 1.2 and the signature algorithm still doesn't care about
> > the DH share. That gets encoded into a byte string somehow.)
> >
> > I'm trying to make the decompositions and premultiplications align
> > with how the protocol is structured. TLS 1.2 decomposed algorithm,
> > signing curve, and hash which isn't universal (Ed25519, Ed448, even
> > RSA-PSS's params in full generality aren't the same shape, the
> > definition of "digitally-signed" takes only a byte-string message as
> > input), so they should be premultiplied. Whereas signature algorithm
> > and DH group are cleanly separated in the protocol and needn't be
> > premultiplied.
>
> Problem I am pointing out is that NamedGroup specifies not only what
> curves can be used for signing but also what curves can get signed.
>
> Or are you saying that the NamedGroup would stay, and would now specify
> only the supported parameters for the key exchange, not how they are
> authenticated (as it is now)?
>

Yes.

> On Friday 15 January 2016 20:45:34 David Benjamin wrote:
> 1. Drop eddsa_ed25519(31) and eddsa_ed448(32) from NamedGroup. From now
on, NamedGroup is only used for (EC)DH.

> On Tuesday 19 January 2016 16:50:18 David Benjamin wrote:
> Why would it need to specify what [DH group's] DH share gets signed?
> NamedGroup still exists for the key exchange (see step 1). I'm only
> proposing pulling signature curves out of NamedGroup.


Or to put it other way: what extensions and with what values should I
> sent if I support only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with either
> P-256 or P-384 curve, signed with SHA-256, SHA-384 or SHA-512 using RSA?


supported_groups {p256, p384}
supported_signature_algorithms {rsa_pkcs1_sha256, rsa_pkcs1_sha384,
rsa_pkcs1_sha512}
(Or s/rsa_pkcs1_/rsa_pss_/g if you meant that one.)

For your example, nothing on the wire changes at all. Before, you'd end up
sending:
supported_groups {p256, p384}
supported_signature_algorithms {{sha256, rsa}, {sha384, rsa}, {sha512, rsa}}
And rsa_pkcs1_sha256 should be allocated to align with {sha256, rsa}, etc.

The interesting case is Ed25519 and Ed448. You'd currently have to send:
supported_groups {..., eddsa_ed25519, eddsa_ed448}
supported_signature_algorithms {..., {sha512, eddsa}, {shake256[1], eddsa}}

However, this does not capture that {shake256, eddsa} + eddsa_ed25519 isn't
legal. Instead I want:
supported_groups {..., irrelevant to ed25519 and friends}
supported_signature_algorithms {..., eddsa_ed25519, eddsa_ed448}

David

[1] I have not been following the CFRG curve work very closely. Adam tells
me Ed448 is likely to be bound to SHAKE-256. For the sake of discussion,
let's assume that's how it ends up.