IETF Logo Mail Archive

Re: [TLS] Require deterministic ECDSA

Geoffrey Keating <geoffk@geoffk.org> Sat, 23 January 2016 20:16 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90DFC1AD0B9 for <tls@ietfa.amsl.com>; Sat, 23 Jan 2016 12:16:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1V5Jag20jvsV for <tls@ietfa.amsl.com>; Sat, 23 Jan 2016 12:16:32 -0800 (PST)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [198.0.208.83]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE79F1AD0B8 for <tls@ietf.org>; Sat, 23 Jan 2016 12:16:31 -0800 (PST)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 162E833D239; Sat, 23 Jan 2016 20:16:30 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Joseph Birr-Pixton <jpixton@gmail.com>
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com> <CAGwT64i5v+0xXLzQYFO5JVKs302x6BgZYN+ffYzMVesgbB9biA@mail.gmail.com> <CACaGApnF7fM2cQdbG9PK7uZaiUkhXiYqKVkzFuk2teD9B5et9w@mail.gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Sat, 23 Jan 2016 12:16:29 -0800
In-Reply-To: <CACaGApnF7fM2cQdbG9PK7uZaiUkhXiYqKVkzFuk2teD9B5et9w@mail.gmail.com>
Message-ID: <m2vb6koxuq.fsf@localhost.localdomain>
Lines: 60
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ISODVZrKTrcYZcYPv-Z1UM-KmrQ>
Cc: Jacob Maskiewicz <jmaskiew@eng.ucsd.edu>, tls@ietf.org
Subject: Re: [TLS] Require deterministic ECDSA
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jan 2016 20:16:33 -0000

[I guess we're top-posting...]

Another benefit is that if it turns out the entropy source is broken,
then if client/server random or IV is guessable, that's something that
affects one connection and can be addressed for future connections by
fixing the entropy source.  But if k generation is broken, then that
leaks the key permanently and you need to get a new one and revoke the
old one, which may be difficult.

Perhaps the RFC should say something to that effect?  I think there's
already a section in the security considerations about random number
generators.

Joseph Birr-Pixton <jpixton@gmail.com> writes:

> Hi,
> 
> The other benefit is being able to test that a critical code path
> produces the correct answers. With randomised k, this is not really
> possible. For instance, you can choose k with the top bit clear
> without any obvious or externally-testable effects, except effectively
> publishing your long-term private key after a large number of
> signatures[1].
> 
> Given the history of these things, I would perhaps challenge the
> assumption that all TLS stacks will have a bug-free, thread-safe,
> fork-safe, high quality, uncompromised, backdoor-free, unbiased random
> number generator :)
> 
> Cheers,
> Joe
> 
> [1]: http://people.rennes.inria.fr/Jean-Christophe.Zapalowicz/papers/asiacrypt2014.pdf
> 
> On 23 January 2016 at 19:27, Jacob Maskiewicz <jmaskiew@eng.ucsd.edu> wrote:
> > The main argument I see from the RFC for deterministic ECDSA is computing k
> > on systems without high quality entropy sources. But any system running a
> > TLS stack is already going to have a high quality entropy source for
> > client/server randoms and IVs and such, so what's the benefit of
> > deterministic ECDSA here?
> >
> > -Jake M
> >
> > On Jan 23, 2016 11:13 AM, "Joseph Birr-Pixton" <jpixton@gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> I'd like to propose that TLS1.3 mandates RFC6979 deterministic ECDSA.
> >>
> >> For discussion, here's a pull request with possible language:
> >>
> >> https://github.com/tlswg/tls13-spec/pull/406
> >>
> >> Cheers,
> >> Joe
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email