Re: [TLS] Updated EdDSA/Ed25519 PKIX document
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Thu, 24 September 2015 12:27 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26EDA1A9145; Thu, 24 Sep 2015 05:27:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.301
X-Spam-Level:
X-Spam-Status: No, score=-1.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_47=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U3N_1TZRQyiJ; Thu, 24 Sep 2015 05:27:50 -0700 (PDT)
Received: from emh06.mail.saunalahti.fi (emh06.mail.saunalahti.fi [62.142.5.116]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBF571A913D; Thu, 24 Sep 2015 05:27:49 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh06.mail.saunalahti.fi (Postfix) with ESMTP id AA0D4699FB; Thu, 24 Sep 2015 15:27:47 +0300 (EEST)
Date: Thu, 24 Sep 2015 15:27:47 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Simon Josefsson <simon@josefsson.org>
Message-ID: <20150924122747.GA10461@LK-Perkele-VII>
References: <878u7xtu06.fsf@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <878u7xtu06.fsf@latte.josefsson.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/LgV0_QHJ0_010VWDWquXQ5QkKik>
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] Updated EdDSA/Ed25519 PKIX document
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2015 12:27:52 -0000
On Wed, Sep 23, 2015 at 10:33:29AM +0200, Simon Josefsson wrote: > Hi all, > > I have pushed out a new version of the document describing EdDSA public > keys, signatures and certificates for PKIX. The change in -03 include > the addition of the prehash mode, test vectors generated by GnuTLS, and > a section recommending certain human readable names. > > https://tools.ietf.org/html/draft-josefsson-pkix-eddsa-03 > > I've started a thread to discuss whether it is wortwhile to be able to > use the same Ed25519 key for both PureEdDSA mode and HashEdDSA signing, > and I'd appreciate feedback on whether people are interested in this and > generally if it is a good idea or not. The complexity involved make me > shy away a bit from it, but it is fun to consider. The thread is here: > https://moderncrypto.org/mail-archive/curves/2015/000630.html Some comments: 1) Taking private key example and decoding the ASN.1 yields: 0 37: SEQUENCE { 2 1: ENUMERATED 1 5 32: OCTET STRING : D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 F8 AD : 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 58 42 : } What is that ENUMERATED 1 for? The text description has algorithm of SHA512-Ed25519, which would AFAICT be ENUMERATED 2 if private keys use the same kind enumeration as public keys. 2) AFAICT, EdDSA-20150704 calls the signature without prehash, with 25519 curve and SHA-512 hash "Ed25519-SHA-512" (and the corresponding version with SHA-512 prehash "SHA-512-Ed25519-SHA-512"). The first of those is AFAIK the same as the old "Ed25519" signature primitive. One problem with those names is that those things might get rather nasty to read when '-' both appears inside hash names and component separator. 3) Using the same key for both PureEdDSA and HashEdDSA sounds like a bad idea. However, it would be technically possible to alter the internal subkey derivation so that different prehashes give logically separate keys. Such change would only affect signing, not verification (since verifier sees the change as different public key). 4) For TLS PoP signatures, does it make sense to use HashEdDSA at all? Another way would to always use PureEdDSA and perform hash separtion from TLS side (e.g. sign(privkey, hash_func_id|H(tbs_data))). The certificate signatures are different matter tho, since CAs use HSMs for signing (those HSMs tend to be rather beefy, but still). Then there are CRLs. I would imagine those are so large that one rather uses prehashing. -Ilari
- [TLS] Updated EdDSA/Ed25519 PKIX document Simon Josefsson
- Re: [TLS] [pkix] Updated EdDSA/Ed25519 PKIX docum… Manger, James
- Re: [TLS] Updated EdDSA/Ed25519 PKIX document Simon Josefsson
- Re: [TLS] [pkix] Updated EdDSA/Ed25519 PKIX docum… Nikos Mavrogiannopoulos
- Re: [TLS] Updated EdDSA/Ed25519 PKIX document Ilari Liusvaara
- Re: [TLS] Updated EdDSA/Ed25519 PKIX document Nikos Mavrogiannopoulos
- Re: [TLS] Updated EdDSA/Ed25519 PKIX document Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Updated EdDSA/Ed25519 PKIX document Ilari Liusvaara
- Re: [TLS] Updated EdDSA/Ed25519 PKIX document Nikos Mavrogiannopoulos