Re: [TLS] Updated EdDSA in TLS drafts
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 09 June 2015 11:39 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F4111A88F3 for <tls@ietfa.amsl.com>; Tue, 9 Jun 2015 04:39:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RenJcHNMextZ for <tls@ietfa.amsl.com>; Tue, 9 Jun 2015 04:38:59 -0700 (PDT)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 973191A1A82 for <tls@ietf.org>; Tue, 9 Jun 2015 04:38:58 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id 9AF2E188878; Tue, 9 Jun 2015 14:38:56 +0300 (EEST)
Date: Tue, 09 Jun 2015 14:38:56 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Simon Josefsson <simon@josefsson.org>
Message-ID: <20150609113856.GA12380@LK-Perkele-VII>
References: <87zj4ah6i0.fsf@latte.josefsson.org> <20150608103940.GA25285@LK-Perkele-VII> <87sia1jn6q.fsf@latte.josefsson.org> <20150609094341.GA11347@LK-Perkele-VII> <87k2vddtoc.fsf@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <87k2vddtoc.fsf@latte.josefsson.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Lvox33dJcGMYF8FfU4BNIyNITLE>
Cc: tls@ietf.org
Subject: Re: [TLS] Updated EdDSA in TLS drafts
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2015 11:39:01 -0000
On Tue, Jun 09, 2015 at 01:09:55PM +0200, Simon Josefsson wrote: > Ilari Liusvaara <ilari.liusvaara@elisanet.fi> writes: > > >> Yeah. I think this is actually a larger question: will EdDSA be defined > >> with other curves than Ed25519? If no, the only interesting algorithm > >> to specify is Ed25519. If yes, the parameter choices needs to be > >> encoded somehow. The hash isn't the only parameter to EdDSA. > > > > The requirements of EdDSA are so bizarre that I don't think there are > > realistic curves to use with that besides Edwards form of Curve25519. > > Okay. If that is really the case, we should specify Ed25519 directly > and don't bother with EdDSA. But if there is a chance that we'll see > other curves used with EdDSA, then it would be better to specify EdDSA > and instantiate it for Ed25519 with some parameter choice. > > I believe this is an important question, but I lack knowledge to make a > decision. Also, since this is also brainstorming about adding a new signature primitive (post-RFC5246). The CFRG signature primitive probably will be parameterized by curve and hash function (maybe with restrictions on minimum hash length for each curve). > > (Edwards form of M-379 might come the closest, but the needed 760-bit(!) > > hash function is pretty much unobtabnium). > > Can't you build one with a keyed PRF? Maybe. But that's something I'd rather not mess with. > >> > More ciphersuites. Eew. > >> > >> Yeah. I offer this approach in the rare case that it might actually > >> prove less complex to implement, and that some might find it useful. I > >> suspect it might get shot down during further discussions. > > > > I checked the TLS 1.2 spec: > > - If advertised ciphersuites and signature_algorithms conflict, latter > > takes precedence. > > - If selected ciphersuite and signature algorithm in struct > > DigitallySigned conflict, latter takes percedence. > > > > This means TLS_DHE_RSA_* key exchange can end up being signed with ECDSA, > > if client told it supports ECDSA. > > While a bit ugly, language could be added to the TLS-Ed25519 document > saying what to do in each case. I don't propose to do this, though, > just saying that the problem above could be solved if it was really > important. Why not just follow standard TLS 1.2 rules (which are a bit odd as noted above, but look to be workable)? > >> > Also, in TLS 1.2 Client CertificateVerify (does not apply to server > >> > certificate, nor either certificate in TLS 1.3) signs the entiere > >> > handshake so far. That could be many kilobytes in size, spread over > >> > multiple message. > >> > >> Some implementations buffer the entire handshake to deal with this > >> problem. I'm not sure what to recommend generally, or if this document > >> has to care about this. > > > > I was thinking maybe PRF-hash, since one has that running anyway (for > > session_hash and finished) and it better be secure enough. > > Ah. Would you then sign the PRF-hash with SHA-512 for Ed25519? Yup (if avoiding buffering is important). -Ilari
- [TLS] Updated EdDSA in TLS drafts Simon Josefsson
- Re: [TLS] Updated EdDSA in TLS drafts Ilari Liusvaara
- Re: [TLS] Updated EdDSA in TLS drafts Stephen Farrell
- Re: [TLS] Updated EdDSA in TLS drafts Martin Thomson
- Re: [TLS] Updated EdDSA in TLS drafts Salz, Rich
- Re: [TLS] Updated EdDSA in TLS drafts Simon Josefsson
- Re: [TLS] Updated EdDSA in TLS drafts Simon Josefsson
- Re: [TLS] Updated EdDSA in TLS drafts Simon Josefsson
- Re: [TLS] Updated EdDSA in TLS drafts Ilari Liusvaara
- Re: [TLS] Updated EdDSA in TLS drafts Ilari Liusvaara
- Re: [TLS] Updated EdDSA in TLS drafts Stephen Farrell
- Re: [TLS] Updated EdDSA in TLS drafts Simon Josefsson
- Re: [TLS] Updated EdDSA in TLS drafts Simon Josefsson
- Re: [TLS] Updated EdDSA in TLS drafts Stephen Farrell
- Re: [TLS] Updated EdDSA in TLS drafts Simon Josefsson
- Re: [TLS] Updated EdDSA in TLS drafts Ilari Liusvaara
- Re: [TLS] Updated EdDSA in TLS drafts Simon Josefsson