IETF Logo Mail Archive

Re: [TLS] Require deterministic ECDSA

Watson Ladd <watsonbladd@gmail.com> Sun, 24 January 2016 16:25 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41DA31A1AC1 for <tls@ietfa.amsl.com>; Sun, 24 Jan 2016 08:25:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UtELlQ8XjLhV for <tls@ietfa.amsl.com>; Sun, 24 Jan 2016 08:25:02 -0800 (PST)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79C931A1ADB for <tls@ietf.org>; Sun, 24 Jan 2016 08:25:02 -0800 (PST)
Received: by mail-yk0-x236.google.com with SMTP id a85so137436938ykb.1 for <tls@ietf.org>; Sun, 24 Jan 2016 08:25:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=1O2MvmgGvneWi6KGUp3xJwdH1VRTMZkmyQBAbjd9Tj8=; b=BpRfsWOGewzAllMB/DJX8Pr6sBzjqXXvEJ0ktoK6UfdE0WaZ6eVWmhENb+6f/v7cA5 LpLn54b2algZ8QaFJApz+PLW/nL3t/dphF0RyrU3V762f5eHtyeDRHnTZdAbCMHc+trO J1WQYXkXaH4wxC7YChr0hhWwlF7Lx2AV3W7x1p4sg9Ebv/C8gppr81E7VSZOoHD5OXwc UF8JhPzUmFEQS0Ttjpdrr9wwlX/1M7ScnPvSvW69Wf3UZA6PyruWW/3tYJ0fhizK9Wk9 mc24lX4OXQYsIJ+VON2lt784DlXzS2/mUf0uZP3J88lll45ctcLMeLw+KZWqSMXckNdX yH0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=1O2MvmgGvneWi6KGUp3xJwdH1VRTMZkmyQBAbjd9Tj8=; b=GWfqveNXJJU6swdwZ5rJ9YOLam9BA41iEbSf9O5Zfysp2VMV+Mcjt32JvwA9FIB3R5 YoxdBtG0tfhXi6yRZsiblN5KcvoLVTtTjZFf5Pc6zyI2ovvJG3zPDjOfI6w7owZa1RoH Z63cj3O50gzXqEcWJ/j+rwNOkKwQ/9uyN+RM6idni1Rbk6uOf4a0ZnXhJwW+A/IwE+Gu e2saNvgHE+6JIIKfE2ymH2+VVk+g5xS3PVw0vx7ctfW94lQ/YbMFyUr6z9uQGsLWybdx 6I3T602Ukbax4LzR6dsmTBmlr0bRrY/JOPx6QCgfWn8gIOh39Yu13UpZLxtRb+cByN4Q wDxA==
X-Gm-Message-State: AG10YORR3HaUjJibFTqGnLu8+Z11xQ1jsuH9VZuidi0PfaY0gaGx+BCjlrgGNUSYyWfkHrQ3IOC8x61u1YzQ4w==
MIME-Version: 1.0
X-Received: by 10.129.57.135 with SMTP id g129mr6211110ywa.244.1453652701470; Sun, 24 Jan 2016 08:25:01 -0800 (PST)
Received: by 10.13.216.150 with HTTP; Sun, 24 Jan 2016 08:25:01 -0800 (PST)
In-Reply-To: <F819D2BB-53B0-4DD9-AAE4-856AAEDD0A8A@gmail.com>
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com> <CAGwT64i5v+0xXLzQYFO5JVKs302x6BgZYN+ffYzMVesgbB9biA@mail.gmail.com> <CACaGApnF7fM2cQdbG9PK7uZaiUkhXiYqKVkzFuk2teD9B5et9w@mail.gmail.com> <07742742-5517-4A94-9462-E41F4C3EB6FD@gmail.com> <56A42097.5010802@nthpermutation.com> <F819D2BB-53B0-4DD9-AAE4-856AAEDD0A8A@gmail.com>
Date: Sun, 24 Jan 2016 08:25:01 -0800
Message-ID: <CACsn0cn1o2xVFMfHp5+-LaXFR9dRT9q7V4hPrgyRoYPOW3RGUQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NOgbqyznHNyVDQyOz9cJtD462GY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Require deterministic ECDSA
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jan 2016 16:25:04 -0000

On Sun, Jan 24, 2016 at 2:12 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Hi, Mike
>
>> On 24 Jan 2016, at 2:53 AM, Michael StJohns <msj@nthpermutation.com> wrote:
>>
>> On 1/23/2016 7:17 PM, Yoav Nir wrote:
>>> Also if the signatures are done in a separate hardware module, that module is even less likely to have a good random source.
>>>
>>> And if we make it rely on external input for the random, that’s a good way of getting it to reveal information about the private key, whereas keeping the private key secret forever was the whole point of using a hardware module.
>>>
>>> So that’s another argument in favor of deterministic signatures.
>>>
>>> Yoav
>>
>> I tried to parse the above into meaningful A implies B logic and failed.
>>
>> If you have an HSM, the key that's generating the signature tends to be generated inside the HSM.  If your HSM has a bad RNG, then the key generation is going to be a problem well before the signature generation RNG problem kicks in.   And to clarify, a key generated inside an HSM tends to use that HSM's signature mechanism, not something in a separate module.
>>
>> I don't think your argument holds.
>>
>> "If we make it rely on external input for the random"???   Isn't that exactly what the RFC uses in the form of the hashed message?
>
> Yeah, it was way past midnight when I wrote that. Only so much coherence in those hours.
>
> The HSM has enough entropy to generate (once) a 256-bit (or 384-bit or 521-bit) key. When working as part of a TLS server using regular ECDSA it would need to generate a random k for each full handshake, and many such servers routinely handle tens of thousands of such handshakes per second. So it’s hundreds of kilobytes per second, for an HSM that has no network input, no I/O of any kind other than the signature requests, this may be a problem. I’ve seen people claim this in the past.

Standard conjectures in cryptography imply that counter mode for short
messages is indistinguishable from random data. A device with 256
random bits can create a long random key . Maybe the issue is the HSM
isn't made by people who know the first thing about cryptography, who
believe the widely peddled nonsense about entropy.

>
> That last sentence there. If we’re using regular ECDSA, the HSM can either generate its own k or receive a k from the caller. For our software’s FIPS certification we had to support both modes to be able to produce a predictable ECDSA. I don’t know, but I imagine hardware would be required to support this as well. If you run the HSM in production with the external random input, you’re making it possible for an attacker who has compromised the system to discover the key bits by repeatedly calling the HSM with same k’s for different inputs. This is negated by using deterministic ECDSA where the k is a function of the input.

The whole point of HSMs is to protect keys, by denying the ability to
use the API in ways that reveal keys. Providing k along with the
message breaks that entirely.

>
> Yoav
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email