Re: [TLS] [PATCH RFC4492bis] Add EdDSA signature support
Yoav Nir <ynir.ietf@gmail.com> Wed, 21 October 2015 06:12 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 314E51B35D5 for <tls@ietfa.amsl.com>; Tue, 20 Oct 2015 23:12:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_75=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cyi_NlUX87of for <tls@ietfa.amsl.com>; Tue, 20 Oct 2015 23:11:58 -0700 (PDT)
Received: from mail-wi0-x242.google.com (mail-wi0-x242.google.com [IPv6:2a00:1450:400c:c05::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A69C1B35D7 for <tls@ietf.org>; Tue, 20 Oct 2015 23:11:58 -0700 (PDT)
Received: by wicuv6 with SMTP id uv6so9840822wic.2 for <tls@ietf.org>; Tue, 20 Oct 2015 23:11:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Fj+7pZmXmemCtxoOvOO02X3h1vnVkevoG9fs7D8/0t8=; b=MY1V6Hep+AJyKBHCbX1UZ9sstIj40A4+Op01/K+lHMOtMvo8KVQNHifBCJsyvg/Mu1 YaqEzvJCqSVcQSfqEBzeGGli/DNR8tN5BRdlv34YYri0xtQbz6h5qDjDBVUD8q1ZbDfY QHGxYMrMZFLt7Q5SVl2u+Ff6t95mbK9g6geMFD7QnSxr1FOOmk/e6esYy341mNvd5Z+K eC9se8f+nRQGEwKTkNPgLmW+er/K5eR3wk8jsoN4jbNEZkVbiv38p74FfmSj+VY4p5n1 +eCgr8C/NfGfCvpRc8zhTT4j/yPl5JF2bptG8KImWd2H5n1PewbhuN1pMbfek2Aqd51/ w8yA==
X-Received: by 10.194.24.68 with SMTP id s4mr9163074wjf.12.1445407916864; Tue, 20 Oct 2015 23:11:56 -0700 (PDT)
Received: from yoavs-mbp.mshome.net ([176.12.149.118]) by smtp.gmail.com with ESMTPSA id az6sm22208539wib.12.2015.10.20.23.11.53 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 20 Oct 2015 23:11:55 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <1445362518-2482-1-git-send-email-ilari.liusvaara@welho.com>
Date: Wed, 21 Oct 2015 09:11:51 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <F28C3B92-05CE-4AD0-BAD6-097FBE0C7D30@gmail.com>
References: <8FA6E91D-7322-4C73-8333-4FEA82517ED7@gmail.com> <1445362518-2482-1-git-send-email-ilari.liusvaara@welho.com>
To: Ilari Liusvaara <ilari.liusvaara@welho.com>
X-Mailer: Apple Mail (2.3094)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/P7vpdZIfj4ANg66A7spZhi7Ox1I>
Cc: tls@ietf.org
Subject: Re: [TLS] [PATCH RFC4492bis] Add EdDSA signature support
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2015 06:12:03 -0000
LGTM. Can you push this to GitHub? > On 20 Oct 2015, at 8:35 PM, Ilari Liusvaara <ilari.liusvaara@welho.com> wrote: > > From: Ilari Liusvaara <ilariliusvaara@welho.com> > > --- > On Tue, Oct 20, 2015 at 10:42:14AM +0300, Yoav Nir wrote: >> Hi Ilari >> >>> - Is this document meant to also include the CFRG signatures >>> work? The interfaces to functions are already known. >> >> That is the intention. A PR is welcome. > > Well, here's an attempt at a patch. Comments welcome. > > Idea is to use SignatureAndHash (eddsa, none) for EdDSA signatures, > and have two new curves for it, one for Ed25519{,ph} and the other > for Ed448{,ph}. I shared the ciphersuites and key exchange algorithms > between ECDSA and EdDSA. Turned out to be bit cleaner than I expected > in TLS 1.0/1.1 due to separate curves. > > This also should incorporate the TLS 1.2 changes to signing algorithm > requirements (but I may have missed some). > > Also, the ECDH_fixed client signatures are still there. Should those be, > those definitely destroy FPS and AFAIK aren't used in wild? > > Also, the ciphersuite list looks bad. RC4... Really? > > > draft-ietf-tls-rfc4492bis.xml | 154 ++++++++++++++++++++++++++++-------------- > 1 file changed, 103 insertions(+), 51 deletions(-) > > diff --git a/draft-ietf-tls-rfc4492bis.xml b/draft-ietf-tls-rfc4492bis.xml > index acf1525..0966bb8 100644 > --- a/draft-ietf-tls-rfc4492bis.xml > +++ b/draft-ietf-tls-rfc4492bis.xml > @@ -53,8 +53,8 @@ > <abstract> > <t> This document describes key exchange algorithms based on Elliptic Curve Cryptography (ECC) for the Transport > Layer Security (TLS) protocol. In particular, it specifies the use of Ephemeral Elliptic Curve Diffie-Hellman > - (ECDHE) key agreement in a TLS handshake and the use of Elliptic Curve Digital Signature Algorithm (ECDSA) as > - a new authentication mechanism.</t> > + (ECDHE) key agreement in a TLS handshake and the use of Elliptic Curve Digital Signature Algorithm (ECDSA) and > + Edwards Digital Signature Algorithm (EdDSA) as new authentication mechanisms.</t> > </abstract> > </front> > <!-- > @@ -62,6 +62,8 @@ > * Added mention of TLS 1.2 > * Removed "required reading" for ECC from the Introduction. ECC is not longer "exotic" > * Moved the original authors to the Acknowledgement section. > + * Added EdDSA. > + * Added CFRG curves. > --> > <middle> > <!-- ====================================================================== --> > @@ -119,7 +121,7 @@ > <texttable anchor="tbl2" title="ECC Key Exchange Algorithms"> > <ttcol align="left">Algorithm</ttcol> > <ttcol align="left">Description</ttcol> > - <c>ECDHE_ECDSA</c><c>Ephemeral ECDH with ECDSA signatures.</c> > + <c>ECDHE_ECDSA</c><c>Ephemeral ECDH with ECDSA or EdDSA signatures.</c> > <c>ECDHE_RSA</c><c>Ephemeral ECDH with RSA signatures.</c> > <c>ECDH_anon</c><c>Anonymous ephemeral ECDH, no signatures.</c> > </texttable> > @@ -134,7 +136,7 @@ > <t> Note that there is no structural difference between ECDH and ECDSA keys. A certificate issuer may use > X.509 v3 keyUsage and extendedKeyUsage extensions to restrict the use of an ECC public key to certain > computations. This document refers to an ECC key as ECDH-capable if its use in ECDH is permitted. > - ECDSA-capable is defined similarly. <figure> > + ECDSA-capable and EdDSA-cabable are defined similarly. <figure> > <artwork><![CDATA[ > Client Server > ------ ------ > @@ -166,11 +168,10 @@ > <xref target="clientauth" /> and of the optional ECC-specific extensions (which impact the Hello messages) > until <xref target="tlsext" />.</t> > <section anchor="ecdhe_ecdsa" title="ECDHE_ECDSA"> > - <t> In ECDHE_ECDSA, the server's certificate MUST contain an ECDSA-capable public key and be signed with > - ECDSA.</t> > + <t> In ECDHE_ECDSA, the server's certificate MUST contain an ECDSA-capable or EdDSA-capable public key.</t> > <t> The server sends its ephemeral ECDH public key and a specification of the corresponding curve in the > - ServerKeyExchange message. These parameters MUST be signed with ECDSA using the private key corresponding > - to the public key in the server's Certificate.</t> > + ServerKeyExchange message. These parameters MUST be signed with ECDSA or EdDSA using the private key > + corresponding to the public key in the server's Certificate.</t> > <t> The client generates an ECDH key pair on the same curve as the server's ephemeral ECDH key and sends its > public key in the ClientKeyExchange message.</t> > <t> Both client and server perform an ECDH operation <xref target="alg_computes"/> and use the resultant > @@ -179,7 +180,7 @@ > <section anchor="ecdhe_rsa" title="ECDHE_RSA"> > <t> This key exchange algorithm is the same as ECDHE_ECDSA except that the server's certificate MUST contain > an RSA public key authorized for signing, and that the signature in the ServerKeyExchange message must be > - computed with the corresponding RSA private key. The server certificate MUST be signed with RSA.</t> > + computed with the corresponding RSA private key.</t> > </section> > <section anchor="ecdh_anon" title="ECDH_anon"> > <t> NOTE: Despite the name beginning with "ECDH_" (no E), the key used in ECDH_anon is ephemeral just like > @@ -193,14 +194,9 @@ > its public key in the ClientKeyExchange message.</t> > <t> Both client and server perform an ECDH operation and use the resultant shared secret as the premaster > secret. All ECDH calculations are performed as specified in <xref target="alg_computes"/>.</t> > - <t> Note that while the ECDHE_ECDSA and ECDHE_RSA key exchange algorithms require the server's certificate > - to be signed with a particular signature scheme, this specification (following the similar cases of > - DHE_DSS, and DHE_RSA in the TLS base documents) does not impose restrictions on signature schemes used > - elsewhere in the certificate chain. (Often such restrictions will be useful, and it is expected that this > - will be taken into account in certification authorities' signing practices. However, such restrictions are > - not strictly required in general: Even if it is beyond the capabilities of a client to completely validate > - a given chain, the client may be able to validate the server's certificate by relying on a trusted > - certification authority whose certificate appears as one of the intermediate certificates in the chain.)</t> > + <t> This specification does not impose restrictions on signature schemes used anywhere in the certificate chain. > + The previous version of this document required the signatures to match, but this restriction, originating > + in previous TLS versions is lifted here as it had been in RFC 5246.</t> > </section> > </section> > <section anchor="clientauth" title="Client Authentication"> > @@ -224,7 +220,7 @@ > different type than the server certificate.</t> > <section anchor="ecdsa_sign" title="ECDSA_sign"> > <t> To use this authentication mechanism, the client MUST possess a certificate containing an ECDSA-capable > - public key and signed with ECDSA.</t> > + or EdDSA-capable public key.</t> > <t> The client proves possession of the private key corresponding to the certified key by including a > signature in the CertificateVerify message as described in <xref target="cert_verify"/>.</t> > </section> > @@ -291,9 +287,9 @@ > cipher suites must be negotiated only if the server can successfully complete the handshake while using > the curves and point formats supported by the client (cf. <xref target="server_cert"/> and > <xref target="ske"/>).</t> > - <t> NOTE: A server participating in an ECDHE-ECDSA key exchange may use different curves for the ECDSA > - key in its certificate, and for the ephemeral ECDH key in the ServerKeyExchange message. The server MUST > - consider the extensions in both cases.</t> > + <t> NOTE: A server participating in an ECDHE_ECDSA key exchange may use different curves for the ECDSA or > + EdDSA key in its certificate, and for the ephemeral ECDH key in the ServerKeyExchange message. The server > + MUST consider the extensions in both cases.</t> > <t> If a server does not understand the Supported Elliptic Curves Extension, does not understand the > Supported Point Formats Extension, or is unable to complete the ECC handshake while restricting itself > to the enumerated curves and point formats, it MUST NOT negotiate the use of an ECC cipher suite. > @@ -303,13 +299,15 @@ > <t> RFC 4492 defined 25 different curves in the NamedCurve registry for use in TLS. Only three have seen > any use. This specification is deprecating the rest (with numbers 1-22). This specification also > deprecates the explicit curves with identifiers 0xFF01 and 0xFF02. It also adds the new curves > - defined in <xref target="CFRG-Curves"/>. The end result is as follows:</t> > + defined in <xref target="CFRG-Curves"/> and <xref target="CFRG-EdDSA"/>. The end result is as follows:</t> > <figure><artwork><![CDATA[ > enum { > deprecated(1..22), > secp256r1 (23), secp384r1 (24), secp521r1 (25), > Curve25519(TBD1), > Curve448(TBD2), > + Ed25519(TBD3), > + Ed448(TBD4), > reserved (0xFE00..0xFEFF), > deprecated(0xFF01..0xFF02), > (0xFFFF) > @@ -320,7 +318,8 @@ > curves. The named curves secp256r1, secp384r1, and secp521r1 are specified in SEC 2 > <xref target="SECG-SEC2"/>. These curves are also recommended in ANSI X9.62 > <xref target="ANSI.X9-62.2005"/> and FIPS 186-4 <xref target="FIPS.186-4"/>. Curve25519 and Curve448 > - are defined in <xref target="CFRG-Curves"/>. Values 0xFE00 through 0xFEFF are reserved for private use.</t> > + are defined in <xref target="CFRG-Curves"/>. Ed25519 and Ed448 are signature-only curves defined in > + <xref target="CFRG-EdDSA"/>. Values 0xFE00 through 0xFEFF are reserved for private use.</t> > <t> The NamedCurve name space is maintained by IANA. See <xref target="iana"/> for information on how new > value assignments are added.</t> > <figure><artwork><![CDATA[ > @@ -349,7 +348,7 @@ > ]]></artwork></figure> > <t> Three point formats were included in the definition of ECPointFormat above. This specification > deprecates all but the uncompressed point format. Implementations of this document MUST support the > - uncompressed format for all of their supported curves, and MUST support no other formats for curves > + uncompressed format for all of their supported curves, and MUST NOT support other formats for curves > defined in this specification. For backwards compatibility purposes, the point format list extension > MUST still be included, and contain exactly one value: the uncomptessed point format (0).</t> > <t> The ECPointFormat name space is maintained by IANA. See <xref target="iana"/> for information on how > @@ -449,7 +448,8 @@ > represent an elliptic curve point in uncompressed or compressed format; it MUST conform to what the > client has requested through a Supported Point Formats Extension if this extension was used. For the > Curve25519 and Curve448 curves, the only valid representation is the one specified in > - <xref target="CFRG-Curves"/> - a 32- or 56-octet representation of the u value of the point.</t> > + <xref target="CFRG-Curves"/> - a 32- or 56-octet representation of the u value of the point. This structure > + MUST NOT be used with Ed25519 and Ed448 public keys.</t> > <t> <figure><artwork><![CDATA[ > struct { > ECCurveType curve_type; > @@ -462,9 +462,9 @@ > <t hangText="curve_type:"> This identifies the type of the elliptic curve domain parameters.</t> > <t hangText="namedcurve:"> Specifies a recommended set of elliptic curve domain parameters. All those > values of NamedCurve are allowed that refer to a specific curve. Values of NamedCurve that indicate > - support for a class of explicitly defined curves are not allowed here (they are only permissible in > - the ClientHello extension); this applies to arbitrary_explicit_prime_curves(0xFF01) and > - arbitrary_explicit_char2_curves(0xFF02).</t> > + support for a class of explicitly defined curves or signature-only curves are not allowed here (they are > + only permissible in the ClientHello extension); this applies to Ed25519(TBD3), Ed448(TBD4), > + arbitrary_explicit_prime_curves(0xFF01) and arbitrary_explicit_char2_curves(0xFF02).</t> > <t><figure><artwork><![CDATA[ > struct { > ECParameters curve_params; > @@ -488,20 +488,27 @@ > <t hangText="signed_params:"> A hash of the params, with the signature appropriate to that hash applied. > The private key corresponding to the certified public key in the server's Certificate message is used > for signing.<figure><artwork><![CDATA[ > - enum { ecdsa } SignatureAlgorithm; > + enum { ecdsa(3), eddsa(TBD5) } SignatureAlgorithm; > select (SignatureAlgorithm) { > case ecdsa: > digitally-signed struct { > opaque sha_hash[sha_size]; > }; > + case eddsa: > + digitally-signed struct { > + opaque rawdata[rawdata_size]; > + }; > } Signature; > ServerKeyExchange.signed_params.sha_hash > SHA(ClientHello.random + ServerHello.random + > ServerKeyExchange.params); > + ServerKeyExchange.signed_params.rawdata > + ClientHello.random + ServerHello.random + > + ServerKeyExchange.params; > ]]></artwork></figure></t></list></t> > <t> NOTE: SignatureAlgorithm is "rsa" for the ECDHE_RSA key exchange algorithm and "anonymous" for ECDH_anon. > - These cases are defined in TLS. SignatureAlgorithm is "ecdsa" for ECDHE_ECDSA. ECDSA signatures are > - generated and verified as described in <xref target="alg_computes"/>, and SHA in the above template for > + These cases are defined in TLS. SignatureAlgorithm is "ecdsa" or "eddsa" for ECDHE_ECDSA. ECDSA signatures > + are generated and verified as described in <xref target="alg_computes"/>, and SHA in the above template for > sha_hash accordingly may denote a hash algorithm other than SHA-1. As per ANSI X9.62, an ECDSA signature > consists of a pair of integers, r and s. The digitally-signed element is encoded as an opaque vector > <0..2^16-1>, the contents of which are the DER encoding corresponding to the following ASN.1 > @@ -511,6 +518,9 @@ > s INTEGER > } > ]]></artwork></figure></t> > + <t>EdDSA signatures are generated and verified according to <xref target="CFRG-EdDSA"/>. The digitally-signed > + element is encoded as an opaque vector<0..2^16-1>, the contents of which is the octet string output of > + the EdDSA signing algorithm.</t> > <t> Actions of the sender:</t> > <t> The server selects elliptic curve domain parameters and an ephemeral ECDH public key corresponding to > these parameters according to the ECKAS-DH1 scheme from IEEE 1363 <xref target="IEEE.P1363.1998"/>. > @@ -558,14 +568,14 @@ > certificates as described in <xref target="eccerts"/>.</t> > <t> NOTE: The client's Certificate message is capable of carrying a chain of certificates. The > restrictions mentioned in Table 4 apply only to the client's certificate (first in the chain).</t> > - <texttable anchor="tbl4" title="Client Certificate Types"> > + <texttable anchor="tbl4" title="Client Certificate Types"> > <ttcol align="left">Client Authentication Method</ttcol> > <ttcol align="left">Client Certificate Type</ttcol> > - <c>ECDSA_sign</c><c>Certificate MUST contain an ECDSA-capable public key and be signed with ECDSA.</c> > + <c>ECDSA_sign</c><c>Certificate MUST contain an ECDSA-capable or EdDSA-capable public key.</c> > <c>ECDSA_fixed_ECDH</c><c>Certificate MUST contain an ECDH-capable public key on the same elliptic curve > - as the server's long-term ECDH key. This certificate MUST be signed with ECDSA.</c> > - <c>RSA_fixed_ECDH</c><c>Certificate MUST contain an ECDH-capable public key on the same elliptic curve > - as the server's long-term ECDH key. This certificate MUST be signed with RSA.</c> > + as the server's long-term ECDH key.</c> > + <c>RSA_fixed_ECDH</c><c>The same as ECDSA_fixed_ECDH. The codepoints meant different things, but due to > + changes in TLS 1.2, both mean the same thing now.</c> > </texttable> > <t> Structure of this message:</t> > <t> Identical to the TLS client Certificate format.</t> > @@ -599,9 +609,10 @@ > } ClientECDiffieHellmanPublic; > ]]></artwork></figure></t> > <t hangText="ecdh_Yc:"> Contains the client's ephemeral ECDH public key as a byte string ECPoint.point, > - which may represent an elliptic curve point in uncompressed or compressed format. Here, the format > - MUST conform to what the server has requested through a Supported Point Formats Extension if this > - extension was used, and MUST be uncompressed if this extension was not used.<figure><artwork><![CDATA[ > + which may represent an elliptic curve point in uncompressed or compressed format. Curves Ed25519 and > + Ed448 MUST NOT be used. Here, the format MUST conform to what the server has requested through a Supported > + Point Formats Extension if this extension was used, and MUST be uncompressed if this extension was not > + used.<figure><artwork><![CDATA[ > struct { > select (KeyExchangeAlgorithm) { > case ec_diffie_hellman: ClientECDiffieHellmanPublic; > @@ -625,11 +636,14 @@ > key in the client's Certificate message.</t> > <t> Structure of this message:</t> > <t> The TLS CertificateVerify message and the underlying Signature type are defined in the TLS base > - specifications, and the latter is extended here in <xref target="ske"/>. For the ecdsa case, the signature > - field in the CertificateVerify message contains an ECDSA signature computed over handshake messages > - exchanged so far, exactly similar to CertificateVerify with other signing algorithms:<figure><artwork><![CDATA[ > + specifications, and the latter is extended here in <xref target="ske"/>. For the ecdsa and eddsa cases, the > + signature field in the CertificateVerify message contains an ECDSA or EdDSA (respectively) signature computed > + over handshake messages exchanged so far, exactly similar to CertificateVerify with other signing > + algorithms:<figure><artwork><![CDATA[ > CertificateVerify.signature.sha_hash > SHA(handshake_messages); > + CertificateVerify.signature.rawdata > + handshake_messages; > ]]></artwork></figure></t> > <t> ECDSA signatures are computed as described in <xref target="alg_computes"/>, and SHA in the above > template for sha_hash accordingly may denote a hash algorithm other than SHA-1. As per ANSI X9.62, an > @@ -641,6 +655,9 @@ > s INTEGER > } > ]]></artwork></figure></t> > + <t>EdDSA signatures are generated and verified according to <xref target="CFRG-EdDSA"/>. The digitally-signed > + element is encoded as an opaque vector<0..2^16-1>, the contents of which is the octet string output of > + the EdDSA signing algorithm.</t> > <t> Actions of the sender:</t> > <t> The client computes its signature over all handshake messages sent or received starting at client hello > and up to but not including this message. It uses the private key corresponding to its certified public > @@ -651,8 +668,12 @@ > </section> > <section anchor="eccerts" title="Elliptic Curve Certificates"> > <t> X.509 certificates containing ECC public keys or signed using ECDSA MUST comply with > - <xref target="RFC3279"/> or another RFC that replaces or extends it. Clients SHOULD use the elliptic > - curve domain parameters recommended in ANSI X9.62, FIPS 186-4, and SEC 2 <xref target="SECG-SEC2"/>.</t> > + <xref target="RFC3279"/> or another RFC that replaces or extends it. X.509 certificates containing ECC > + public keys or signed using EdDSA MUST comply with <xref target="PKIX-EdDSA"/>. Clients SHOULD use the > + elliptic curve domain parameters recommended in ANSI X9.62, FIPS 186-4, and SEC 2 > + <xref target="SECG-SEC2"/> or in <xref target="CFRG-EdDSA"/>.</t> > + <t>EdDSA keys using Ed25519 and Ed25519ph algorithms MUST use the Ed25519 curve, and Ed448 and Ed448ph keys > + MUST use the Ed448 curve. Curves Curve25519, Curve448, Ed25519 and Ed448 MUST NOT be used for ECDSA.</t> > </section> > <section anchor="alg_computes" title="ECDH, ECDSA, and RSA Computations"> > <t> All ECDH calculations for the NIST curves (including parameter and key generation as well as the shared > @@ -675,11 +696,15 @@ > signed/verified is hashed, and the result run directly through the ECDSA algorithm with no additional > hashing. The default hash function is SHA-1 <xref target="FIPS.180-2"/>, and sha_size (see > <xref target="ske"/> and <xref target="cert_verify"/>) is 20. However, an alternative hash function, such > - as one of the new SHA hash functions specified in FIPS 180-2 <xref target="FIPS.180-2"/>, may be used instead.</t> > + as one of the new SHA hash functions specified in FIPS 180-2 <xref target="FIPS.180-2"/>, SHOULD be used instead.</t> > + <t> All EdDSA computations MUST be performed according to <xref target="CFRG-EdDSA"/> or its succesors. Data > + to be signed/verified is run through the EdDSA algorithm wih no hashing (EdDSA will internally run the data > + through the PH function).</t> > <t> RFC 4492 anticipated the standardization of a mechanism for specifying the required hash function in the certificate, > perhaps in the parameters field of the subjectPublicKeyInfo. Such standardization never took place, and as a result, > - SHA-1 is used in TLS 1.1 and earlier. TLS 1.2 added a SignatureAndHashAlgorithm parameter to the DigitallySigned struct, > - thus allowing agility in choosing the signature hash.</t> > + SHA-1 is used in TLS 1.1 and earlier (except for EdDSA, which uses identity function). TLS 1.2 added a > + SignatureAndHashAlgorithm parameter to the DigitallySigned struct, thus allowing agility in choosing the > + signature hash. EdDSA signatures MUST have HashAlgorithm of 0 (None).</t> > <t> All RSA signatures must be generated and verified according to <xref target="PKCS1"/> block type 1.</t> > </section> > <section anchor="valid25519" title="Public Key Validation"> > @@ -688,14 +713,16 @@ > key, to the point that they may recover the entire private key in a few requests, if that key is not really > ephemeral.</t> > <t> Curve25519 was designed in a way that the result of Curve25519(x, d) will never reveal information about > - d, provided it was chosen as prescribed, for any value of x.</t> > + d, provided it was chosen as prescribed, for any value of x (the same holds true for Curve448).</t> > <t> Let's define legitimate values of x as the values that can be obtained as x = Curve25519(G, d') for some > d, and call the other values illegitimate. The definition of the Curve25519 function shows that legitimate > - values all share the following property: the high-order bit of the last byte is not set.</t> > + values all share the following property: the high-order bit of the last byte is not set (for Ed448, any bit > + can be set).</t> > <t> Since there are some implementation of the Curve25519 function that impose this restriction on their input > and others that don't, implementations of Curve25519 in TLS SHOULD reject public keys when the high-order bit > of the last byte is set (in other words, when the value of the leftmost byte is greater than 0x7F) in order > to prevent implementation fingerprinting.</t> > + <t>Ed25519 and Ed448 internally do public key validation as part of signature verification.</t> > <t> Other than this recommended check, implementations do not need to ensure that the public keys they receive > are legitimate: this is not necessary for security with Curve25519.</t> > </section> > @@ -770,8 +797,10 @@ > <t> NOTE: IANA, please update the registries to reflect the new policy name.</t> > <t> NOTE: RFC editor please delete these two notes prior to publication.</t> > <t> IANA, please update these two registries to refer to this document.</t> > - <t> IANA is requested to assign two values from the NamedCurve registry with names Curve25519(TBD1) and > - Curve448(TBD2) with this document as reference.</t> > + <t> IANA is requested to assign four values from the NamedCurve registry with names Curve25519(TBD1), > + Curve448(TBD2), Ed25519(TBD3) and Ed448(TBD4) with this document as reference.</t> > + <t> IANA is requested to assign one value from SignatureAlgorithm Registry with name eddsa(TBD5) with this > + document as reference.</t> > </section> > <section anchor="ack" title="Acknowledgements"> > <t> Most of the text is this document is taken from <xref target="RFC4492"/>, the predecessor of this > @@ -785,6 +814,9 @@ > </section> > <section anchor="history" title="Version History for This Draft"> > <t> NOTE TO RFC EDITOR: PLEASE REMOVE THIS SECTION</t> > + <t> Changes from draft-ietf-tls-rfc4492bis-03 to draft-nir-tls-rfc4492bis-05:<list style="symbols"> > + <t> Add support for CFRG curves and signatures work.</t> > + </list></t> > <t> Changes from draft-ietf-tls-rfc4492bis-01 to draft-nir-tls-rfc4492bis-03:<list style="symbols"> > <t> Removed unused curves.</t> > <t> Removed unused point formats (all but uncompressed)</t> > @@ -816,6 +848,26 @@ > <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-curves-11"/> > <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-irtf-cfrg-curves-11.txt"/> > </reference> > + <reference anchor="CFRG-EdDSA"> > + <front> > + <title>EdDSA: Ed25519 and Ed448</title> > + <author initials="S" surname="Josefsson" fullname="Simon Josefsson"></author> > + <author initials="I" surname="Liusvaara" fullname="Ilari Liusvaara"></author> > + <date month="October" day="8" year="2015"/> > + </front> > + <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-eddsa-00"/> > + <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-irtf-cfrg-eddsa-00.txt"/> > + </reference> > + <reference anchor="PKIX-EdDSA"> > + <front> > + <title>Using EdDSA in the Internet X.509 Public Key Infrastructure</title> > + <author initials="S" surname="Josefsson" fullname="Simon Josefsson"></author> > + <author initials="N" surname="Mavrogiannopoulos" fullname="Nikos Mavrogiannopoulos"></author> > + <date month="September" day="23" year="2015"/> > + </front> > + <seriesInfo name="Internet-Draft" value="draft-josefsson-pkix-eddsa-03"/> > + <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-josefsson-pkix-eddsa-03"/> > + </reference> > <reference anchor='RFC2246'> > <front> > <title>The TLS Protocol Version 1.0</title> > -- > 2.6.1 > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Fwd: New Version Notification for draft-iet… Yoav Nir
- Re: [TLS] New Version Notification for draft-ietf… Yoav Nir
- Re: [TLS] Fwd: New Version Notification for draft… Ilari Liusvaara
- Re: [TLS] New Version Notification for draft-ietf… Yoav Nir
- Re: [TLS] New Version Notification for draft-ietf… Yoav Nir
- [TLS] [PATCH RFC4492bis] Add EdDSA signature supp… Ilari Liusvaara
- Re: [TLS] [PATCH RFC4492bis] Add EdDSA signature … Yoav Nir
- Re: [TLS] [PATCH RFC4492bis] Add EdDSA signature … Ilari Liusvaara