Re: [TLS] Strawman on EdDSA/Ed25519 in TLS
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 30 May 2015 06:43 UTC
Date: Sat, 30 May 2015 09:43:03 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Simon Josefsson <simon@josefsson.org>
Message-ID: <20150530064303.GA20551@LK-Perkele-VII>
References: <1432142087.2946.11.camel@josefsson.org> <20150520203011.GA25549@LK-Perkele-VII> <87pp5jw0g0.fsf@latte.josefsson.org>
In-Reply-To: <87pp5jw0g0.fsf@latte.josefsson.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ZBxpY0XJOowIXMm--nv4wZB8kO8>
Cc: tls@ietf.org
On Fri, May 29, 2015 at 11:14:39PM +0200, Simon Josefsson wrote:
> Ilari Liusvaara <ilari.liusvaara@elisanet.fi> writes:
>
> > On Wed, May 20, 2015 at 07:14:47PM +0200, Simon Josefsson wrote:
> >>
> >
> > More ciphersuites? The signature algorithm negotiation (extension 13)
> > doesn't work in practice?
>
> Yoav suggested reusing the ECDSA ciphersuites with (I assume) a new
> extension 13 value for eddsa.

Actually, looking at TLS specs, one needs the codepoint usable with
extension 13 anyway for TLS 1.2 (and 1.3-editorscopy). (This won't
work with 1.0/1.1, but who really cares).

Then there is the hash algorithm field. There are basically three
choices here:

1) Don't use it for anything. Internal hash is fixed to SHA-512, no
   pre-hashing is performed.

2) Hash algorithm field determines pre-hash. Internal hash is fixed
   to SHA-512.

3) Hash algorithm field determines internal hash, no pre-hashing.

With 3), the hash algorithm pretty much has to have 512-bit output.

While pre-hashing is not a great idea for TLS 1.2 server certificate
and TLS 1.3 server/client certificate, it could be useful for TLS 1.2
client certificate, since that covers data from a number of flights.

> > Reading the PKIX specs, it seems like there are two ways:
> >
> > 1) Use algorithm "Unrestricted" and use a new point format to
> >    denote LE edwards points.
> >
> > 2) Define new algorithm (OID) for EdDSA, put the curve OID
> >    as parameter and the LE edwards point as the key.
>
> I prefer 2). Given that EdDSA is not applicable to arbitrary curves,
> you might want to allocate a new algorithm OID for Ed25519 directly with
> no parameters. This will reduce complexity a bit. (Nit: s/EdDSA/Ed25519/)

Yeah, agreed.

Also, new algorithm lets one define what is in the BIT STRING field
containing the key data.

I actually read PKIX again, and noticed something I did not notice
before: There actually are two kinds of OIDs relevant to a new
signature algorithm:

1) What OID(s) are allowed as key algorithms for that signature
   algorithm. This also sets the format of keys (and what parameters,
   if any, there are). E.g. ECDSA uses unrestricted EC point, which
   specifies the standard SEC1 encoding, and curve OID as a parameter.

2) What OID the actual signature algorithm, when combined with hash
   algorithm, uses. This sets the parameters given, if any, and the
   signature format. E.g. ECDSA uses multiple OIDs, one for each
   allowed hash function (e.g. one for ECDSA/SHA-256, another for
   ECDSA/SHA-384 and another for ECDSA/SHA-512).

Given that Ed25519 fixes the hash, it would technically (in the sense
that the protocol works) work to use the same OID for both, but I have
no idea how existing PKIX software handles that sort of thing.

Also, given that EdDSA public keys are only usable with one single hash
algorithm (since hash algorithm is part of public key derivation), it
would make sense to limit the keys to just a single hash. So there would
be Ed25519 key type and Ed25519 signature algorithm. As said, I have no
idea if these two can be the same OID (these always appear in different
contexts) or not.

-Ilari
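Editor's note: the two PKIX OID contexts the message distinguishes (the key algorithm in a SubjectPublicKeyInfo, which fixes the key encoding and any parameters, versus the per-hash signature algorithm identifier) are easiest to see in the DER. The example below is added here and is not part of this message or the thread; it encodes and strictly parses both kinds of AlgorithmIdentifier with only the Python standard library. It assumes the id-Ed25519 OID 1.3.101.112, which RFC 8410 later assigned and uses for both the key and the signature algorithm with parameters absent, and the ECDSA OIDs from RFC 5480 and RFC 5758 (id-ecPublicKey with a namedCurve parameter, ecdsa-with-SHA256 as one hash-specific signature OID). The 32-byte public key is a constructed sample, not a real key, and every function name is the editor's own.

```python
"""Added example: DER encoding/strict decoding of AlgorithmIdentifier and
Ed25519 SubjectPublicKeyInfo, showing key-algorithm vs. signature-algorithm OIDs.
Standard library only. Not code from the thread or any project."""

ID_ED25519 = "1.3.101.112"                     # id-Ed25519 (RFC 8410): key and signature OID
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"         # id-ecPublicKey (RFC 5480): key algorithm
ID_SECP256R1 = "1.2.840.10045.3.1.7"           # namedCurve parameter for id-ecPublicKey
ID_ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"   # ecdsa-with-SHA256 (RFC 5758): per-hash signature OID

SAMPLE_PUBKEY = bytes(range(32))  # constructed sample value, NOT a real Ed25519 key


def _der_len(n):
    """DER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))  # continuation bit on all but the last
            arc >>= 7
        out.extend(reversed(chunks))
    return der_tlv(0x06, bytes(out))


def encode_algorithm_identifier(oid, params=None):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    return der_tlv(0x30, encode_oid(oid) + (params or b""))


def encode_ed25519_spki(pubkey):
    """SubjectPublicKeyInfo with absent parameters and the raw 32-byte LE point in the BIT STRING."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return der_tlv(0x30, encode_algorithm_identifier(ID_ED25519) + der_tlv(0x03, b"\x00" + pubkey))


def _read_tlv(buf):
    """Return (tag, body, rest) for the first DER element; definite lengths only."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, off = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(buf) < 2 + n:
            raise ValueError("bad DER length")
        length, off = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    if len(buf) < off + length:
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], buf[off + length:]


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _decode_alg_body(body):
    tag, oid_body, params = _read_tlv(body)
    if tag != 0x06:
        raise ValueError("expected OID inside AlgorithmIdentifier")
    return decode_oid(oid_body), (params or None)   # params is the raw DER of the parameters


def decode_algorithm_identifier(der):
    tag, body, rest = _read_tlv(der)
    if tag != 0x30 or rest:
        raise ValueError("expected a single AlgorithmIdentifier SEQUENCE")
    return _decode_alg_body(body)


def decode_ed25519_spki(der):
    """Strict: rejects a foreign key OID, present parameters, unused bits or a wrong key length."""
    tag, body, rest = _read_tlv(der)
    if tag != 0x30 or rest:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    tag, alg, bitstr = _read_tlv(body)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier")
    oid, params = _decode_alg_body(alg)
    if oid != ID_ED25519:
        raise ValueError("not an Ed25519 key algorithm: " + oid)
    if params is not None:
        raise ValueError("Ed25519 AlgorithmIdentifier must have absent parameters")
    tag, key, rest = _read_tlv(bitstr)
    if tag != 0x03 or rest or key[:1] != b"\x00" or len(key) != 33:
        raise ValueError("expected BIT STRING holding 32 key bytes with 0 unused bits")
    return key[1:]


def is_ed25519_spki(der):
    try:
        decode_ed25519_spki(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("Ed25519 SPKI:", encode_ed25519_spki(SAMPLE_PUBKEY).hex())
    print("ECDSA key alg:", decode_algorithm_identifier(
        encode_algorithm_identifier(ID_EC_PUBLIC_KEY, encode_oid(ID_SECP256R1))))
    print("ecdsa-with-SHA256:", encode_oid(ID_ECDSA_WITH_SHA256).hex())
```

The contrast is in the parsers: for ECDSA the key algorithm carries a curve OID as parameters and the hash choice lives in a separate signature OID, while for Ed25519 a single parameterless OID pins both the key encoding and the hash, so the strict parser can reject any SPKI that smuggles in parameters or a different point format.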