Re: [TLS] Require deterministic ECDSA
Michael StJohns <msj@nthpermutation.com> Sun, 24 January 2016 01:00 UTC
To: tls@ietf.org
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com> <CAGwT64i5v+0xXLzQYFO5JVKs302x6BgZYN+ffYzMVesgbB9biA@mail.gmail.com> <CACaGApnF7fM2cQdbG9PK7uZaiUkhXiYqKVkzFuk2teD9B5et9w@mail.gmail.com> <m2vb6koxuq.fsf@localhost.localdomain>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <56A42238.50204@nthpermutation.com>
Date: Sat, 23 Jan 2016 20:00:40 -0500
In-Reply-To: <m2vb6koxuq.fsf@localhost.localdomain>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ZHWKaDTgCS15c-NazIyJ_6GM3dI>
On 1/23/2016 3:16 PM, Geoffrey Keating wrote:
> But if k generation is broken, then that
> leaks the key permanently and you need to get a new one and revoke the
> old one, which may be difficult.

I agree that if RNG generation is broken then it breaks k generation. But if RNG generation was broken during key generation, you also have a problem.

In your arguments, assuming that the RNG was fine for key generation and broken for signature generation IMHO only applies to software modules (where you have the option of using separate RNGs for different functions). For HSMs with any reasonable amount of good design, if the RNG is bad, the thing just stops working (and there are ALL sorts of tests to ensure that).

With respect to a software module, I'd find it easier just to read the key bits out of memory than apply most of the other threats that seem to be creeping into the argument.

Later, Mike
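As an added worked example (not part of this thread, and not the code of any implementation discussed in it), the following pure-Python RFC 6979 nonce derivation for ECDSA over P-256 shows what "k generation" depends on once the signing path no longer consults an RNG: k is the output of an HMAC-SHA256 DRBG seeded only with the private key and the message hash, so the same key and message always produce the same signature, and a faulty RNG at signing time cannot influence k. The curve constants are the published P-256 parameters; the private key, public key x-coordinate and expected nonce are the RFC 6979 Appendix A.2.5 test vector (P-256, SHA-256, message "sample"). Function names are my own, and the point arithmetic is a textbook affine implementation that is not constant-time.

```python
import hashlib
import hmac

# NIST P-256 domain parameters (published curve constants, copied here for the example).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # group order
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
QLEN = 256  # bit length of Q; equals the SHA-256 output length, so no truncation occurs

def point_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not side-channel hardened)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def bits2int(b):
    """RFC 6979 section 2.3.2: the leftmost QLEN bits of b, read as an integer."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - QLEN) if blen > QLEN else v

def int2octets(x):
    """RFC 6979 section 2.3.3: fixed-width big-endian encoding of x."""
    return x.to_bytes(QLEN // 8, "big")

def rfc6979_nonce(priv, msg_hash):
    """RFC 6979 section 3.2: derive k from the private key and H(m) alone; no RNG is read."""
    mac = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    h1 = int2octets(bits2int(msg_hash) % Q)  # bits2octets(H(m))
    v = b"\x01" * 32
    k = b"\x00" * 32
    k = mac(k, v + b"\x00" + int2octets(priv) + h1)
    v = mac(k, v)
    k = mac(k, v + b"\x01" + int2octets(priv) + h1)
    v = mac(k, v)
    while True:
        t = b""
        while len(t) * 8 < QLEN:
            v = mac(k, v)
            t += v
        candidate = bits2int(t)
        if 1 <= candidate < Q:
            return candidate
        # Candidate out of [1, Q-1] (probability about 2^-32 for P-256): step the DRBG and retry.
        k = mac(k, v + b"\x00")
        v = mac(k, v)

def nonce_for_message(priv, msg):
    """Convenience wrapper: hash the message with SHA-256, then derive k."""
    return rfc6979_nonce(priv, hashlib.sha256(msg).digest())

def ecdsa_sign(priv, msg):
    """Deterministic ECDSA over P-256 with SHA-256; returns (r, s)."""
    h = hashlib.sha256(msg).digest()
    e = bits2int(h) % Q
    k = rfc6979_nonce(priv, h)
    r = point_mul(k, G)[0] % Q
    s = pow(k, -1, Q) * (e + r * priv) % Q
    assert r != 0 and s != 0  # negligible probability; RFC 6979 re-derives k in that case
    return r, s

def ecdsa_verify(pub, msg, sig):
    """Standard ECDSA verification; identical for randomized and deterministic signatures."""
    r, s = sig
    if not (1 <= r < Q and 1 <= s < Q):
        return False
    e = bits2int(hashlib.sha256(msg).digest()) % Q
    w = pow(s, -1, Q)
    pt = point_add(point_mul(e * w % Q, G), point_mul(r * w % Q, pub))
    return pt is not None and pt[0] % Q == r

# Key pair and expected nonce from RFC 6979 Appendix A.2.5 (P-256, SHA-256, message "sample").
RFC6979_PRIV = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
RFC6979_PUB_X = 0x60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6
RFC6979_K_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60
```

Signing `b"sample"` twice with `RFC6979_PRIV` yields the same `(r, s)` both times, while `b"test"` yields a different nonce and signature, and `ecdsa_verify` accepts both; nothing in the derivation reads an RNG. What this does not change is the point made above: `RFC6979_PRIV` itself still has to come from a sound RNG, and a private key generated while the RNG was broken is weak no matter how k is chosen afterwards.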