Re: [TLS] Require deterministic ECDSA

Michael StJohns <msj@nthpermutation.com> Sun, 24 January 2016 01:00 UTC

To: tls@ietf.org
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com> <CAGwT64i5v+0xXLzQYFO5JVKs302x6BgZYN+ffYzMVesgbB9biA@mail.gmail.com> <CACaGApnF7fM2cQdbG9PK7uZaiUkhXiYqKVkzFuk2teD9B5et9w@mail.gmail.com> <m2vb6koxuq.fsf@localhost.localdomain>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <56A42238.50204@nthpermutation.com>
Date: Sat, 23 Jan 2016 20:00:40 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <m2vb6koxuq.fsf@localhost.localdomain>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ZHWKaDTgCS15c-NazIyJ_6GM3dI>
Subject: Re: [TLS] Require deterministic ECDSA

On 1/23/2016 3:16 PM, Geoffrey Keating wrote:
> But if k generation is broken, then that
> leaks the key permanently and you need to get a new one and revoke the
> old one, which may be difficult.

I agree that if RNG generation is broken then it breaks k generation.
But if RNG generation was broken during key generation, you also have a 
problem.

In your arguments, assuming that the RNG was fine for key generation and 
broken for signature generation IMHO only applies to software modules 
(where you have the option of using separate RNGs for different functions).

For HSMs with any reasonable amount of good design, if the RNG is bad, 
the thing just stops working (and there are ALL sorts of tests to ensure 
that).

With respect to a software module, I'd find it easier just to read the 
key bits out of memory than apply most of the other threats that seem to 
be creeping into the argument.

Later, Mike
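Added example, not part of this thread and not code from any of its authors: the deterministic nonce derivation of RFC 6979 that the subject line refers to, implemented for P-256 with SHA-256 and checked against the RFC's own Appendix A.2.5 vector. It makes the point under discussion concrete: k is an HMAC-DRBG output keyed from the private key and the message hash, so no RNG is consulted at signing time, while key generation still depends on one.

```python
import hashlib
import hmac

# P-256 group order; RFC 6979 Appendix A.2.5 uses this curve for its vectors.
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
QLEN = Q.bit_length()          # 256
RLEN = (QLEN + 7) // 8         # 32 bytes

def bits2int(b: bytes) -> int:
    # RFC 6979 2.3.2: the leftmost QLEN bits of the string, as an integer.
    v = int.from_bytes(b, "big")
    excess = len(b) * 8 - QLEN
    return v >> excess if excess > 0 else v

def int2octets(x: int) -> bytes:
    # RFC 6979 2.3.3: fixed-width big-endian encoding of an integer below q.
    return x.to_bytes(RLEN, "big")

def bits2octets(b: bytes) -> bytes:
    # RFC 6979 2.3.4: bits2int, subtract q once if needed, then encode.
    z1 = bits2int(b)
    z2 = z1 - Q if z1 >= Q else z1
    return int2octets(z2)

def rfc6979_nonce(priv: int, msg: bytes, hashfn=hashlib.sha256) -> int:
    # HMAC-DRBG of RFC 6979 3.2, seeded from the private key and H(msg) only.
    h1 = hashfn(msg).digest()
    hlen = len(h1)
    seed = int2octets(priv) + bits2octets(h1)
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + seed, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    while True:
        T = b""
        while len(T) * 8 < QLEN:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < Q:            # reject out-of-range candidates and retry
            return k
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()

# Private key and expected k from RFC 6979 Appendix A.2.5 (SHA-256, message "sample").
RFC6979_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
RFC6979_K_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60

if __name__ == "__main__":
    k = rfc6979_nonce(RFC6979_X, b"sample")
    print(hex(k), k == RFC6979_K_SAMPLE)
```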