IETF Logo Mail Archive

Re: [TLS] Require deterministic ECDSA

Yoav Nir <ynir.ietf@gmail.com> Sun, 24 January 2016 10:13 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF281B2D65 for <tls@ietfa.amsl.com>; Sun, 24 Jan 2016 02:13:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id naaZIC1umDKr for <tls@ietfa.amsl.com>; Sun, 24 Jan 2016 02:13:01 -0800 (PST)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68A241B2D67 for <tls@ietf.org>; Sun, 24 Jan 2016 02:13:01 -0800 (PST)
Received: by mail-wm0-x22f.google.com with SMTP id b14so39697597wmb.1 for <tls@ietf.org>; Sun, 24 Jan 2016 02:13:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=wY0N5vZsh/dEqFbvOFL1f/QsUVXQ5vY+tz03NjJJX60=; b=xXJ+gAaszWztk4zV096At+sVDjT+B6aGUAdsTy2IfUSnCmBdHbQPLQKe/tvWx5Gjah eANu7SC7ByeztVtUSlb6xKAOSDY8XBOGQKzvsEO+OoHYfRV5OUM0+bHBaTtFgzqu/wru Brv3vu/3rNmm09dZqITNHAmFQgOmsRKHBm6CziQWU6UIT1J159CnZSuH6DLrVyZlXsWf qR/LlKZo7TxYu4fxecpqWv0o/e4Vplgvhhrs47u/db2aefRZkrCkNiVomKByon6v+ZHA WshGvQkqHGERpXq1lzXwuQ1Ab1H7qQN9RmvnouyxQWQmb3GYx87zV6Vt0Cqb3Ras/Er4 q4Eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=wY0N5vZsh/dEqFbvOFL1f/QsUVXQ5vY+tz03NjJJX60=; b=SLagHKQqSqYt9dtC93USM2KaN/CbzlaTe/rGtx02f6Syj8UKNFra7idh2OR+5dEsE3 LLyLe+kUSH6HnDZvH/fr5efAu8kVUJM9vB7Lvq6zr6/DyCQsuZVC3czfqLxUAjioxCtU oJ/3abaYdnX/+fGukf33Z85KvRWBidsJ9BOrYdobdZRPv2h3Di1clauBsaxjUKQw10Sy pzSia07RDfrhcK5v5eY4slIUTHi9hneXEZfuAD5ifllCqiYftARu2yTKIkvL6kyDmnDZ UG0aohX0Z+51OQ/lwVNKLjAno7DXiQbdZlTOgrL7vmmY7t2HkYcsEtCPAYtbzSfIKu/q apKQ==
X-Gm-Message-State: AG10YOSkm8HPU6wzb4ToGXn6x5x7m7SVoOHKm1YKx3H+EuEYwYIn8MVhd1DDPoHpSbV2aQ==
X-Received: by 10.194.111.232 with SMTP id il8mr13717339wjb.150.1453630379948; Sun, 24 Jan 2016 02:12:59 -0800 (PST)
Received: from [172.24.248.122] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id r4sm13908717wjy.39.2016.01.24.02.12.58 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 24 Jan 2016 02:12:59 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <56A42097.5010802@nthpermutation.com>
Date: Sun, 24 Jan 2016 12:12:57 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <F819D2BB-53B0-4DD9-AAE4-856AAEDD0A8A@gmail.com>
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com> <CAGwT64i5v+0xXLzQYFO5JVKs302x6BgZYN+ffYzMVesgbB9biA@mail.gmail.com> <CACaGApnF7fM2cQdbG9PK7uZaiUkhXiYqKVkzFuk2teD9B5et9w@mail.gmail.com> <07742742-5517-4A94-9462-E41F4C3EB6FD@gmail.com> <56A42097.5010802@nthpermutation.com>
To: Michael StJohns <msj@nthpermutation.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ae7sbojwSpDQj4L93_4kHOT73Ks>
Cc: tls@ietf.org
Subject: Re: [TLS] Require deterministic ECDSA
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jan 2016 10:13:03 -0000

Hi, Mike

> On 24 Jan 2016, at 2:53 AM, Michael StJohns <msj@nthpermutation.com> wrote:
> 
> On 1/23/2016 7:17 PM, Yoav Nir wrote:
>> Also if the signatures are done in a separate hardware module, that module is even less likely to have a good random source.
>> 
>> And if we make it rely on external input for the random, that’s a good way of getting it to reveal information about the private key, whereas keeping the private key secret forever was the whole point of using a hardware module.
>> 
>> So that’s another argument in favor of deterministic signatures.
>> 
>> Yoav
> 
> I tried to parse the above into meaningful A implies B logic and failed.
> 
> If you have an HSM, the key that's generating the signature tends to be generated inside the HSM.  If your HSM has a bad RNG, then the key generation is going to be a problem well before the signature generation RNG problem kicks in.   And to clarify, a key generated inside an HSM tends to use that HSM's signature mechanism, not something in a separate module.
> 
> I don't think your argument holds.
> 
> "If we make it rely on external input for the random"???   Isn't that exactly what the RFC uses in the form of the hashed message?

Yeah, it was way past midnight when I wrote that. Only so much coherence in those hours.

The HSM has enough entropy to generate (once) a 256-bit (or 384-bit or 521-bit) key. When working as part of a TLS server using regular ECDSA it would need to generate a random k for each full handshake, and many such servers routinely handle tens of thousands of such handshakes per second. So it’s hundreds of kilobytes per second, for an HSM that has no network input, no I/O of any kind other than the signature requests, this may be a problem. I’ve seen people claim this in the past.

That last sentence there. If we’re using regular ECDSA, the HSM can either generate its own k or receive a k from the caller. For our software’s FIPS certification we had to support both modes to be able to produce a predictable ECDSA. I don’t know, but I imagine hardware would be required to support this as well. If you run the HSM in production with the external random input, you’re making it possible for an attacker who has compromised the system to discover the key bits by repeatedly calling the HSM with same k’s for different inputs. This is negated by using deterministic ECDSA where the k is a function of the input.

Yoav

v2.23.0 | Report a Bug | By Email