[TLS] New curves work and TLS
Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 15 October 2015 13:09 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71E651B3194 for <tls@ietfa.amsl.com>; Thu, 15 Oct 2015 06:09:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fd4m6Tm39evf for <tls@ietfa.amsl.com>; Thu, 15 Oct 2015 06:09:42 -0700 (PDT)
Received: from filtteri2.pp.htv.fi (filtteri2.pp.htv.fi [213.243.153.185]) by ietfa.amsl.com (Postfix) with ESMTP id 20C031B3193 for <tls@ietf.org>; Thu, 15 Oct 2015 06:09:42 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by filtteri2.pp.htv.fi (Postfix) with ESMTP id D838E19C651 for <tls@ietf.org>; Thu, 15 Oct 2015 16:09:40 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp4.welho.com ([213.243.153.38]) by localhost (filtteri2.pp.htv.fi [213.243.153.185]) (amavisd-new, port 10024) with ESMTP id ZIVNhTHztZRa for <tls@ietf.org>; Thu, 15 Oct 2015 16:09:40 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp4.welho.com (Postfix) with ESMTPSA id AF2A15BC015 for <tls@ietf.org>; Thu, 15 Oct 2015 16:09:40 +0300 (EEST)
Date: Thu, 15 Oct 2015 16:09:39 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <20151015130939.GA19330@LK-Perkele-V2.elisa-laajakaista.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/el8iTgddc4Toje-epuryp5pQ80k>
Subject: [TLS] New curves work and TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2015 13:09:44 -0000
As you might know, CFRG has been working on new curves (the document has been sent to IRSG) and is working on signatures (main issues seem to be selecting prehash for prehashed version of 448-bit signatures and KDF for 448-bit signatures). I have been thinking how to integrate this work into TLS. Diffie-Hellman: --------------- There is already a WG draft about this. The one remaining technical issue seems to be wheither to share the curves with signatures or dedicate those for DH. I propose dedicating the codepoints (like draft currently does). The complexity of implementing signatures is significantly above complexity of implementing ECDH. This is magnified by the differences between the signature primitive (one is based on SHA-512, the other on some still-TBD KDF). It is not like there is imminent shortage of curve codepoint space, as we have >64,000 codepoints free. There's also editorial issue of tracking the renaming of the DHFs in CFRG-CURVES (Curve25519->X25519 and similarly for Curve448). Signatures: ----------- The base algorithm for signatures work is EdDSA. It looks like Ed25519 is standardized as-is (at least compatible enough for existing verifiers to be used). Then there is version that first does SHA-512. For 448-bit versions, the KDF and prehash to be done first (for version that does prehashing) is TBD. So, there are four primitives: Ed25519, Ed25519ph, Ed448 and Ed448ph. And keys MUST NOT be mixed between those. I propose the following: - EdDSA uses one SignatureAlgorithm value (5?[1]). - There will be new curves for EdDSA, one for Ed25519/Ed25519ph and another for Ed448/Ed448ph - If there is ever EdDSA instantiation with Edwards448 curve (the same one Ed448 uses) with another KDF, it gets a new curve distinct from Ed448/Ed448ph. - The HashAlgorithm is always 0, or the HashAlgorithm is always 0 or value matching the prehash (but the prehash is always done once[2]). [TBD: resolve this] - To be useful, one needs PKIX SPKI representation for the keys. There is a draft about that, to be progressed via other channels (Security area presumably, as PKIX WG is no more). [1] TLS 1.3 introduces one new value for RSA-PSS (which is IIRC marked as 4 in the spec). [2] Technically Ed25519 and Ed448 do have prehash function PH, it just is the identity function. -Ilari
- [TLS] New curves work and TLS Ilari Liusvaara
- Re: [TLS] New curves work and TLS Dave Garrett
- Re: [TLS] New curves work and TLS Eric Rescorla
- Re: [TLS] New curves work and TLS Ilari Liusvaara
- Re: [TLS] New curves work and TLS Sean Turner
- Re: [TLS] New curves work and TLS Ilari Liusvaara