Re: [TLS] Updated EdDSA/Ed25519 PKIX document

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Thu, 24 September 2015 15:26 UTC

Date: Thu, 24 Sep 2015 18:26:28 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Message-ID: <20150924152628.GA11747@LK-Perkele-VII>
References: <878u7xtu06.fsf@latte.josefsson.org> <20150924122747.GA10461@LK-Perkele-VII> <1443103408.20825.20.camel@redhat.com>
In-Reply-To: <1443103408.20825.20.camel@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vXQt4CO0_-n2wnfA5lydK4rTznY>
Cc: Simon Josefsson <simon@josefsson.org>, tls@ietf.org
Subject: Re: [TLS] Updated EdDSA/Ed25519 PKIX document

On Thu, Sep 24, 2015 at 04:03:28PM +0200, Nikos Mavrogiannopoulos wrote:
> On Thu, 2015-09-24 at 15:27 +0300, Ilari Liusvaara wrote:
> 
> > 4) For TLS PoP signatures, does it make sense to use HashEdDSA at
> > all?
> > Another way would be to always use PureEdDSA and perform hash separation
> > from the TLS side (e.g. sign(privkey, hash_func_id|H(tbs_data))).
> > The certificate signatures are a different matter, though, since CAs use
> > HSMs for signing (those HSMs tend to be rather beefy, but still).
> 
> The problem with PureEdDSA is that if you use a smart card or an
> HSM (both common for TLS), you have to transfer lots of data to them,
> something that may render it not really useful.

Well, hash_func_id|H(tbs_data) is 33-65 bytes for most nontrivial
hashes.

In the TLS 1.3 Editor's copy, tbs_data itself is <150 bytes (there
will be changes to merge the certificate and its verify, which will
presumably enlarge that a bit, but still maybe <200 bytes).

I presume if TLS PoP can use HashEdDSA keys, then the TLS
HashAlgorithm MUST equal HashEdDSA prehash (and with current proposed
kinds, that would always be 6 => SHA-512).

> Also, PureEdDSA in most implementations requires a new API for
> signing.

Oh yes, the old bad PKCS#11 signature API that assumes an online signing
model... Never mind that most of the time verification is offline (TLS is
actually one of the few exceptions).


-Ilari
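The construction discussed above, sign(privkey, hash_func_id|H(tbs_data)) with PureEdDSA, as an added worked example that is not part of the original thread or of any draft or library it mentions. It carries a minimal, non-constant-time Ed25519 (RFC 8032) in pure Python so that it runs offline, then layers the TLS-side hash separation on top: `hsm_token` builds the 33- to 65-byte value that would be the only thing crossing to a smart card or HSM, and `tls_sign`/`tls_verify` are hypothetical names for the two ends of the exchange. The hash identifiers 4, 5 and 6 are the TLS 1.2 HashAlgorithm values for SHA-256, SHA-384 and SHA-512 (the mail's "6 => SHA-512"); the seed and tbs_data in the usage are constructed.

```python
import hashlib

# Minimal Ed25519 (RFC 8032) for illustration only: pure Python, not constant-time.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # group order
D = (-121665 * pow(121666, P - 2, P)) % P              # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                      # sqrt(-1) mod P

def _inv(x):
    return pow(x, P - 2, P)

def _recover_x(y, sign):
    """Solve x^2 = (y^2 - 1)/(d*y^2 + 1) and pick the root with the requested parity."""
    x2 = (y * y - 1) * _inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        raise ValueError("not a point on the curve")
    return P - x if (x & 1) != sign else x

# Points in extended coordinates (X, Y, Z, T): x = X/Z, y = Y/Z, T = XY/Z.
BY = 4 * _inv(5) % P
BX = _recover_x(BY, 0)
B = (BX, BY, 1, BX * BY % P)  # base point
IDENTITY = (0, 1, 1, 0)

def _add(p1, p2):
    x1, y1, z1, t1 = p1
    x2, y2, z2, t2 = p2
    a = (y1 - x1) * (y2 - x2) % P
    b = (y1 + x1) * (y2 + x2) % P
    c = 2 * t1 * t2 * D % P
    dd = 2 * z1 * z2 % P
    e, f, g, h = b - a, dd - c, dd + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def _mul(k, pt):
    acc = IDENTITY
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _encode(pt):
    x, y, z, _ = pt
    zi = _inv(z)
    x, y = x * zi % P, y * zi % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def _decode(b):
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P:
        raise ValueError("y out of range")
    x = _recover_x(y, sign)
    return (x, y, 1, x * y % P)

def _expand(sk):
    h = hashlib.sha512(sk).digest()
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]  # clamp per RFC 8032

def public_key(sk):
    return _encode(_mul(_expand(sk)[0], B))

def sign(sk, msg):
    """PureEdDSA: the whole message is hashed twice inside the signing device."""
    a, prefix = _expand(sk)
    pk = _encode(_mul(a, B))
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L
    rb = _encode(_mul(r, B))
    k = int.from_bytes(hashlib.sha512(rb + pk + msg).digest(), "little") % L
    return rb + ((r + k * a) % L).to_bytes(32, "little")

def verify(pk, msg, sig):
    if len(sig) != 64 or int.from_bytes(sig[32:], "little") >= L:
        return False
    try:
        r_pt, a_pt = _decode(sig[:32]), _decode(pk)
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    return _encode(_mul(s, B)) == _encode(_add(r_pt, _mul(k, a_pt)))  # s*B == R + k*A

# TLS-side hash separation from the mail: sign(privkey, hash_func_id | H(tbs_data)).
TLS_HASH = {4: hashlib.sha256, 5: hashlib.sha384, 6: hashlib.sha512}  # TLS 1.2 HashAlgorithm ids

def hsm_token(hash_id, tbs_data):
    """The only bytes that need to cross to the smart card/HSM: 1 + digest length (33..65)."""
    return bytes([hash_id]) + TLS_HASH[hash_id](tbs_data).digest()

def tls_sign(sk, hash_id, tbs_data):  # hypothetical name: the signing end
    return sign(sk, hsm_token(hash_id, tbs_data))

def tls_verify(pk, hash_id, tbs_data, sig):  # hypothetical name: the verifying end
    return verify(pk, hsm_token(hash_id, tbs_data), sig)

if __name__ == "__main__":
    sk = bytes(range(32))  # constructed seed, never use a fixed seed in practice
    tbs = b"constructed CertificateVerify content " * 4  # constructed tbs_data
    sig = tls_sign(sk, 6, tbs)
    print(len(tbs), "bytes of tbs_data;", len(hsm_token(6, tbs)), "bytes sent to the signer")
    print(tls_verify(public_key(sk), 6, tbs, sig))
```

Because the hash identifier is bound into the signed bytes, a verifier that expects SHA-512 (id 6) rejects a signature produced over a SHA-256 token for the same tbs_data, which is the separation the mail is after; the device itself still performs plain PureEdDSA over a fixed-size input.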