IETF Logo Mail Archive

Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad

Eran Messeri <eranm@google.com> Fri, 05 May 2017 09:02 UTC

Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE94912946A for <trans@ietfa.amsl.com>; Fri, 5 May 2017 02:02:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AjfR7Arg8fbP for <trans@ietfa.amsl.com>; Fri, 5 May 2017 02:02:55 -0700 (PDT)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36AD01276AF for <trans@ietf.org>; Fri, 5 May 2017 02:02:55 -0700 (PDT)
Received: by mail-io0-x229.google.com with SMTP id k91so87466ioi.1 for <trans@ietf.org>; Fri, 05 May 2017 02:02:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2YcDs6JE8reQCk3r6mZwRlh4rVxTc4c4EoXRnVVALGo=; b=ZfFdKhM7c0ZVm+563XyDRBCUcSd/1ti/vonK6Es6iJRv/WGfAqzViVWG2wsIqoHAMP QMTEtfzNSJEUol0GSiLILJalo9Fa8cHWp/iapvD2w1ArA76SeOO4OUaBVOEurg3Oa4xQ hu83PVmbnCCPZk3z8VivdUBUA0cEAs96yzhLgeYClGXnfkHh5SJGt5Qsqgb1IFkaStWi yhj43H6b+eK0Let+mz7xOkBDja9BY4/YpuuQ9DSipPti5yEIn1iJylnEVi0szF56NwXz woJctj0v2eHFbMK4KbKsIKUJr5dkI30QpQup7wBsxaslrbuItKdu1RjEQpHugPCN3L5O ni8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2YcDs6JE8reQCk3r6mZwRlh4rVxTc4c4EoXRnVVALGo=; b=XsG3I3fzHhPgv20Vw+4rLx29x05KDuh8FEGd9coEsKxqFnLGNWjaa0C1DZT7bL7HBZ 9ywQsk/h/jXDNM1Fes58y6SBHl4hrLJKRwOufohUzafpBWEkENot5zOXe4OZaFjZBCGe q6hxdHvXZDsL1uj2oBJKXRCyZ3K0EVxw68yBKOO6EL4/1g6nwhEjeibm/agbX4H9urjt OBapuw9oncPDojHHVqC8rSa7oQSxV/wVZwljZXvIbx6bA5HqU/T9kH/A4Ownh86R6iYY M3tu5MPiiWTdZOUZn5E9D3fLaefTmkJlgfnths9t0RrNHcKycNQwrwb1XwB0/Cvea1/V bDew==
X-Gm-Message-State: AODbwcAJnWVwjdgnb4efPSkIoXhL2pIxECeT8ANmHbD9nHy+fvidx5so iyFcS4JSL3frzxc3bRNx5ik2CXsW6G/u
X-Received: by 10.107.128.98 with SMTP id b95mr5819220iod.25.1493974974436; Fri, 05 May 2017 02:02:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.47.41 with HTTP; Fri, 5 May 2017 02:02:23 -0700 (PDT)
In-Reply-To: <CAFewVt5z3sq-Occ1VaHeNeBvt1yyCM_3_nssZSu2f_PBEL4SFQ@mail.gmail.com>
References: <CAFewVt5z3sq-Occ1VaHeNeBvt1yyCM_3_nssZSu2f_PBEL4SFQ@mail.gmail.com>
From: Eran Messeri <eranm@google.com>
Date: Fri, 05 May 2017 10:02:23 +0100
Message-ID: <CALzYgEdtUz2H1Lbpg7jdHHUZn_pQnOpJnhFR0mb=j7fcg21DWA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a113dfdaea7f7a4054ec3276f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/iA9yZDXzqHgUsLaFtLMcRLUtQAI>
Subject: Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2017 09:02:58 -0000

I share the concern, due to the difficulty I've had finding implementations
of this RFC (or any deterministic signature scheme for ECDSA in general).

I'd like to hear the opinion of people who've worked on the Gossip protocol
- as Brian said, the purpose behind deterministic signatures is to make it
difficult to fingerprint individual clients. However, the only gossip
that's taking place right now is STH exchange between monitors, where this
is not a concern,

My proposal for 6962-bis is then to:
* State 6962-bis logs SHOULD use a deterministic signature scheme (making
it optional, but strongly suggested).
* Remove normative references to RFC6979.

Eran



On Thu, May 4, 2017 at 11:21 PM, Brian Smith <brian@briansmith.org> wrote:

> Hi,
>
> Recently I implemented RFC 6979 and also I'm implementing some CT things.
>
> Draft 24 of rfc6962-bis says that the log must use RFC 6979 for ECDSA
> signatures. However, the requirement to use RFC 6979 is problematic
> for several reasons, noted below. I think this group should reconsider
> if the fingerprinting threat that motivated the requirement for
> deterministic signatures is significant enough to overcome these
> problems.
>
> If the requirement for deterministic signatures were removed, all the
> problems below would be resolved. (Additionally the more secure
> RSA-PSS could be mandated instead of the obsolete and less safe PKCS#1
> 1.5.)
>
> If it is still seen as very important to require signatures be
> deterministic, the requirement to to use specifically RFC 6979 should
> be be removed, and replaced with a more general requirement to use
> *some* secure deterministic nonce for ECDSA signatures, without
> mandating RFC 6979 specifically.
>
> Here are the problems I see with mandating the use of RFC 6979:
>
> 1. RFC 6979 deterministic signatures are not and cannot be compliant
> with FIPS and other regulations. This means, in particular, that a log
> cannot use the same CABForum-compliant (HSM) ECDSA implementation that
> it could use to sign certificates.
>
> 2. RFC 6979 is a very inefficient way of generating deterministic
> signatures. Every RFC 6979 signature requires invoking the SHA-256
> compression function 19 to 22 times. The BitCoin core developers
> reported that this takes 10% of total signature generation time. [0]
>
> 3. As RFC 6979 notes, RFC 6979 invalidates the proof of security for
> ECDSA. This is a step backward from recent progress towards provable
> security of internet protocols.
>
> 4. Because of #1, #2, and #3, most crypto libraries and HSM
> implementations would be better off using a different deterministic
> signature scheme (such as a variant of the much more efficient one
> used for Ed25519). And/or they may use a different, non-deterministic,
> solution to the concerns that originally motivated the creation of RFC
> 6979 in the first place, such as the one that Google's BoringSSL [1]
> and Cisco [2] have implemented. If one is going to use a better
> scheme, then maintaining RFC 6979 support too just for this one
> protocol is a large burden.
>
> 5. There is no way to check that the log actually used RFC 6979, or
> any other specific secure deterministic scheme, because part of
> calculating the nonce involves hashing the private key. Thus the
> requirement to use RFC 6979 is unenforceable technically or even by
> policy.
>
> [0] https://crypto.stackexchange.com/a/42551 (I can't find the
> original citation for what the Bitcoin people said.)
> [1] https://boringssl.googlesource.com/boringssl/+/
> 783e0957875ac62b35aa4f8741069e133695a3d4
> [2] https://blogs.cisco.com/security/fips-and-
> deterministic-ecdsa-achieving-robust-security-and-conformance
>
> Cheers,
> Brian
> --
> https://briansmith.org/
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>

v2.23.0 | Report a Bug | By Email