Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad
Tom Ritter <tom@ritter.vg> Mon, 08 May 2017 17:39 UTC
Return-Path: <tom@ritter.vg>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D162A127B31 for <trans@ietfa.amsl.com>; Mon, 8 May 2017 10:39:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.601
X-Spam-Level:
X-Spam-Status: No, score=-0.601 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ritter.vg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MEMv__f7DN7H for <trans@ietfa.amsl.com>; Mon, 8 May 2017 10:39:07 -0700 (PDT)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFC04126FDC for <trans@ietf.org>; Mon, 8 May 2017 10:39:06 -0700 (PDT)
Received: by mail-qt0-x235.google.com with SMTP id t26so40477640qtg.0 for <trans@ietf.org>; Mon, 08 May 2017 10:39:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=v1mwvWA/Xbnp6uHhcikJShLWQ3ikXNxbQO2Bf+19BEw=; b=RIojuXtRGAxlN/q64zZQgqilL9unfCUTnAgpXrYYHpb9UNbdNnHXfSzz+cyv3cc+fT 8ef2svzClfLtnw6tp0ynBTSa48k6H4VeyjfHNguuyoYazhQLrAodB9wj5Ts78QHuEjeM Qf5pRak6RFRfKA5O3s3+af4gxp1xZKsLSL2WM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=v1mwvWA/Xbnp6uHhcikJShLWQ3ikXNxbQO2Bf+19BEw=; b=CE92/YkVLUmkV3bJMOxacnifXAIAu4qMx3OTURnzzB1jJ7gpG3Ze+wkKSfSjKa2hpt PFE/8F7X1Qse1azlqX6tKjn2rT2ng6DRQfVsr/ihDyWPco3OQ0+QJspd5XrpfiHrFaj9 hxMs73h+jMx6VWj9qOckEqi8mwJXbaopljMYakKP4PSJ1b8mXc3SjBG2ih3eL5Ow5DOv hXlaTN8U5sISZ4VQHH0Kg9ZrI5FnMKregP+NjqKluW4fsHmljkzYWmn/0nKKfIYrii/D IeBlmfT3HRKiCv95l6kajGJT8Yv6HK3/78udsaIOA36434Kz8teH2EcPx9dbb9MN7d60 mctA==
X-Gm-Message-State: AN3rC/72X36iN8deLd7iW66Bw13vJ/m3pRMX1YeDskeeD8NeFA3PkOKy y/rekgQj556tz/vlZF0l/kWfksbDqzoAKWOVoA==
X-Received: by 10.237.62.200 with SMTP id o8mr23930201qtf.152.1494265145836; Mon, 08 May 2017 10:39:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.101.148 with HTTP; Mon, 8 May 2017 10:38:45 -0700 (PDT)
In-Reply-To: <CAFewVt5z3sq-Occ1VaHeNeBvt1yyCM_3_nssZSu2f_PBEL4SFQ@mail.gmail.com>
References: <CAFewVt5z3sq-Occ1VaHeNeBvt1yyCM_3_nssZSu2f_PBEL4SFQ@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Mon, 08 May 2017 12:38:45 -0500
Message-ID: <CA+cU71kBmKsxyvsmpuF6UAzP+fict3v62gEq_iKY-O2P07ZRLw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "trans@ietf.org" <trans@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/o1BALNgKscH0wB7Pz9_NLAO6VEA>
Subject: Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 May 2017 17:39:09 -0000
On 4 May 2017 at 17:21, Brian Smith <brian@briansmith.org> wrote: > 3. As RFC 6979 notes, RFC 6979 invalidates the proof of security for > ECDSA. This is a step backward from recent progress towards provable > security of internet protocols. I just want to make sure I understand this point. Skimming the draft I gather this is because the proof of ECDSA relies on k being indistinguishable from the output of a Random Oracle? Deterministic generation of k uses HMAC_DRBG which sure looks like the ROM, but isn't (?) provably so? Assuming I understand - when you implement ECDSA you don't get to use a RO, you use a CSPRNG which also doesn't count as a RO so that probably invalidates the proof. So one assumes the CSPRNG behaves like the ROM, so why don't you just assume HMAC-DRBG behaves like the ROM and your proof is repaired! On 5 May 2017 at 04:02, Eran Messeri <eranm@google.com> wrote: > I'd like to hear the opinion of people who've worked on the Gossip protocol > - as Brian said, the purpose behind deterministic signatures is to make it > difficult to fingerprint individual clients. However, the only gossip that's > taking place right now is STH exchange between monitors, where this is not a > concern, All of Brian's points are strong points. My concern with fingerprinting still stands though. While not Gossip - Google plans to resolve inclusion proofs for SCTs via DNS. The end DNS server for this is their own log mirror - but I believe this is for scaling, not privacy. If a log and server colluded to issue and serve different SCT signatures for the same SCT, there are no great options to detect it: - very complicated logic in the client - auditors performing aggressive fake-client spidering from multiple network vantage points combined with significant refactoring and data storage requirements - the SCT Feedback part of the Gossip draft combined with the auditor changes As far as the concern of this attack goes: without long-term storage of the SCT (such as that in SCT Feedback) - the impact is minimal when it comes to log+webserver-collaboration-for-tracking. But the log is still able to send different SCTs out and can do this without the server participating. With the distribution part outside the log's control it's not as effective, and more turns into a game of "I wonder what happens...". (I think.) Anyway, so I still think there's fingerprinting concerns. But even if we require deterministic signatures - if the log *wants* to be malicious, it can still issue non-deterministic signatures, and there's no way to know, because as I said above - detection is hard. So I think Eran's suggested changes are okay. -tom
- [Trans] The RFC6979 requirement in RFC6962-bis is… Brian Smith
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Brian Smith
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Rob Stradling
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Tom Ritter
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Andrew Ayer
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- [Trans] What logs are storing (was: The RFC6979 r… Linus Nordberg
- Re: [Trans] What logs are storing (was: The RFC69… Andrew Ayer
- Re: [Trans] What logs are storing Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] What logs are storing (was: The RFC69… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Tom Ritter
- Re: [Trans] What logs are storing (was: The RFC69… Al Cutter
- Re: [Trans] What logs are storing (was: The RFC69… Andrew Ayer
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Brian Smith
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Gary Belvin
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Andrew Ayer
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Al Cutter