[Trans] The RFC6979 requirement in RFC6962-bis is bad
Brian Smith <brian@briansmith.org> Thu, 04 May 2017 22:21 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9045C129478 for <trans@ietfa.amsl.com>; Thu, 4 May 2017 15:21:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dGLW2Bro8UQK for <trans@ietfa.amsl.com>; Thu, 4 May 2017 15:21:16 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B6DE129469 for <trans@ietf.org>; Thu, 4 May 2017 15:21:15 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id e65so7579266ita.1 for <trans@ietf.org>; Thu, 04 May 2017 15:21:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=GQB/GSJjXn/FbiI7hEXbQnN6zBZKP5rF8F5U+/Xe7MA=; b=PYYaTg7lRQk9mELg6MpY6Boor3E9pKyN8Ft6aUNfVvzvV9mmX1RH4dSAQD3R5RaGUC ukLDLREMbrpmDR4AAeILevybwNSIsa/zqTw0LIkD3os4WngT6frW9haAtfwBLf2TcuyH MWezqMoiOPMFa/8BxhV5S9ypfoJJRwKMi355k8EnTZIx5nhrmwFrRdvGJa417oRSONU3 ib4hco3Wb1tLrB1jiOVbog7QdTH/hsAu2g+0vXXSqzQblCgmv8qVEgAcDN/l4NLratLe a4kEWpmvh4lEKbX7uBXBHBqH8WYNWjzApZs4SN+pyhdbP6hi1+KbMYeIiJ/d5mG44Y36 1OOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=GQB/GSJjXn/FbiI7hEXbQnN6zBZKP5rF8F5U+/Xe7MA=; b=KyIKn60HsD1IHGEBVNPkRUjqZDpUpBeE0I7FEh6IXSljrbeLkBWsNDLOxi/21ZrEIm QDt5Xs3A/L7O01B/hHQh1fW6STP2qH2sC9441aYviE4shhP18E5wpah3Q5/wt81+wDd4 aGiQEnfgKD4s+uGBb3xeR6r051+Y/frPc7e8TV49Y0I9nQaZVG5RoHVmNgsWP2e3sLbe MYElCdShYS1xLk7KmKG0udkIzL9R9vnH0tg8ji/vgx/zUsTjcPNRYpIHpz6pa/Scaz14 NF1cLh3f5Hkq8DCfsqWFE26mj4QO7HHa+cTqsoBF5Phhsvz/eOjaNtRiK3nyuvpeBY1i MGaQ==
X-Gm-Message-State: AN3rC/4FARIR/zlZRmBq13wf7rnXgLOsdKDJRllx1fZbcPx3WP0HGyeZ up7+MzqHQWFnz1YwdJp60zYjLWW976P6
X-Received: by 10.36.124.85 with SMTP id a82mr4958748itd.90.1493936474817; Thu, 04 May 2017 15:21:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.77.84 with HTTP; Thu, 4 May 2017 15:21:14 -0700 (PDT)
From: Brian Smith <brian@briansmith.org>
Date: Thu, 04 May 2017 12:21:14 -1000
Message-ID: <CAFewVt5z3sq-Occ1VaHeNeBvt1yyCM_3_nssZSu2f_PBEL4SFQ@mail.gmail.com>
To: "trans@ietf.org" <trans@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/-S0iP5xjcjAQP0tNRAEvsOvpFrU>
Subject: [Trans] The RFC6979 requirement in RFC6962-bis is bad
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 22:21:19 -0000
Hi, Recently I implemented RFC 6979 and also I'm implementing some CT things. Draft 24 of rfc6962-bis says that the log must use RFC 6979 for ECDSA signatures. However, the requirement to use RFC 6979 is problematic for several reasons, noted below. I think this group should reconsider if the fingerprinting threat that motivated the requirement for deterministic signatures is significant enough to overcome these problems. If the requirement for deterministic signatures were removed, all the problems below would be resolved. (Additionally the more secure RSA-PSS could be mandated instead of the obsolete and less safe PKCS#1 1.5.) If it is still seen as very important to require signatures be deterministic, the requirement to to use specifically RFC 6979 should be be removed, and replaced with a more general requirement to use *some* secure deterministic nonce for ECDSA signatures, without mandating RFC 6979 specifically. Here are the problems I see with mandating the use of RFC 6979: 1. RFC 6979 deterministic signatures are not and cannot be compliant with FIPS and other regulations. This means, in particular, that a log cannot use the same CABForum-compliant (HSM) ECDSA implementation that it could use to sign certificates. 2. RFC 6979 is a very inefficient way of generating deterministic signatures. Every RFC 6979 signature requires invoking the SHA-256 compression function 19 to 22 times. The BitCoin core developers reported that this takes 10% of total signature generation time. [0] 3. As RFC 6979 notes, RFC 6979 invalidates the proof of security for ECDSA. This is a step backward from recent progress towards provable security of internet protocols. 4. Because of #1, #2, and #3, most crypto libraries and HSM implementations would be better off using a different deterministic signature scheme (such as a variant of the much more efficient one used for Ed25519). And/or they may use a different, non-deterministic, solution to the concerns that originally motivated the creation of RFC 6979 in the first place, such as the one that Google's BoringSSL [1] and Cisco [2] have implemented. If one is going to use a better scheme, then maintaining RFC 6979 support too just for this one protocol is a large burden. 5. There is no way to check that the log actually used RFC 6979, or any other specific secure deterministic scheme, because part of calculating the nonce involves hashing the private key. Thus the requirement to use RFC 6979 is unenforceable technically or even by policy. [0] https://crypto.stackexchange.com/a/42551 (I can't find the original citation for what the Bitcoin people said.) [1] https://boringssl.googlesource.com/boringssl/+/783e0957875ac62b35aa4f8741069e133695a3d4 [2] https://blogs.cisco.com/security/fips-and-deterministic-ecdsa-achieving-robust-security-and-conformance Cheers, Brian -- https://briansmith.org/
- [Trans] The RFC6979 requirement in RFC6962-bis is… Brian Smith
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Brian Smith
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Rob Stradling
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Tom Ritter
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Andrew Ayer
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- [Trans] What logs are storing (was: The RFC6979 r… Linus Nordberg
- Re: [Trans] What logs are storing (was: The RFC69… Andrew Ayer
- Re: [Trans] What logs are storing Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] What logs are storing (was: The RFC69… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Tom Ritter
- Re: [Trans] What logs are storing (was: The RFC69… Al Cutter
- Re: [Trans] What logs are storing (was: The RFC69… Andrew Ayer
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Brian Smith
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Gary Belvin
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Eran Messeri
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Linus Nordberg
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Andrew Ayer
- Re: [Trans] The RFC6979 requirement in RFC6962-bi… Al Cutter