Opened 7 years ago

Closed 6 years ago

#83 closed defect (fixed)

CT should mandate the use of deterministic ECDSA

Reported by: dkg@…
Owned by: melinda.shore@…
Priority: major
Milestone: review
Component: rfc6962-bis
Version:
Severity: -
Keywords:
Cc:

Description

RFC:6979 describes how to do deterministic ECDSA.

Certificate Transparency logs should be required to use this mechanism, for two reasons:

  • Using non-deterministic ECDSA with a predictable source of randomness means that each signature can potentially leak the secret material of the signing key.
  • A log that produces two separate valid STHs with the same timestamp and same data but with different signatures should be considered dubious (though I don't have a concrete attack I can describe for this scenario yet) -- ensuring the use of deterministic ECDSA means that in normal operation, regular logs won't produce this behavior.

Change History (15)

comment:1 Changed 7 years ago by benl@…

I am addressing this. But what about RSA?

comment:3 Changed 7 years ago by eranm@…

  • Resolution set to needs-review
  • Status changed from new to closed

comment:4 Changed 7 years ago by eranm@…

  • Resolution needs-review deleted
  • Status changed from closed to reopened

comment:5 Changed 7 years ago by eranm@…

  • Resolution set to needs-review
  • Status changed from reopened to closed

comment:6 Changed 7 years ago by eranm@…

  • Milestone set to review
  • Resolution needs-review deleted
  • Status changed from closed to reopened

comment:7 Changed 7 years ago by benl@…

Not sure this is ready for closing: the question remains "what about RSA?".

comment:8 Changed 7 years ago by eranm@…

  • Milestone changed from review to milestone1

My bad - that's exactly what I was looking at and don't have an answer yet.
(removing 'review' milestone)

comment:9 Changed 6 years ago by eranm@…

  • Milestone changed from milestone1 to review
  • Owner changed from draft-ietf-trans-rfc6962-bis@… to melinda.shore@…
  • Status changed from reopened to new

About RSA: The v1.5 signature scheme (currently required in -bis) is deterministic. The new one (RSASSA-PSS) is not, see:
https://en.wikipedia.org/wiki/PKCS_1
Seems like this ticket can be closed as fixed.

comment:10 Changed 6 years ago by rob.stradling@…

Should we add some text to the Security Considerations section to explain _why_ we need to use deterministic signature schemes?

If we don't, then in a few years from now somebody might say "Hey, let's upgrade CT to use RSASSA-PSS 'cos it's newer".

comment:11 Changed 6 years ago by melinda.shore@…

Do we have some resolution on this?

comment:12 Changed 6 years ago by eranm@…

Agree with Rob's point - I'll address it today.

comment:14 Changed 6 years ago by dkg@…

The revised draft doesn't mention that this explicitly precludes RSASSA-PSS. Do we want that stated explicitly?

Also, we probably want to add more than one signature over a single timestamp to the list of things that a monitor or auditor should look for as evidence of log malfeasance (though I'm not sure whether this list belongs in 6962-bis or elsewhere).

comment:15 Changed 6 years ago by melinda.shore@…

  • Resolution set to fixed
  • Status changed from new to closed