2013-12-20 16:37:05 +00:00
|
|
|
>>> Flow 1 (client to server)
|
2016-10-11 18:08:57 +01:00
|
|
|
00000000 16 03 01 00 a7 01 00 00 a3 03 03 c6 e0 ed 21 7c |..............!||
|
|
|
|
00000010 09 45 6b 15 e9 26 d1 1c 39 d8 e7 b9 45 4f 35 0d |.Ek..&..9...EO5.|
|
|
|
|
00000020 b5 7f 57 0b e0 2d 9b 32 a0 85 f8 00 00 38 c0 2c |..W..-.2.....8.,|
|
|
|
|
00000030 c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 9e |.0.........+./..|
|
|
|
|
00000040 c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 14 |.$.(.k.#.'.g....|
|
|
|
|
00000050 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 3c |.9.....3.....=.<|
|
|
|
|
00000060 00 35 00 2f 00 ff 01 00 00 42 00 0b 00 04 03 00 |.5./.....B......|
|
|
|
|
00000070 01 02 00 0a 00 0a 00 08 00 1d 00 17 00 19 00 18 |................|
|
|
|
|
00000080 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 |... ............|
|
|
|
|
00000090 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 |................|
|
|
|
|
000000a0 02 02 02 03 00 16 00 00 00 17 00 00 |............|
|
2013-12-20 16:37:05 +00:00
|
|
|
>>> Flow 2 (server to client)
|
crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.
Fixes #9452
--
This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:
- csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
- reader = AES-256-CTR(k=csprng_key)
This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.
ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:
*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.
*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.
--
Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.
--
[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"
[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"
[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"
[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"
[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"
New tests:
TestNonceSafety: Check that signatures are safe even with a
broken entropy source.
TestINDCCA: Check that signatures remain non-deterministic
with a functional entropy source.
Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.
Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-27 07:00:21 +00:00
|
|
|
00000000 16 03 03 00 31 02 00 00 2d 03 03 00 00 00 00 00 |....1...-.......|
|
2013-12-20 16:37:05 +00:00
|
|
|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
|
crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.
Fixes #9452
--
This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:
- csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
- reader = AES-256-CTR(k=csprng_key)
This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.
ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:
*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.
*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.
--
Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.
--
[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"
[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"
[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"
[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"
[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"
New tests:
TestNonceSafety: Check that signatures are safe even with a
broken entropy source.
TestINDCCA: Check that signatures remain non-deterministic
with a functional entropy source.
Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.
Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-27 07:00:21 +00:00
|
|
|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 c0 14 00 00 |................|
|
2016-08-17 23:55:15 +01:00
|
|
|
00000030 05 ff 01 00 01 00 16 03 03 02 59 0b 00 02 55 00 |..........Y...U.|
|
|
|
|
00000040 02 52 00 02 4f 30 82 02 4b 30 82 01 b4 a0 03 02 |.R..O0..K0......|
|
|
|
|
00000050 01 02 02 09 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 |........?.[..0..|
|
|
|
|
00000060 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 1f 31 0b |.*.H........0.1.|
|
|
|
|
00000070 30 09 06 03 55 04 0a 13 02 47 6f 31 10 30 0e 06 |0...U....Go1.0..|
|
|
|
|
00000080 03 55 04 03 13 07 47 6f 20 52 6f 6f 74 30 1e 17 |.U....Go Root0..|
|
|
|
|
00000090 0d 31 36 30 31 30 31 30 30 30 30 30 30 5a 17 0d |.160101000000Z..|
|
|
|
|
000000a0 32 35 30 31 30 31 30 30 30 30 30 30 5a 30 1a 31 |250101000000Z0.1|
|
|
|
|
000000b0 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 0b 30 09 |.0...U....Go1.0.|
|
|
|
|
000000c0 06 03 55 04 03 13 02 47 6f 30 81 9f 30 0d 06 09 |..U....Go0..0...|
|
|
|
|
000000d0 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 |*.H............0|
|
|
|
|
000000e0 81 89 02 81 81 00 db 46 7d 93 2e 12 27 06 48 bc |.......F}...'.H.|
|
|
|
|
000000f0 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 |.(!.~...]..RE.z6|
|
|
|
|
00000100 47 a5 08 0d 92 42 5b c2 81 c0 be 97 79 98 40 fb |G....B[.....y.@.|
|
|
|
|
00000110 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 |Om..+.....g.....|
|
|
|
|
00000120 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 |"8.J.ts+.4......|
|
|
|
|
00000130 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 |t{.X.la<..A..++$|
|
|
|
|
00000140 23 77 5b 1c 3b bd 75 5d ce 20 54 cf a1 63 87 1d |#w[.;.u]. T..c..|
|
|
|
|
00000150 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 |.$....P....C...u|
|
|
|
|
00000160 62 f4 14 c8 52 d7 02 03 01 00 01 a3 81 93 30 81 |b...R.........0.|
|
|
|
|
00000170 90 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 05 |.0...U..........|
|
|
|
|
00000180 a0 30 1d 06 03 55 1d 25 04 16 30 14 06 08 2b 06 |.0...U.%..0...+.|
|
|
|
|
00000190 01 05 05 07 03 01 06 08 2b 06 01 05 05 07 03 02 |........+.......|
|
|
|
|
000001a0 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 19 |0...U.......0.0.|
|
|
|
|
000001b0 06 03 55 1d 0e 04 12 04 10 9f 91 16 1f 43 43 3e |..U..........CC>|
|
|
|
|
000001c0 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 03 55 1d 23 |I..m....`0...U.#|
|
|
|
|
000001d0 04 14 30 12 80 10 48 13 49 4d 13 7e 16 31 bb a3 |..0...H.IM.~.1..|
|
|
|
|
000001e0 01 d5 ac ab 6e 7b 30 19 06 03 55 1d 11 04 12 30 |....n{0...U....0|
|
|
|
|
000001f0 10 82 0e 65 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e |...example.golan|
|
|
|
|
00000200 67 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |g0...*.H........|
|
|
|
|
00000210 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 |.....0.@+[P.a...|
|
|
|
|
00000220 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 |SX...(.X..8....1|
|
|
|
|
00000230 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 df d3 20 64 |Z..f=C.-...... d|
|
|
|
|
00000240 38 92 24 3a 00 bc cf 9c 7d b7 40 20 01 5f aa d3 |8.$:....}.@ ._..|
|
|
|
|
00000250 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 |.a..v......\....|
|
|
|
|
00000260 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 |.l..s..Cw.......|
|
|
|
|
00000270 40 83 61 c9 4c 72 2b 9d ae db 46 06 06 4d f4 c1 |@.a.Lr+...F..M..|
|
|
|
|
00000280 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 |.>...B...=.`.\!.|
|
|
|
|
00000290 3b e9 fa e7 16 03 03 00 cd 0c 00 00 c9 03 00 17 |;...............|
|
|
|
|
000002a0 41 04 1e 18 37 ef 0d 19 51 88 35 75 71 b5 e5 54 |A...7...Q.5uq..T|
|
|
|
|
000002b0 5b 12 2e 8f 09 67 fd a7 24 20 3e b2 56 1c ce 97 |[....g..$ >.V...|
|
|
|
|
000002c0 28 5e f8 2b 2d 4f 9e f1 07 9f 6c 4b 5b 83 56 e2 |(^.+-O....lK[.V.|
|
|
|
|
000002d0 32 42 e9 58 b6 d7 49 a6 b5 68 1a 41 03 56 6b dc |2B.X..I..h.A.Vk.|
|
2016-10-11 18:08:57 +01:00
|
|
|
000002e0 5a 89 05 01 00 80 92 d2 50 33 89 38 da 9b ca f6 |Z.......P3.8....|
|
|
|
|
000002f0 5c e4 71 81 e3 c2 20 4e 76 7f 5a fd db 23 30 a4 |\.q... Nv.Z..#0.|
|
|
|
|
00000300 13 23 b5 21 5d 07 48 bf 4d d9 cd cc 9e 61 3c ef |.#.!].H.M....a<.|
|
|
|
|
00000310 2e 08 39 0e 67 a4 04 61 ce ed de 8d b6 fd c1 6c |..9.g..a.......l|
|
|
|
|
00000320 40 bf a5 0a 81 58 8d 19 f6 00 ea e8 f3 da 86 d1 |@....X..........|
|
|
|
|
00000330 6f 30 bc af 7f a0 ff 55 26 8a c4 aa 67 7e dd 51 |o0.....U&...g~.Q|
|
|
|
|
00000340 99 2d d7 6c b0 1f ad 5b 7e 2b c4 2c c1 61 87 3b |.-.l...[~+.,.a.;|
|
|
|
|
00000350 99 46 8d a4 60 a6 e1 6a 76 84 a7 d9 d0 7a f7 cf |.F..`..jv....z..|
|
|
|
|
00000360 25 d5 e7 f7 ec 98 16 03 03 00 04 0e 00 00 00 |%..............|
|
2013-12-20 16:37:05 +00:00
|
|
|
>>> Flow 3 (client to server)
|
2016-10-11 18:08:57 +01:00
|
|
|
00000000 16 03 03 00 46 10 00 00 42 41 04 81 f6 51 07 43 |....F...BA...Q.C|
|
|
|
|
00000010 27 64 fd ac a7 30 b0 06 97 ba 85 50 f9 41 da 33 |'d...0.....P.A.3|
|
|
|
|
00000020 8c 1a 4b 17 b4 63 04 2c 14 f7 35 a8 8b 79 40 08 |..K..c.,..5..y@.|
|
|
|
|
00000030 a8 b2 7e 24 cf 51 f0 1e 2b a9 f9 42 0d 7e 0a 17 |..~$.Q..+..B.~..|
|
|
|
|
00000040 bb 94 f0 7e 66 e1 bf 87 e6 f3 65 14 03 03 00 01 |...~f.....e.....|
|
|
|
|
00000050 01 16 03 03 00 40 7b 65 a7 15 d5 d9 03 c8 79 ab |.....@{e......y.|
|
|
|
|
00000060 16 eb 0d 78 d7 31 9f bb 88 be aa 19 fd 15 dc e7 |...x.1..........|
|
|
|
|
00000070 9e 89 df cf 28 e6 e9 be 7b ec 9b 79 05 9e d8 4d |....(...{..y...M|
|
|
|
|
00000080 0a 43 90 97 2e b0 f7 f4 a7 98 36 9b b5 45 a0 5c |.C........6..E.\|
|
|
|
|
00000090 e6 cf 8f 52 66 6f |...Rfo|
|
2013-12-20 16:37:05 +00:00
|
|
|
>>> Flow 4 (server to client)
|
|
|
|
00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....|
|
2016-10-11 18:08:57 +01:00
|
|
|
00000010 00 00 00 00 00 00 00 00 00 00 00 65 e7 6e b1 7b |...........e.n.{|
|
|
|
|
00000020 eb cc 56 f0 b6 d5 f3 62 0f 04 e9 f3 19 40 ff 10 |..V....b.....@..|
|
|
|
|
00000030 62 1b 5d f8 d9 58 4d 0f c1 21 2d ce 27 22 3e 1b |b.]..XM..!-.'">.|
|
|
|
|
00000040 83 b2 08 bd a6 1d f8 d8 51 39 72 17 03 03 00 40 |........Q9r....@|
|
2013-12-20 16:37:05 +00:00
|
|
|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
|
2016-10-11 18:08:57 +01:00
|
|
|
00000060 4c 58 dd ee ab 29 35 6e c1 b7 17 14 80 71 99 3e |LX...)5n.....q.>|
|
|
|
|
00000070 f2 1d 70 14 95 87 c1 b9 75 a3 26 78 b0 93 22 33 |..p.....u.&x.."3|
|
|
|
|
00000080 42 77 6f 0a 13 45 a4 5b 76 69 b8 a1 4b 6e c3 37 |Bwo..E.[vi..Kn.7|
|
2013-12-20 16:37:05 +00:00
|
|
|
00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........|
|
2016-10-11 18:08:57 +01:00
|
|
|
000000a0 00 00 00 00 00 60 8b 42 ec 29 a7 60 fc 3a 0a d3 |.....`.B.).`.:..|
|
|
|
|
000000b0 72 c0 42 e0 13 16 46 5a 2b 17 ee 62 56 bc f2 c1 |r.B...FZ+..bV...|
|
|
|
|
000000c0 ed db 99 cf aa |.....|
|