Alternative TLS implementation in Go
Go to file
David Leon Gil a1363d2ed9 crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.

Fixes #9452

--

This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:

   - csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
   - reader = AES-256-CTR(k=csprng_key)

This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.

ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:

*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.

*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.

--

Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.

--

[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"

[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"

[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"

[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"

[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"

New tests:

  TestNonceSafety: Check that signatures are safe even with a
    broken entropy source.

  TestINDCCA: Check that signatures remain non-deterministic
    with a functional entropy source.

Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.

Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-28 01:39:51 +00:00
testdata crypto/ecdsa: make Sign safe with broken entropy sources 2015-01-28 01:39:51 +00:00
alert.go crypto/tls: support TLS_FALLBACK_SCSV as a server. 2014-10-15 17:54:04 -07:00
cipher_suites.go crypto/tls: support TLS_FALLBACK_SCSV as a server. 2014-10-15 17:54:04 -07:00
common.go crypto/tls: change default minimum version to TLS 1.0. 2014-12-18 19:49:41 +00:00
conn_test.go crypto/tls: Added dynamic alternative to NameToCertificate map for SNI 2014-08-06 11:22:00 -07:00
conn.go crypto/tls: implement tls-unique channel binding (RFC 5929 section 3). 2014-08-11 16:40:42 -07:00
example_test.go crypto/x509: add example of using a custom root list. 2014-02-19 11:18:35 -05:00
generate_cert.go crypto/tls: Support ECDSA keys in generate_cert.go 2014-07-28 14:46:34 -07:00
handshake_client_test.go crypto/tls: print unexpected error in test 2014-09-07 09:07:19 -04:00
handshake_client.go crypto: add Signer 2014-08-29 12:36:30 -07:00
handshake_messages_test.go crypto/tls: add ALPN support. 2014-08-05 11:36:20 -07:00
handshake_messages.go crypto/tls: fix renegotiation extension. 2015-01-06 19:50:07 +00:00
handshake_server_test.go crypto/tls: fix renegotiation extension. 2015-01-06 19:50:07 +00:00
handshake_server.go crypto/tls: enable TLS_FALLBACK_SCSV in server with default max version 2014-12-18 19:36:01 +00:00
handshake_test.go crypto/tls: rework reference tests. 2013-12-20 11:37:05 -05:00
key_agreement.go crypto/tls: check curve equation in ECDHE. 2014-07-28 15:46:27 -07:00
prf_test.go crypto/tls: support TLS 1.1. 2013-06-04 20:02:22 -04:00
prf.go crypto/tls: fix TLS 1.2 client certificates. 2013-09-16 16:39:42 -04:00
ticket.go crypto/tls: ensure that we don't resume when tickets are disabled. 2014-09-26 11:02:09 +10:00
tls_test.go crypto/tls: implement tls-unique channel binding (RFC 5929 section 3). 2014-08-11 16:40:42 -07:00
tls.go crypto/tls: remove return parameter stutter 2015-01-13 21:35:11 +00:00