On Wed, Apr 1, 2015 at 7:58 AM, Russ Housley <[email protected]> wrote:
> * using non-deterministic ECDSA with a predictable source of randomness
> means that each signature can potentially leak the secret material of the
> signing key.
>
> My understanding is that the first step in generating an ECDSA signature is
> to generate a random value K. The private key is disclosed if the same K is
> used to produce more than one signature. The chances of generating the same
> K are vanishingly small if there is a reasonable pseudorandom source. I would
> hope that the servers running the logs have a reasonable source of
> pseudorandom values.

So these servers wouldn't be running Debian, would they? Or FreeBSD
pre-release versions? In fact, secret keys can be revealed via slight biases
or a few leaked bits of k over multiple signatures.

Sincerely,
Watson Ladd

>
> Russ
>
>
> On Apr 1, 2015, at 10:50 AM, trans issue tracker wrote:
>
>> #83: CT should mandate the use of deterministic ECDSA
>>
>> RFC 6979 describes how to do deterministic ECDSA.
>>
>> certificate transparency logs should be required to use this mechanism,
>> for two reasons:
>>
>> * using non-deterministic ECDSA with a predictable source of randomness
>> means that each signature can potentially leak the secret material of the
>> signing key.
>>
>> * a log that produces two separate valid STHs with the same timestamp and
>> same data but with different signatures should be considered dubious
>> (though I don't have a concrete attack I can describe for this scenario
>> yet) -- ensuring the use of deterministic ECDSA means that in normal
>> operation, regular logs won't produce this behavior.
>>
>> --
>> -------------------------+-------------------------------------------------
>> Reporter: [email protected]   | Owner: draft-ietf-trans-[email protected]
>> Type: defect             | Status: new
>> Priority: major          | Milestone:
>> Component: rfc6962-bis   | Version:
>> Severity: -              | Keywords:
>> -------------------------+-------------------------------------------------
>>
>> Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/83>
>> trans <http://tools.ietf.org/trans/>
>>
>> _______________________________________________
>> Trans mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/trans
>

-- 
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
