openssl icon indicating copy to clipboard operation
openssl copied to clipboard

Published 20 hours ago verified publisher icon openssl

Add design document for LMS.

Open slontis opened this issue 2 years ago • 29 comments
trafficstars

Checklist
  • [x] documentation is added or updated
  • [ ] tests are added or updated

slontis avatar Oct 12 '23 04:10 slontis

Put a hold on this to discuss within the OTC.. In particular the new API and what is supported/not supported need to be discussed.

slontis avatar Oct 12 '23 05:10 slontis

May I ask for a requirement that if any signing operation is implemented that it can be disabled at built time, leaving only verification operations available?

LMS is something that should never been implemented in a generic software system, NIST and NSA as well recommend that LMS and XMSS signatures are implemented only in Hardware, and the reason is that duplicating state is catastrophic, and in software duplicating state is as simple as restarting a machine after a crash where updates didn't get to disk, or copying around files.

We do not want to give our users a knife that has cyanide laced razor blades for a handle.

simo5 avatar Oct 13 '23 18:10 simo5

May I ask for a requirement that if any signing operation is implemented that it can be disabled at built time, leaving only verification operations available?

LMS is something that should never been implemented in a generic software system, NIST and NSA as well recommend that LMS and XMSS signatures are implemented only in Hardware, and the reason is that duplicating state is catastrophic, and in software duplicating state is as simple as restarting a machine after a crash where updates didn't get to disk, or copying around files.

We do not want to give our users a knife that has cyanide laced razor blades for a handle.

There is no intention of implementing the sign or private key generation

slontis avatar Oct 15 '23 23:10 slontis

Thanks for your input @rjrelyea

slontis avatar Oct 16 '23 22:10 slontis

I would go even further that what Simo said.

I consider not only presence of signature creation a problem, but signature verification too.

Safe use of any stateful hash based signature formats absolutely and unequivocally depends on the signature operation being performed in hardware. Doing it in a way that allows for disaster recovery, over 10, or 20+ years of use, is orders of magnitude harder still. That means that there will be very few originators of such signatures. Which means they will be used in very few places.

In case we have widely deployed implementations that can verify such signatures, there definitely will be people that don't know better and actually implement and use signature creation in software. So, just presence of signature verification is an incentive to do the wrong thing.

As such, I don't think openssl should ship with any code that can do LMS verification. It can have support for providers that support it (to support the hardware modules), but I think including verification code is a mistake. If there are specific users asking for it, it should be a separate provider module, not part of OpenSSL proper. Users should not be able to expect that LMS is supported out of the box.

See also: Nuclear Non-proliferation Treaty

tomato42 avatar Nov 21 '23 18:11 tomato42

I would go even further that what Simo said.

I consider not only presence of signature creation a problem, but signature verification too.

Safe use of any stateful hash based signature formats absolutely and unequivocally depends on the signature operation being performed in hardware. Doing it in a way that allows for disaster recovery, over 10, or 20+ years of use, is orders of magnitude harder still. That means that there will be very few originators of such signatures. Which means they will be used in very few places.

In case we have widely deployed implementations that can verify such signatures, there definitely will be people that don't know better and actually implement and use signature creation in software. So, just presence of signature verification is an incentive to do the wrong thing.

There is no state associated with the signature verification, so I dont agree. There are many things in crypto that you can do wrong if you dont know what you are doing. @t-j-h Would you care to respond to why we should do HSS signature and key generation in OpenSSL.

slontis avatar Nov 21 '23 18:11 slontis

My point is that there is a difference between "it's hard to do it correctly" and "there's literally at most double digit number of corporations in the world that will be able to do a production deployment correctly".

tomato42 avatar Nov 21 '23 19:11 tomato42

While I agree that with hubert that only a handful of entities will be able to correctly deploy keygen and signatures, I don't agree verification will necessarily be wrong. Those handful of entities will be creating signatures that millions of users may need to verify. The use cases for these signature algorithms are basically sign an object once and many people verify that signature over the course of the next couple of decades.

Anyone with enough skill to replace the signature/keygen portion will also have enough skill to know the dangers of not doing this with hardware tokens. The guidance is pretty widespread.

rjrelyea avatar Nov 21 '23 21:11 rjrelyea

And if we expect that only a handful of entities will be creating such signatures, why would we want to have code for verifying them when processing any and all signatures?

Reasonably there are two usages for stateful signatures: root CAs and signing software/firmware. In both cases you know a priori if you'll need support for a stateful hash signature. So if that need arises, the code can load the necessary provider ahead of time.

There's another reason for not including it in OpenSSL proper: stateful signatures are very much a transitionary, niche technology. Long term we will end up using stateless hash signatures, lattice based, or something else still. By including it in OpenSSL, the project commits to supporting them for a long time.

tomato42 avatar Nov 21 '23 23:11 tomato42

This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago

openssl-machine avatar Dec 22 '23 00:12 openssl-machine

This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago

openssl-machine avatar Jan 22 '24 00:01 openssl-machine

This PR is in a state where it requires action by @openssl/otc but the last update was 92 days ago

openssl-machine avatar Feb 22 '24 00:02 openssl-machine

This PR is in a state where it requires action by @openssl/otc but the last update was 123 days ago

openssl-machine avatar Mar 24 '24 00:03 openssl-machine

This PR is in a state where it requires action by @openssl/otc but the last update was 154 days ago

openssl-machine avatar Apr 24 '24 00:04 openssl-machine

This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago

openssl-machine avatar Jun 08 '24 00:06 openssl-machine

This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago

openssl-machine avatar Jul 09 '24 00:07 openssl-machine

This PR is in a state where it requires action by @openssl/otc but the last update was 91 days ago

openssl-machine avatar Aug 08 '24 08:08 openssl-machine

This PR is in a state where it requires action by @openssl/otc but the last update was 122 days ago

openssl-machine avatar Sep 08 '24 00:09 openssl-machine

Considering the recent additions to the EVP_PKEY_ sign and verify functionality, maybe this needs an update? Is the new interface ready enough so this can simply be a matter of writing provider code?

levitte avatar Sep 09 '24 09:09 levitte

I am in the process of writing the code..

slontis avatar Sep 09 '24 22:09 slontis