[ACTION-36] Impact of SP 800-106 and SP 800-107 on XMLSEC WG

Folks,

This message summarizes for the mailing list my earlier report on the revised draft NIST Special Publications SP 800-106 and SP 800-107 and their impact on our WG.  (Thanks to Frederick for reminding me that I still had this AI open.)  SP 800-106[1] specifies a randomized hashing mechanism for digital signatures (a transformation that may be used with any hash algorithm to add a message randomization feature before hash computation).  SP 800-107[2] provides some security recommendations for applications using one of the NIST-approved hash algorithms in an approved mode (including randomized hashing). 

With regard to the randomized hashing mechanism specified in SP 800-106, the NIST mechanism is essentially a transformation that may be applied to any hash algorithm in any context (even though the NIST document is specific to hashes for digital signatures).  For XMLDSIG, we should think about randomized hashes as simply another class of hash functions that could potentially be used within <ds:Signature> and <ds:Reference> elements.  In both cases, randomized hashing requires an additional parameter (the "salt") which would have to be specified as part of the <ds:Signature> or <ds:Reference>.  At last year's W3C Workshop on Next Steps for XML Signature and XML Encryption[3] a proposal was presented by Halevi, Krawczyk and McIntosh[4] describing one possible approach, namely to define an additional <ds:Salt> subelement of <ds:SignatureMethod>.  (A similar schema-extension approach was suggested for supporting RSA-PSS by Lanz, Bratko and Lipp[5].)  The schema for <ds:SignatureMethod> already contains an <any> child, so we can add subelements without breaking the existing schema.
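As an added illustration (not part of this message, nor code from the NIST or W3C documents), the Python sketch below shows why the salt has to travel inside the signature: the verifier can only recompute the randomized digest from the <ds:Salt> value it finds under <ds:SignatureMethod>, and a missing or different salt yields a different digest. The RMX-style transform here is a simplified stand-in, not the exact SP 800-106 encoding; the base64 encoding of the salt and the Algorithm URI are assumptions.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a SignatureMethod carrying the salt as a <ds:Salt> child, as in
# the Halevi/Krawczyk/McIntosh proposal. The element name comes from that proposal;
# base64 encoding of the salt and the Algorithm URI are assumptions for this example.
SIGNATURE_METHOD_XML = f"""<ds:SignatureMethod xmlns:ds="{DS}" Algorithm="urn:example:rmx-sha256-rsa">
  <ds:Salt>AAECAwQFBgcICQoLDA0ODw==</ds:Salt>
</ds:SignatureMethod>
"""

def extract_salt(signature_method_xml: str) -> bytes:
    """Return the salt carried in <ds:Salt>; fail closed if it is missing."""
    root = ET.fromstring(signature_method_xml)
    salt_el = root.find(f"{{{DS}}}Salt")
    if salt_el is None or not (salt_el.text or "").strip():
        raise ValueError("no ds:Salt in SignatureMethod: randomized hash cannot be recomputed")
    return base64.b64decode(salt_el.text.strip(), validate=True)

def randomize_message(message: bytes, salt: bytes) -> bytes:
    """Simplified RMX-style randomization (not the exact SP 800-106 encoding):
    append 0x80, zero-pad to a multiple of the salt length, XOR every block
    with the salt, and prepend the salt itself."""
    if not salt:
        raise ValueError("salt must be non-empty")
    padded = message + b"\x80"
    padded += b"\x00" * (-len(padded) % len(salt))
    mixed = bytes(b ^ salt[i % len(salt)] for i, b in enumerate(padded))
    return salt + mixed

def randomized_digest(message: bytes, salt: bytes) -> bytes:
    """Hash of the randomized message; this is the value the signature covers."""
    return hashlib.sha256(randomize_message(message, salt)).digest()

def verify_digest(signature_method_xml: str, message: bytes, expected: bytes) -> bool:
    """Verifier side: recover the salt from the XML and recompute the digest."""
    salt = extract_salt(signature_method_xml)
    return hmac.compare_digest(randomized_digest(message, salt), expected)

if __name__ == "__main__":
    msg = b"<Document>signed content</Document>"  # constructed input
    digest = randomized_digest(msg, extract_salt(SIGNATURE_METHOD_XML))  # signer side
    print(verify_digest(SIGNATURE_METHOD_XML, msg, digest))              # True
    print(randomized_digest(msg, b"\x01" * 16) != digest)                # True: salt matters
```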

Defining standard subelements to support randomized hashing (and perhaps RSA-PSS) would be an appropriate activity for the WG as part of our overall revision of XMLDSIG's mandatory-to-implement and recommended algorithms.   An open issue we will need to address is whether we should just define these signature and hash function parameter subelements as direct children of <ds:SignatureMethod> or if we should add some additional substructure to separate out those elements which relate to the signature operation from those related to the hash operation.  (I'm not sure if it's really necessary to make such a separation, but it's worth talking about in the WG.)

Regarding SP 800-107, the security recommendations for use of NIST-approved hash algorithms, I believe the only action we will need to take is to make sure that any security recommendations we make in a revision to XMLDSIG do not conflict with those in SP 800-107.  Referencing SP 800-107 in revisions of XMLDSIG (in particular Table 1: Strengths of the Security Properties of the Approved Hash Algorithms) would be a good idea.

					--bal

[1] http://csrc.nist.gov/publications/drafts/800-106/2nd-Draft_SP800-106_July2008.pdf

[2] http://csrc.nist.gov/publications/drafts/Draft-SP-800-107/draft-SP800-107-July2008.pdf

[3] http://www.w3.org/2007/xmlsec/ws/report.html

[4] http://www.w3.org/2007/xmlsec/ws/papers/11-mcintosh-ibm/

[5] http://www.w3.org/2007/xmlsec/ws/papers/08-lanz-iaik/

Received on Thursday, 16 October 2008 02:42:27 UTC