Re: [webauthn] Section 8.6 step 6 clarification (Correct Hash algorithm) (#1279) from Bart via GitHub on 2019-08-17 (public-webauthn@w3.org from August 2019)

From: Bart via GitHub <sysbot+gh@w3.org>
Date: Sat, 17 Aug 2019 17:08:06 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-522254290-1566061685-sysbot+gh@w3.org>

The U2F attestation formats section should be read within the context of other sections on attestation 🙂. But the back and forth can be confusing. Section 6.4.5 on signature formats for the different attestation formats mentions:
> For COSEAlgorithmIdentifier -7 (ES256), and other ECDSA-based algorithms, a signature value is encoded as an ASN.1 DER Ecdsa-Sig-Value [...] CTAP1/U2F authenticators are already producing signatures values in this format

If you want to follow the rabbit-hole with the sources given in section 8.6, step 3 refers to ALG_KEY_ECC_X962_RAW key format which according to the [FIDO registry document](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-registry-v2.0-id-20180227.html#h3_tags-used-for-crypto-algorithms-and-types) can be used with ECDSA/SHA-256 and SM2/SM3. 

[SEC1: Elliptic Curve Cryptography](http://www.secg.org/sec1-v2.pdf) referred to in step 6 mentions:
> The ANS X9.62 standard specifies ECDSA for use by the financial services industry. It requires
ECDSA to be used with an ANSI-approved hash function, and with elliptic curve domain parameters with n > 2 <sup>160</sup> to meet the stringent security requirements of the banking industry. Subject to these constraints and other procedural constraints such as the use of an ANSI-approved random number generator, the specification of ECDSA in this document should comply with ANS X9.62-2005.

Per the excerpt of ANSI X9.62-2005 (a non-free document) from https://standards.globalspec.com/std/1955141/ANSI%20X9.62 :
> The ECDSA shall be used in conjunction with an Approved hash function, as specified in X9 Registry Item 00003, Secure Hash Standard (SHS). The hash functions Approved at the time of publication of this document are SHA1 (see NOTE), SHA-224, SHA-256, SHA-384 and SHA-512. 

The Secure Hash Standard latest version is https://csrc.nist.gov/publications/detail/fips/180/4/final but the only common hash function through this all is... you guessed it 😄 SHA-256.

-- 
GitHub Notification of comment by bdewater
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1279#issuecomment-522254290 using your GitHub account

Received on Saturday, 17 August 2019 17:08:08 UTC