| blob | 56eabba2fa79e18506f4daa998201f434e5d9d19 |
1 /*
2 * Code to generate 'nonce' values for DSA signature algorithms, in a
3 * deterministic way.
4 */
10 /*
11 * All DSA-type signature systems depend on a nonce - a random number
12 * generated during the signing operation.
13 *
14 * This nonce is a weak point of DSA and needs careful protection,
15 * for multiple reasons:
16 *
17 * 1. If an attacker in possession of your public key and a single
18 * signature can find out or guess the nonce you used in that
19 * signature, they can immediately recover your _private key_.
20 *
21 * 2. If you reuse the same nonce in two different signatures, this
22 * will be instantly obvious to the attacker (one of the two
23 * values making up the signature will match), and again, they can
24 * immediately recover the private key as soon as they notice this.
25 *
26 * 3. In at least one system, information about your private key is
27 * leaked merely by generating nonces with a significant bias.
28 *
29 * Attacks #1 and #2 work across all of integer DSA, NIST-style ECDSA,
30 * and EdDSA. The details vary, but the headline effects are the same.
31 *
32 * So we must be very careful with our nonces. They must be generated
33 * with uniform distribution, but also, they must avoid depending on
34 * any random number generator that has the slightest doubt about its
35 * reliability.
36 *
37 * In particular, PuTTY's policy is that for this purpose we don't
38 * _even_ trust the PRNG we use for other cryptography. This is mostly
39 * a concern because of Windows, where system entropy sources are
40 * limited and we have doubts about their trustworthiness
41 * - even CryptGenRandom. PuTTY compensates as best it can with its
42 * own ongoing entropy collection, and we trust that for session keys,
43 * but revealing the private key that goes with a long-term public key
44 * is a far worse outcome than revealing one SSH session key, and for
45 * keeping your private key safe, we don't think the available Windows
46 * entropy gives us enough confidence.
47 *
48 * A common strategy these days (although <hipster>PuTTY was doing it
49 * before it was cool</hipster>) is to avoid using a PRNG based on
50 * system entropy at all. Instead, you use a deterministic PRNG that
51 * starts from a fixed input seed, and in that input seed you include
52 * the message to be signed and the _private key_.
53 *
54 * Including the private key in the seed is counterintuitive, but does
55 * actually make sense. A deterministic nonce generation strategy must
56 * use _some_ piece of input that the attacker doesn't have, or else
57 * they'd be able to repeat the entire computation and construct the
58 * same nonce you did. And the one thing they don't know is the
59 * private key! So we include that in the seed data (under enough
60 * layers of overcautious hashing to protect it against exposure), and
61 * then they _can't_ repeat the same construction. Moreover, if they
62 * _could_, they'd already know the private key, so they wouldn't need
63 * to perform an attack of this kind at all!
64 *
65 * (This trick doesn't, _per se_, protect against reuse of nonces.
66 * That is left to chance, which is enough, because the space of
67 * nonces is large enough to make it adequately unlikely. But it
68 * avoids escalating the reuse risk due to inadequate entropy.)
69 *
70 * For integer DSA and ECDSA, the system we use for deterministic
71 * generation of k is exactly the one specified in RFC 6979. We
72 * switched to this from the old system that PuTTY used to use before
73 * that RFC came out. The old system had a critical bug: it did not
74 * always generate _enough_ data to get uniform distribution, because
75 * its output was a single SHA-512 hash. We could have fixed that
76 * minimally, by concatenating multiple hashes, but it seemed more
77 * sensible to switch to a system that comes with test vectors.
78 *
79 * One downside of RFC 6979 is that it's based on rejection sampling
80 * (that is, you generate a random number and keep retrying until it's
81 * in range). This makes it play badly with our side-channel test
82 * system, which wants every execution trace of a supposedly
83 * constant-time operation to be the same. To work around this
84 * awkwardness, we break up the algorithm further, into a setup phase
85 * and an 'attempt to generate an output' phase, each of which is
86 * individually constant-time.
87 */
90 /*
91 * Size of the cyclic group over which we're doing DSA.
92 * Equivalently, the multiplicative order of g (for integer DSA)
93 * or the curve's base point (for ECDSA). For integer DSA this is
94 * also the same thing as the small prime q from the key
95 * parameters.
96 *
97 * This pointer is not owned. Freeing this structure will not free
98 * it, and freeing the pointed-to integer before freeing this
99 * structure will make this structure dangerous to use.
100 */
103 /*
104 * The private key integer, which is always the discrete log of
105 * the public key with respect to the group generator.
106 *
107 * This pointer is not owned. Freeing this structure will not free
108 * it, and freeing the pointed-to integer before freeing this
109 * structure will make this structure dangerous to use.
110 */
113 /*
114 * Cached values derived from q: its length in bits, and in bytes.
115 */
118 /*
119 * Reusable hash and MAC objects.
120 */
124 /*
125 * Cached value: the output length of the hash.
126 */
129 /*
130 * The byte string V used in the algorithm.
131 */
134 /*
135 * The string T to use during each attempt, and how many
136 * hash-sized blocks to fill it with.
137 */
140 };
143 {
148 /*
149 * Rationale for using mp_rshift_fixed_into and not
150 * mp_rshift_safe_into: the shift count is derived from the
151 * difference between the length of the modulus q, and the length
152 * of the input bit string, i.e. between the _sizes_ of things
153 * involved in the protocol. But the sizes aren't secret. Only the
154 * actual values of integers and bit strings of those sizes are
155 * secret. So it's OK for the shift count to be known to an
156 * attacker - they'd know it anyway just from which DSA algorithm
157 * we were using.
158 */
163 }
166 {
171 }
174 {
178 }
180 #define put_int2octets(bs, x, s) \
181 BinarySink_put_int2octets(BinarySink_UPCAST(bs), x, s)
182 #define put_bits2octets(bs, b, s) \
183 BinarySink_put_bits2octets(BinarySink_UPCAST(bs), b, s)
186 {
187 /* Make the state structure. */
197 /* In each attempt, we concatenate enough hash blocks to be
198 * greater than qbits in size. */
204 }
207 {
211 /* 3.2 (a): hash the message to get h1. */
216 /* 3.2 (b): set V to a sequence of 0x01 bytes the same size as the
217 * hash function's output. */
220 /* 3.2 (c): set the initial HMAC key K to all zeroes, again the
221 * same size as the hash function's output. */
225 /* 3.2 (d): compute the MAC of V, the private key, and h1, with
226 * key K, making a new key to replace K. */
235 /* 3.2 (e): replace V with its HMAC using the new K. */
240 /* 3.2 (f): repeat step (d), only using the new K in place of the
241 * initial all-zeroes one, and with the extra byte in the middle
242 * of the MAC preimage being 1 rather than 0. */
251 /* 3.2 (g): repeat step (e), using the again-replaced K. */
258 }
261 {
262 RFC6979Result result;
264 /* 3.2 (h) 1: set T to the empty string */
265 /* 3.2 (h) 2: make lots of output by concatenating MACs of V */
271 }
273 /* 3.2 (h) 3: if we have a number in [1, q-1], return it ... */
277 /*
278 * Perturb K and regenerate V ready for the next attempt.
279 *
280 * We do this unconditionally, whether or not the k we just
281 * generated is acceptable. The time cost isn't large compared to
282 * the public-key operation we're going to do next (not to mention
283 * the larger number of these same operations we've already done),
284 * and it makes side-channel testing easier if this function is
285 * constant-time from beginning to end.
286 *
287 * In other rejection-sampling situations, particularly prime
288 * generation, we're not this careful: it's enough to ensure that
289 * _successful_ attempts run in constant time, Failures can do
290 * whatever they like, on the theory that the only information
291 * they _have_ to potentially expose via side channels is
292 * information that was subsequently thrown away without being
293 * used for anything important. (Hence, for example, it's fine to
294 * have multiple different early-exit paths for failures you
295 * detect at different times.)
296 *
297 * But here, the situation is different. Prime generation attempts
298 * are independent of each other. These are not. All our
299 * iterations round this loop use the _same_ secret data set up by
300 * rfc6979_new(), and also, the perturbation step we're about to
301 * compute will be used by the next iteration if there is one. So
302 * it's absolutely _not_ true that a failed iteration deals
303 * exclusively with data that won't contribute to the eventual
304 * output. Hence, we have to be careful about the failures as well
305 * as the successes.
306 *
307 * (Even so, it would be OK to make successes and failures take
308 * different amounts of time, as long as each of those amounts was
309 * consistent. But it's easier for testing to make them the same.)
310 */
324 }
327 {
328 /* We don't free s->q or s->x: our caller still owns those. */
335 /* Clear the whole structure before freeing. Most fields aren't
336 * sensitive (pointers or well-known length values), but V is, and
337 * it's easier to clear the whole lot than fiddle about
338 * identifying the sensitive fields. */
342 }
346 {
349 RFC6979Result result;
354 else
356 }
359 }