Does ECDSA require DER?


Greg Rubin

Dec 21, 2016, 12:42:57 AM
to wycheproof-users
Can someone point me to the standard which actually defines the ASN.1 encoding for ECDSA signatures? Specifically, must it be DER, or is BER sufficient?

If DER is required, should we create some test cases for this? (Such as leading zeros on R and S or non-minimal length encodings?)

Greg
P.S. Can I write an email in nothing but questions?

Daniel Bleichenbacher

Dec 21, 2016, 11:28:43 AM
to Greg Rubin, wycheproof-users
On Wed, Dec 21, 2016 at 6:42 AM, Greg Rubin <grr...@gmail.com> wrote:
Can someone point me to the standard which actually defines the ASN.1 encoding for ECDSA signatures? Specifically, must it be DER, or is BER sufficient?

Good question.
I haven't found a standard making claims in either direction. There are a few arguments suggesting that a restriction to DER would be preferable.

OpenSSL and other SSL implementations only accept DER encoded signatures. Hence an implementation that is not generating DER encoded signatures
is likely going to cause problems at some point. Hence at least flagging such libraries as incompatible and problematic makes sense.
If we can assume that all signatures we have to check are DER encoded, then it also makes sense to reject other formats, since stricter testing should
make a library more robust.

Preventing that signatures are malleable can have some minor advantages in general. 
Though ECDSA is not such a good example, since the sign of s can always be flipped.

And it also simplifies my work. Testing implementations of cryptographic primitives can become painful if randomly changing a signature can
result in another valid signature by chance.
  
 

If DER is required, should we create some test cases for this? (Such as leading zeros on R and S or non-minimal length encodings?)

Just to avoid duplicate work: I have such test cases, but they have not been added since there are open issues. One is the question you mention.
Another one is simply the question what Exception may be thrown when the encoding is invalid.  

Greg
P.S. Can I write an email in nothing but questions?

--
You received this message because you are subscribed to the Google Groups "wycheproof-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wycheproof-users+unsubscribe@googlegroups.com.
To post to this group, send email to wycheproof-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wycheproof-users/CAEG%2BP28eLoSR4_3xoXW2V85otnccUP9fWX5xCdku-SgQMC6VcQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

nolo...@gmail.com

Dec 23, 2016, 6:06:49 AM
to wycheproof-users, grr...@gmail.com


On Wednesday, December 21, 2016 at 12:42:57 AM UTC-5, Greg Rubin wrote:
Can someone point me to the standard which actually defines the ASN.1 encoding for ECDSA signatures? Specifically, must it be DER, or is BER sufficient?

I'm guessing there are probably a few standards that provide an encoding.

I know ANSI 9.62, Annex E, pp 45-70 provides it. It's so many pages because nearly anything that can be ASN.1 encoded is specified.

The intro paragraph to the annex can be found at https://postimg.org/image/5spbtia87/.

Jeff

nolo...@gmail.com

Dec 23, 2016, 8:44:57 AM
to wycheproof-users


On Friday, December 23, 2016 at 6:06:49 AM UTC-5, nolo...@gmail.com wrote:


On Wednesday, December 21, 2016 at 12:42:57 AM UTC-5, Greg Rubin wrote:
Can someone point me to the standard which actually defines the ASN.1 encoding for ECDSA signatures? Specifically, must it be DER, or is BER sufficient?

I'm guessing there are probably a few standards that provide an encoding.

This may also help you. See section 10.1 CORE ECDSA STANDARDS (pp.37-39) at http://cs.ucsb.edu/~koc/ccs130h/notes/ecdsa-cert.pdf. It looks like it lists five or so standards, including IEEE P1363 and ANSI X9.62.

Jeff

Blumenthal, Uri - 0553 - MITLL

Dec 23, 2016, 9:25:46 AM
to nolo...@gmail.com, wycheproof-users
Translating the documents into plain language: decoding may be BER, encoding must be DER. Otherwise one may be very sorry. ;-)


Daniel Bleichenbacher

Jan 3, 2017, 6:01:28 AM
to Blumenthal, Uri - 0553 - MITLL, nolo...@gmail.com, wycheproof-users
Thanks for the replies.
The test vectors for ECDSA will be divided into two sets:
(1) invalid signatures, which always should be rejected
(2) modified signatures, which might get accepted but should not crash a library.
     These signatures include BER encodings and possibly some legacy cases.


     

On Fri, Dec 23, 2016 at 3:21 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote:
Translating the documents into plain language: decoding may be BER, encoding must be DER. Otherwise one may be very sorry. ;-)



On Friday, December 23, 2016 at 6:06:49 AM UTC-5, nolo...@gmail.com wrote:


On Wednesday, December 21, 2016 at 12:42:57 AM UTC-5, Greg Rubin wrote:
Can someone point me to the standard which actually defines the ASN.1 encoding for ECDSA signatures? Specifically, must it be DER, or is BER sufficient?

I'm guessing there are probably a few standards that provide an encoding.

This may also help you. See section 10.1 CORE ECDSA STANDARDS (pp.37-39) at http://cs.ucsb.edu/~koc/ccs130h/notes/ecdsa-cert.pdf. It looks like it lists five or so standards, including IEEE P1363 and ANSI X9.62.

Jeff

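Added example, not part of the thread and not Wycheproof code: a small decoder for the ECDSA signature structure that shows how the two encodings raised above (a leading zero on R, a non-minimal length) decode to the same (r, s) under a lenient parser but are rejected under strict DER. The function names and the sample bytes are constructed for illustration; the decoder does not handle indefinite lengths and does not verify any signature.

```python
# Added example, not Wycheproof code. ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }

def _read_len(buf, pos, strict):
    # Caller guarantees pos < len(buf). Returns (length, next_pos).
    first, pos = buf[pos], pos + 1
    if first < 0x80:                      # short form is always minimal
        return first, pos
    n = first & 0x7F
    if n == 0 or pos + n > len(buf):
        raise ValueError("indefinite or truncated length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if strict and (length < 0x80 or buf[pos] == 0):
        raise ValueError("non-minimal length encoding")
    return length, pos + n

def _read_int(buf, pos, strict):
    if pos + 1 >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_len(buf, pos + 1, strict)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("bad INTEGER length")
    if strict and length > 1 and ((body[0] == 0x00 and body[1] < 0x80) or
                                  (body[0] == 0xFF and body[1] >= 0x80)):
        raise ValueError("redundant leading byte in INTEGER")
    return int.from_bytes(body, "big", signed=True), pos + length

def decode_sig(sig, strict=True):
    if len(sig) < 2 or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_len(sig, 1, strict)
    if pos + length != len(sig):
        raise ValueError("length mismatch or trailing data")
    r, pos = _read_int(sig, pos, strict)
    s, pos = _read_int(sig, pos, strict)
    if pos != len(sig):
        raise ValueError("trailing data inside SEQUENCE")
    return r, s

def accepts(sig, strict):
    try:
        decode_sig(sig, strict)
        return True
    except ValueError:
        return False

# Constructed samples with toy values r=0x1234, s=0x5678 (not a real signature).
DER = bytes.fromhex("30080202123402025678")
LEADING_ZERO_R = bytes.fromhex("3009020300123402025678")   # r padded with 0x00
LONG_FORM_LEN = bytes.fromhex("3081080202123402025678")    # length 8 as 0x81 0x08
```

A verifier built on the lenient path accepts three different byte strings for one (r, s) pair, which is the encoding malleability the strict path removes.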