Scope and Field of Application
This technical report proposes to investigate the security issues of managing state in stateful hash-based signature schemes, and the appropriateness of using such schemes in different deployment environments. This report does not intend to investigate such usage in specific hardware or software products. It will investigate usage abstractly in contexts such as, but not necessarily limited to, hardware security modules, smart cards, Public Key Infrastructure, and firmware or software signing. This informative report will reference the stateful hash-based signature specifications from the Crypto Forum Research Group (RFC 8391 and RFC 8554), as well as the forthcoming NIST Special Publication on stateful hash-based signature schemes. This proposed Technical Report intends to help a reader determine whether a given deployment scenario is a suitable context for stateful hash-based signature algorithms by discussing the characteristics of such schemes and by identifying potential security risks associated with managing state. Examples of both appropriate and inappropriate use cases will be given. The report then intends to give guidance on how best to mitigate the identified potential vulnerabilities and security risks associated with state management.