IETF Logo Mail Archive

Re: [CFRG] NSA vs. hybrid

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 12 November 2021 13:38 UTC

Return-Path: <prvs=79504f246f=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F0643A091C for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 05:38:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5EwcyieIvH3U for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 05:38:14 -0800 (PST)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 883FD3A0865 for <cfrg@irtf.org>; Fri, 12 Nov 2021 05:38:14 -0800 (PST)
Received: from LLEX2019-3.mitll.ad.local (llex2019-3.llan.ll.mit.edu [172.25.4.125]) by MX2.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 1ACDcC2E238057 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <cfrg@irtf.org>; Fri, 12 Nov 2021 08:38:12 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=vbe9+xGAm6ckC42u1rGHoo2gqQyzaSki0bVN7Y9u5LPtPx5xwS3x5Il9FYebrLGMGmi1rQ+ghJr34zagHeGvfow6+ZmqHysnxkaWzS6jADiqWadByP2sIozTYj8jK5OsR38Oq9E0PJydIibERKMdWWCudboui4Il5oRUYyhCPi1K4dOuyA8Lie8+zIVfvKjBVWimRMjUcCckV+qVXEexXuUbH+0vxOSveuOVEdyAoEosUnXv0cYMJDfXMAqyRsA+1BEuzHhSKnHmAJpxRN/namdReTlJldoslRnEmZE0pfQHgHgkNizFx40/qZ/A8+X+8pKT8ZSD6N2ir9a9TiLj2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=IPLM/XnyluspT1xQJUFqTMWT+vIhZhZhUxjJ+ENd8NU=; b=yqSm9M+qU4gBDzcPQjmcKMsXx54/Y9oHtroDeoJ8+nGWYiec7lpizOCz2p76ATTrPL7uWq7t7FzNUAhiIZEte4Ci3Ak+DX3JS+cmLdyHpVi36Y7NcGhiforXNc2iCOLtO/Yyre50mV8bvKChC23kPevaNWGPEmKl1MBMqGIOz9hMADQzyLGVem6PJs0Z5fcDXpcuzFrc+HBeVhFEyyFzbiDgUorYfCVmWgpkHVfHkt22UWG+BLR7g3QTKrV3gq2YBjYT1D9C8zNnu3IFSXKxRXFKMJB59OoCodus2Scr4IPTmqnv3HUUnvT9zA31UjuNT0kcivWo5qxMA6MhQ53cfA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] NSA vs. hybrid
Thread-Index: AQHX16fXW9d+W2Z8cUihngZecK0bMav/vjuAgAANKYD//8aIAA==
Date: Fri, 12 Nov 2021 13:38:09 +0000
Message-ID: <A76CD9D7-7502-4C9D-AFCA-E9378D44E52B@ll.mit.edu>
References: <CAAt2M18seCg-Z_QZRma6nOiXS5SpESc=9Wfg_2brUbwiAxpSxQ@mail.gmail.com> <20211112120349.636988.qmail@cr.yp.to>
In-Reply-To: <20211112120349.636988.qmail@cr.yp.to>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.54.21101001
authentication-results: irtf.org; dkim=none (message not signed) header.d=none;irtf.org; dmarc=none action=none header.from=ll.mit.edu;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c55ff7fa-3159-4c24-e4e1-08d9a5e1aa71
x-ms-traffictypediagnostic: CY1P110MB0615:
x-microsoft-antispam-prvs: <CY1P110MB0615E1F0B8421A049599DF1C90959@CY1P110MB0615.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 8Th2z/5ft1q35rGAyBqjCwYXs2DxbDOUulYsRbQYp6rD5odGrnGlVeWjmoOqjaeHM6Sb68pPwhZKcpIEbrrc8xR4Oscf9osDCNzcpSj/t42oJOhnsB7pyTl7f4UxXLzYiK8Cy+SBD8Aa+MFHpT7AGHey0FNvJF8LER7GIGteovyoQIPKj7wWtV9mpo0LWLSYDngfa8yX6jST4Yh/XtvGEa45fnD2PswkkPAkJkAp4XhHj6enHNYIsPr3BwhXGU2Psa1/ZFjRIqPg/k5U9gdl+B59GjiU0D9PvNJ+OMTNgBwmLe8k+lBX5rfTQ3hmUzCCZq6XGXdDQizEKc3beQDva03WiSuNe/JGM7i1hwDBw+L0VzI1XP1/r+CCN7hHleBONdcxl2Z1yhcjQkjcpuuMECR1FKeZjexnnWgIYvZeHcE4nVVnFjDqsZLKs8Ki7kVYEQGUiIh1oy2as9BSYkmryBO303teNuYQotVpm2zs8KGO6lgUPRLD/luoyVdDKND1S7rHCpmV2iIl8LgRGbO1pZu6vZ2rrwjqX+8WvtrERj0l558Ml5/108gw1uk32yWdM664wGCrmzcLEd1DiaqrKuJyOFz3Q/+IQKniwtBunAsSP1Zdle7lVVjSjMxf/TbeAWhPVnqwUpyEJmqHVNo1a5eeoWpyzDvIWPULzF4hZDE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY1P110MB0616.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(6486002)(64756008)(186003)(6506007)(26005)(71200400001)(66946007)(6512007)(75432002)(33656002)(66556008)(2616005)(5660300002)(86362001)(6916009)(38070700005)(99936003)(66446008)(8676002)(8936002)(2906002)(83380400001)(76116006)(122000001)(38100700002)(45080400002)(498600001)(66476007)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: UlIL+1z3nci9QMC8zgzpOGTsPj840sOKmHiuI4k9Edc3mKLo7y1OlBNyaR9hQoakXwC4qWl4IzL8Uc8AsehClz+39I1E1GEQ6QlDbIpeqc6Q3eET2wm/PaX4WscnlXslz/3XFEujUnentsJocgl8PbgwdU8phizcv+nE6xkgSPAOn5f7Q4I7AEBshxx8ONvgvsNB6z1mQMr5soF+s6rdddTuRVjOtl5vureYMSHpAluQ1KTaId+FDsXif6bZIObthy8SeFe4iinh5LHraLNbuP5UOn1QkZCqWp6jDPHGeQ8vlqgQivWhj405K+fwj0MHf4X0W7bpDLlYCQiWuXCFUrpT5IYuR+hGRHO+uWo0rnTdvv8lUV1hzgCgZahXzRAialjOSOIyoaaz5GP5aUAIBStah9SjU1uFVx8BJ44WOhPiX0CRdpr2UHcRl/fVjSWjbrY614J13AvsFCGxcZ8r/WbQM3YXH8xE4rmvcOS23k4qKLyryQvdjNo36Xv2kUMhIetf/69GE1WwkQmim2f6cWZhHNHHEDQBA37RhspcDPnTGinwXJQkKu8moF9QtC9bL+ORLTtFloiXdNSV8Wg2ajuvrNqTNiaxePh1RSqCfANSlhNEnlaSzzU/nKyJ+CHmx+2aqtLWRGkR4isq8IiYuIdF6y5jZuZ+4n3MtLli86yuJf5qQ4axQ0PXZcqiOh2IPevJamwDi8SuSs2rX+RFEQ==
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3719551088_1994069852"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY1P110MB0616.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: c55ff7fa-3159-4c24-e4e1-08d9a5e1aa71
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Nov 2021 13:38:09.4212 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1P110MB0615
X-Proofpoint-ORIG-GUID: TX6UqaplTZl9-2WBgpvWGVTyDfhABn5C
X-Proofpoint-GUID: TX6UqaplTZl9-2WBgpvWGVTyDfhABn5C
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-11-12_04:2021-11-11, 2021-11-12 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 bulkscore=0 spamscore=0 suspectscore=0 mlxscore=0 mlxlogscore=999 malwarescore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111120077
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CMzo5KI93NG0IOqC0TEmMEugxDs>
Subject: Re: [CFRG] NSA vs. hybrid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 13:38:20 -0000

To me, having multiple signatures in one certificate is asking for troubles.

Using Dan's terminology: you want P chain of trust - ask for it, you want Q chain of trust - request that. In the unlikely case of wanting both - get both, AFAICT, the overhead would be small.

In practice, large PKI that have multiple intermediary CAs, will likely have separate CAs for P and Q certs.

<soapbox>Oh, speaking of how cert validation can be screwed up - how about validating email signatures in MS Outlook and Apple Mail? They totally ignore DN, and can only parse *one* SAN - because, hey, who's ever heard of a person with more than one email address, right?  And you expect P+Q certificates to be validated correctly? Oh well...</soapbox>
--
Regards,
Uri
 
There are two ways to design a system. One is to make is so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
                                                                                                                                     -  C. A. R. Hoare
 

On 11/12/21, 07:05, "CFRG on behalf of D. J. Bernstein" <cfrg-bounces@irtf.org on behalf of djb@cr.yp.to> wrote:

    > >   [ under "CONS" of "composite" certs ]
    > > > Can require reworking of certificate validation
    > > Yikes---sounds scary given how tricky certificate validation is. But
    > > wait a minute. Isn't certificate validation simply calling signature
    > > verification as a black box? What has to be reworked here?
    > In theory it should be simple, in practice there's constant mistakes made in
    > validating certificate chains and certificate properties. In theory this should
    > be as simple as requiring dual and identical certificate chains with no
    > difference but the asymmetric primitives, requiring both to be valid at once.
    > In practice, I expect this to get messed up in a million different ways.

    My understanding of the terminology of the slides is that a "composite"
    certificate is one where the protocol is checking _one_ certificate with
    _one_ signature from the CA as usual, but the signature details are
    built _internally_ as requiring two component signatures to be valid.

    This approach doesn't touch the logic of certificate validation outside
    the signature-verification black box. So I'm puzzled as to why NSA is
    pointing to "reworking of certificate validation" as a disadvantage for
    _this_ approach rather than for the _other_ approach.

    > >   [ under "PROS" of "non-composite" certs ]
    > > > Computational processes remain unchanged (but perhaps multiple
    > > > iterations)
    > > This sounds weird, given that the whole point is to be adding new
    > > post-quantum primitives into the picture. Perhaps I'm missing some
    > > restricted definition of "computational process".
    > This is essentially a variant of the argument above, you run the validator
    > twice on different certs with only the primitive being different. The validator
    > needs additional changes to put both chains in the same cert. 

    Say P is whichever ECC system and Q is whichever post-quantum system.
    Here's my understanding of the two options under discussion:

       (1) Send a certificate with a "composite" P+Q signature to satisfy
           new clients; also, for however long the transition takes, send a
           certificate with a P signature to satisfy old clients.

       (2) To satisfy new clients, send a certificate with a Q signature and
           a certificate with a P signature; the second certificate will
           also satisfy old clients.

    I don't see how either of these qualifies as "computational processes
    remain unchanged": new clients are in any case doing a new Q process.
    For the first option, there's a new P+Q signature system; for the second
    option, there's a new Q signature system and new certificate logic.

    ---Dan

v2.23.0 | Report a Bug | By Email