IETF Logo Mail Archive

Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"

Hubert Kario <hkario@redhat.com> Wed, 21 February 2024 15:52 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00594C1519A7 for <cfrg@ietfa.amsl.com>; Wed, 21 Feb 2024 07:52:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S5A-jo5zYGaa for <cfrg@ietfa.amsl.com>; Wed, 21 Feb 2024 07:52:11 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3285CC151992 for <cfrg@irtf.org>; Wed, 21 Feb 2024 07:52:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1708530729; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3e1Q7wn84/1+9/wBmldzz8phXcp/5L8hAmPN0UKbkTU=; b=EGAcLmrB3UtPkuTav4Z/DfPR2G5I3dmUttZTm8BwGnnq09AxYDj38/MeDc14baGUyJk+JZ 2eRnez4Y/eoROpFyU3QSEbA3Wml20aEa+Sk1g2N7QMYAJLGXq7Ici6D7juw7/iAXRAzbW+ QBSS/jp1inNJkJANiouGsxR/OrZYZc4=
Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-363-iI52d3UvPz2TRPFxQjIZ8w-1; Wed, 21 Feb 2024 10:52:08 -0500
X-MC-Unique: iI52d3UvPz2TRPFxQjIZ8w-1
Received: by mail-wr1-f70.google.com with SMTP id ffacd0b85a97d-33d39bc6bf4so2096487f8f.0 for <cfrg@irtf.org>; Wed, 21 Feb 2024 07:52:07 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708530727; x=1709135527; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=xbfboy9Z07M/ROpEATuW2TKMPBIFCVZ/vpd0DzyUK5o=; b=C+si+LpOXG3oC9khAAYtVcbZ6MM7nSNZCH/AfgHemlLs57Kdwv9xO8d4BFj5WXB0vh VgblmYT6x0/HEEcc9yWJOPJcaeQDCAOAMZOUWBL+ozHmfnFt/9NDXkMIOn/WWTI6OK0V m3EJCXPsKINj3ETXj9gyMNz0dgZJHJ/hEOO7LuUwJcXXga4VczkkKIz7SXXzN8A4o6jC XONUX8OwIVvwBHZtllv4cY4NFWbG6X/UndIQuaFJ6WhlLutFjG8RejLhFtezkAFEJ/BG Eigqdjos7EetIXIb0T6kFcWj3WTDzmP69gw3LLf6D2u+pvnHTMIUFvyNjllx2/MX/54e RKbA==
X-Forwarded-Encrypted: i=1; AJvYcCWOo54bLviPsR0lXooa8C7DBVGlOkuJGWq8ZfZH5jGHYnJ413PGXjE7Yw+XAFjLKTxCpPP5k3nKQwiWj5rX
X-Gm-Message-State: AOJu0YxEYBNmtaEA6mReZP2pBQFIfVaaiz7pHvKS/LMfI2TRjxNovzpJ 6j/VAsyVjR4yisC/1RP/IzP4G2BFRXFOb37bMCpo2mfhBuQw7vKIkItYJSGg4w3BP/j+aAUVBrA VVsX0kNvW+Jv+TfsSHXJbszVjwhFb7l1YEvYPW4nSqQ==
X-Received: by 2002:adf:f144:0:b0:33d:3cea:8484 with SMTP id y4-20020adff144000000b0033d3cea8484mr9904309wro.1.1708530726993; Wed, 21 Feb 2024 07:52:06 -0800 (PST)
X-Google-Smtp-Source: AGHT+IFVyrXZr82FuHyE7w4B30v0pnmxbEIYNcldPzBL9P6uQAGQ9lxcPfUQLQkDdLAJyuJqF9cl5A==
X-Received: by 2002:adf:f144:0:b0:33d:3cea:8484 with SMTP id y4-20020adff144000000b0033d3cea8484mr9904279wro.1.1708530725958; Wed, 21 Feb 2024 07:52:05 -0800 (PST)
Received: from localhost (nat-pool-brq-u.redhat.com. [213.175.37.12]) by smtp.gmail.com with ESMTPSA id h7-20020a056000000700b0033ce214a97csm17252889wrx.17.2024.02.21.07.52.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Feb 2024 07:52:05 -0800 (PST)
From: Hubert Kario <hkario@redhat.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Watson Ladd <watsonbladd@gmail.com>, CFRG <cfrg@irtf.org>
Date: Wed, 21 Feb 2024 16:52:04 +0100
MIME-Version: 1.0
Message-ID: <aa9dedf2-d3ff-4899-939f-31717c373329@redhat.com>
In-Reply-To: <CH0PR11MB573995927633B3F2E46F79519F572@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CACsn0cmHNUGvDLctDKE4OUAWZiu3Ukj14hPBdP5Pd6B20CH44g@mail.gmail.com> <CH0PR11MB57392D1AD5E11B0F9813D09C9F502@CH0PR11MB5739.namprd11.prod.outlook.com> <CACsn0cm5Mk4fe-0V7ZvqnMrgm-yLEYxBtdvZCY6_2bFNMDKYqQ@mail.gmail.com> <CH0PR11MB57397410451311E1F310858B9F502@CH0PR11MB5739.namprd11.prod.outlook.com> <f0f38c7f-709a-4831-adec-5b74e5472eca@redhat.com> <CH0PR11MB5739B79C1BC69F91187663A79F572@CH0PR11MB5739.namprd11.prod.outlook.com> <87dcfb15-293a-4cfc-b264-c19ef5496bcc@redhat.com> <CH0PR11MB573995927633B3F2E46F79519F572@CH0PR11MB5739.namprd11.prod.outlook.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.11; xcb; Linux; Fedora release 38 (Thirty Eight)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Qj94N-K_NQsD5RQf0XK0qfbdJHE>
Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2024 15:52:15 -0000

Not aware of anything CMS specific.
My draft is a general recommendation.
For JWA/JWE PKCS#1v1.5 is already dead: no browser allows PKCS#1v1.5 
encryption in webcrypto API.

Now in the wider context: Will there people that continue to do stupid
things? Absolutely.
Should we make it easy for them to do stupid things? I don't think so.

On Wednesday, 21 February 2024 16:37:30 CET, Mike Ounsworth wrote:
> Hi Hubert,
>  
> That’s a TLS-specific draft. Is there anything that would cover 
> PKCS#1 usage in CMS or JOSE (JWA)?
>  
> ---
> Mike Ounsworth
>  
> From: Hubert Kario <hkario@redhat.com> 
> Sent: Wednesday, February 21, 2024 9:30 AM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
> Cc: Watson Ladd <watsonbladd@gmail.com>; CFRG <cfrg@irtf.org>
> Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"
>  
> On Wednesday, 21 February 2024 16: 12: 58 CET, Mike Ounsworth 
> wrote: >> If we don't provide OIDs for combined PKCS#1/Kyber, 
> then people won't > be using it. > > That’s optimistic 😊 > I 
> think it means that people won’t be using
> On Wednesday, 21 February 2024 16:12:58 CET, Mike Ounsworth wrote:
>>> If we don't provide OIDs for combined PKCS#1/Kyber, then people won't
>> be using it.
>>  
>> That’s optimistic 😊
>> I think it means that people won’t be using it in a 
>> standardized and peer-reviewed way, which might be worse.
>>  
>> Hypothetical situation: an organization has a FIPS certified 
>> implementation of RSAencryption-PKCS#1v1.5.
>  
> It's purely hypothetical, as in FIPS mode you're not allowed to use
> PKCS#1v1.5 since 1st of January 2024, no matter when your cryptographic
> module received certification.
>  
>> Once FIPS 203 drops 
>> in June – August 2024, it will take X years go get ML-KEM 
>> through the FIPS certification, but in the meantime they can 
>> claim FIPS-certification on a PKCS#1/Kyber hybrid. If the IETF 
>> is only giving OIDs for OAEP/Kyber and RSA-KEM/Kyber, then they 
>> will have to implement new OAEP or RSA-KEM code and run that 
>> through FIPS certification that will equivalently take X years. 
>> That’s a strong reason to use PKCS#1/Kyber, whether or not the 
>> IETF has provided an OID for it.
>>  
>> I’m not necessarily saying that people *are* going to do this 
>> (I need to do some homework here too), but I think that *IF* 
>> people are going to do this, then it’s probably worth doing 
>> properly in a standardized and peer-reviewed way.
>>  
>> By the way #1: Is there an RFC that formally deprecates 
>> RSAencryption-PKCS#1v1.5?
>  
> not yet: 
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/__;!!FJ-Y8qCqXTj2!c7bWTChVknVaBqExzLbeF7OCgpQiCWsgL9FQuQkxaJLCWqsY-JR2NiTA5OJL7hvAALBCQN8MBWKYV4YH46I$
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-kario-rsa-guidance/__;!!FJ-Y8qCqXTj2!c7bWTChVknVaBqExzLbeF7OCgpQiCWsgL9FQuQkxaJLCWqsY-JR2NiTA5OJL7hvAALBCQN8MBWKYPz0v_RM$
>  
> but it's basically a done deal at this point
>  
>> By the way #2: no argument that RSA-OAEP is in all ways better, 
>> but for my education, I am aware of the Bleichenbacher attack, 
>> and that there exist many bad implementations of PKCS#1v1.5, but 
>> also that in absence of an exploitable decryption oracle, right?
>  
> The whole issue with PKCS#1v1.5 is that padding check error is the 
> information
> that the attacker is looking for.
>  
> Normal way of handling errors is to raise an exception, or push it to error
> stack, or do 100 other ways that triggers a different code path than
> regular decryption. That means that error processing generally will have
> a different timing characteristic than successful decryption, making
> the attack easy.
>  
> Handling that error in side-channel free way requires two page-long 
> description
> in the TLS RFC 
> (https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/rfc5246*section-7.4.7.1__;Iw!!FJ-Y8qCqXTj2!c7bWTChVknVaBqExzLbeF7OCgpQiCWsgL9FQuQkxaJLCWqsY-JR2NiTA5OJL7hvAALBCQN8MBWKYqRHgGGk$)
> and the TLS gets away with it only because the PMS is also mixed with
> ServerHello.random before using it for encryption key derivation.
> Protocols like CMS don't have that luxury.
>  
>> Also,
>>  
>> ---
>> Mike Ounsworth
>>  
>> From: Hubert Kario <hkario@redhat.com> 
>> Sent: Wednesday, February 21, 2024 8:22 AM
>> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
>> Cc: Watson Ladd <watsonbladd@gmail.com>; CFRG <cfrg@irtf.org>
>> Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"
>>  
>> On Wednesday, 21 February 2024 00: 07: 25 CET, Mike Ounsworth 
>> wrote: > Hi Watson, Sophie, Hubert, > > I’ll reply all at once. 
>> > > > The point of having ML-KEM + RSA hybrids is not about 
>> reusing > *keys*, which I agree should
>> On Wednesday, 21 February 2024 00:07:25 CET, Mike Ounsworth wrote:
>>> Hi Watson, Sophie, Hubert,
>>>  
>>> I’ll reply all at once.
>>>  
>>>  
>>> The point of having ML-KEM + RSA hybrids is not about reusing 
>>> *keys*, which I agree should not be done, but about reusing 
>>> *code*. For the ultra-conservative crowd, being able to put 
>>> their existing code (again, “code”, not “keys”) into hybrid 
>>> reduces the migration risk.
>>>  
>>> Hubert, I am not trying to suggest that RSA_PKCS#1v1.5 is 
>>> acceptable in any academic sense, but I am suggesting that it 
>>> still very much exists in the wild in applications which need 
>>> migrate-out strategies. If you want to leverage ML-KEM in 
>>> addition to your existing codebase, and your existing codebase 
>>> is RSA_PKCS#1v1.5, then that is what you will do.
>>  
>> That would make sense only if your code base implements PKCS#1v1.5
>> properly, and the chances for that are slim to none.
>>  
>> The list on Marvin Attack page is over 30 implementations long
>> _because I tested just over 30 implementations._ Of all the ones
>> tested only two turned out to be side-channel safe.
>>  
>> People's efforts are far better spent making sure that OAEP is implemented
>> correctly than wrangling PKCS#1v1.5 to make it side-channel free.
>> Implementing OAEP from scratch will be easier than implementing
>> PKCS#1v1.5 in side-channel free way.
>>  
>>> I suppose it is one possible outcome here for the IRTF / IETF 
>>> to say that RSA-PKCS#1 and/or RSA-OAEP and/or RSA-KEM are 
>>> deprecated and the IRTF / IETF will not be standardizing ML-KEM 
>>> + RSA hybrids. That will not prevent people from doing it, it 
>>> will just prevent people from doing it in standardized and 
>>> peer-reviewed ways.
>>  
>> If we don't provide OIDs for combined PKCS#1/Kyber, then people won't
>> be using it.
>>   
>>> ---
>>> Mike Ounsworth
>>>  
>>> From: Watson Ladd <watsonbladd@gmail.com> 
>>> Sent: Tuesday, February 20, 2024 3:15 PM
>>> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
>>> Cc: CFRG <cfrg@irtf.org>
>>> Subject: Re: [EXTERNAL] [CFRG] What I want from the "KEM hybrids"
>>>  
>>> On Tue, Feb 20, 2024, 1: 06 PM Mike Ounsworth 
>>> <Mike. Ounsworth@ entrust. com> wrote: > > Hey Watson, > > > > I 
>>> could come around to this viewpoint that CFRG should not 
>>> standardize a generic KEM combiner, but instead publish
>>> On Tue, Feb 20, 2024, 1:06 PM Mike Ounsworth 
>>> <Mike.Ounsworth@entrust.com> wrote:
>>>> 
>>>> Hey Watson,
>>>> 
>>>> 
>>>> 
>>>> I could come around to this viewpoint that CFRG should not 
>>>> standardize a generic KEM combiner, but instead publish a suite 
>>>> of specific-algorithm combiners.
>>>> 
>>>> 
>>>> 
>>>> The question then becomes: “which algorithms need to be 
>>>> supported on the Internet during the PQC migration period?”  
>>>> The answer is probably some subset of  {ML-KEM, NTRU, Classic 
>>>> McEliece} X {X25519, X448, ECDH{P*, Brainpool*}, RSA-KEM, 
>>>> RSA-PKCS#1, RSA-OAEP}. Then we get into the game of trying to 
>>>> figure out which of those combinations have enough usage to 
>>>> motivate their own spec.
>>>  
>>>  
>>> I'm not convinced we need any RSA options. You shouldn't reuse key
>>> material for this.
>>>  
>>> Why Brainpool? It's not deployed widely. ECDHP makes sense for
>>> FedRAMP/FIPS issues but I won't cry if we say X25519 alone because
>>> that is permitted now even if certificates aren't quite updated. There
>>> needs to be a strong rationale for each additional variation, because
>>> the more you fill out the cartesian product the more tempting a
>>> generic interface that application users will misuse becomes.
>>>  
>>>> 
>>>> 
>>>> 
>>>> The alternative is that CFRG publish a few optimized 
>>>> combinations, like ML-KEM+x25519, and a lower-performance 
>>>> generic combiner for “the rest”.
>>>  
>>> There is no generic interface here: RSA-OAEP, ECDH, are different in
>>> ways that matter for security.
>>>  
>>> Sincerely,
>>> Watson
>>  
>  

-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email