Re: [CFRG] NSA vs. hybrid

Natanael <natanael.l@gmail.com> Tue, 16 November 2021 21:17 UTC

References: <20211112120349.636988.qmail@cr.yp.to> <46B5E229-0BB2-46D7-BFD3-98C10C6105EE@gnunet.org> <YZKHYWJgJHNtLsuG@LK-Perkele-VII2.locald>
In-Reply-To: <YZKHYWJgJHNtLsuG@LK-Perkele-VII2.locald>
From: Natanael <natanael.l@gmail.com>
Date: Tue, 16 Nov 2021 22:17:18 +0100
Message-ID: <CAAt2M1_qKck_Y+Ufgj5vB7+AA=Vp+=uQqboWVSHMZp_eSg5Bfw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/lNVLFFQZiTR9NmYq0_j-AbvuGJg>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

On Mon, 15 Nov 2021 at 17:14, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> On Sun, Nov 14, 2021 at 10:49:29PM +0100, Jeff Burdges wrote:
> >
> > It’s always possible logic bugs arise in validation code of course,
> > but test vectors can trivially catch these bugs, assuming the
> > certificate format specifies both key types and the hybrid protocol.
>
> Catching those bugs may be far from trivial. Buggy signature
> verification code might have false accepts that are not trivial to
> generate, but still greatly weaken the security. One cannot
> catch those with test vectors.
>
> I have not looked at if there are easy-to-make mistakes in
> signature verification of NISTPQC candidates that would behave in
> that way (not be obviously broken but still exploitable).
>
> > It’s fairly clear separate P and Q certificate chains obstruct test
> > vectors from enforcing this and invite more opportunities for
> > downgrade attacks, etc. too.
>
> IMO, the complexity of separate P and Q chain verification is
> absolutely terrifying. As for downgrade attacks, it is not clear how to
> deal with that even in theory, let alone in practice.
>

Besides committing to the algorithm negotiation as in TLS 1.3 to prevent
regular downgrade attacks, there also needs to be a policy that post-quantum
CAs can only sign post-quantum certs (or hybrid certs), and that
hybrid CAs can ONLY sign hybrid certs up until some predefined transition
period has ended (under the assumption that the CA cert gets deprecated
then, with the hybrid requirement renewed if we're not yet certain of the
strength of post-quantum algorithms).

If we feel certain enough at the end of that period that the post-quantum
algorithm will hold, then it remains valid and gets to sign post-quantum-only
certs.

The next two problems are that nobody will agree on the length of that
period, and that CA rollover is still problematic (just see the recent
Let's Encrypt issues on older devices).
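The issuance policy sketched in the message above (post-quantum CAs sign only post-quantum or hybrid certs; hybrid CAs sign only hybrid certs until a transition date, and post-quantum-only certs afterwards only if the post-quantum algorithm is still trusted), written out as a chain-walk check. This is an added example for this archive page, not code from the thread or from any CFRG draft. The `KeyKind` labels, the `Cert` record, the `TRANSITION_END` date and the rule for classical-only CAs (which the message does not cover) are all assumptions made here; the sample chains are constructed, not real certificates.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class KeyKind(Enum):
    CLASSICAL = "classical"   # classical signature only (RSA/ECDSA/EdDSA)
    HYBRID = "hybrid"         # classical AND post-quantum; both must verify
    PQ = "pq"                 # post-quantum signature only


@dataclass(frozen=True)
class Cert:
    subject: str
    key: KeyKind   # kind of this certificate's own (subject) key
    is_ca: bool


# Hypothetical end of the hybrid-only transition window. The message notes
# that nobody will agree on this, so the date is a pure assumption.
TRANSITION_END = date(2030, 1, 1)


def allowed_child_kinds(issuer: KeyKind, today: date, pq_trusted: bool) -> set:
    """Key kinds that an issuer of kind `issuer` may sign on `today`."""
    if issuer is KeyKind.PQ:
        # Post-quantum CAs sign only post-quantum or hybrid certificates.
        return {KeyKind.PQ, KeyKind.HYBRID}
    if issuer is KeyKind.HYBRID:
        # Hybrid CAs sign ONLY hybrid certificates until the transition ends.
        # Afterwards they may also sign PQ-only certificates, but only if the
        # PQ algorithm is still trusted; otherwise the hybrid requirement is
        # renewed and the window effectively continues.
        if today >= TRANSITION_END and pq_trusted:
            return {KeyKind.HYBRID, KeyKind.PQ}
        return {KeyKind.HYBRID}
    # Classical CA (assumption, not from the message): may sign classical or
    # hybrid children but never a PQ-only one, since a PQ-only leaf under a
    # classical issuer inherits only classical strength while looking stronger.
    return {KeyKind.CLASSICAL, KeyKind.HYBRID}


def check_chain(chain, today: str, pq_trusted: bool = True) -> list:
    """Walk from trust anchor (chain[0]) to leaf (chain[-1]) and return the
    policy violations found; an empty list means the chain is acceptable.
    `today` is an ISO date string so the check is easy to call anywhere."""
    when = date.fromisoformat(today)
    problems = []
    for issuer, subject in zip(chain, chain[1:]):
        if not issuer.is_ca:
            problems.append(f"{issuer.subject} is not a CA but issued {subject.subject}")
            continue
        if subject.key not in allowed_child_kinds(issuer.key, when, pq_trusted):
            problems.append(
                f"{issuer.subject} ({issuer.key.value}) may not sign "
                f"{subject.subject} ({subject.key.value}) on {today}")
    return problems


def weakest_link(chain) -> KeyKind:
    """Forging the leaf only requires breaking the weakest key on the path:
    one classical-only key anywhere means a quantum adversary wins outright,
    one PQ-only key means a break of the PQ scheme alone suffices, and only
    an all-hybrid path forces the attacker to break both families."""
    kinds = {c.key for c in chain}
    if KeyKind.CLASSICAL in kinds:
        return KeyKind.CLASSICAL
    if KeyKind.PQ in kinds:
        return KeyKind.PQ
    return KeyKind.HYBRID


# Constructed sample certificates (labels only, no real keys or signatures).
PQ_ROOT = Cert("PQ Root", KeyKind.PQ, True)
HYBRID_SUB = Cert("Hybrid Sub CA", KeyKind.HYBRID, True)
CLASSICAL_SUB = Cert("Classical Sub CA", KeyKind.CLASSICAL, True)
HYBRID_LEAF = Cert("example.org (hybrid)", KeyKind.HYBRID, False)
PQ_LEAF = Cert("example.org (pq)", KeyKind.PQ, False)

if __name__ == "__main__":
    for chain, today in [
        ([PQ_ROOT, HYBRID_SUB, HYBRID_LEAF], "2025-06-01"),       # fine
        ([PQ_ROOT, HYBRID_SUB, PQ_LEAF], "2025-06-01"),           # too early for PQ-only
        ([PQ_ROOT, HYBRID_SUB, PQ_LEAF], "2031-01-01"),           # after the transition
        ([PQ_ROOT, CLASSICAL_SUB, HYBRID_LEAF], "2025-06-01"),    # PQ root signs classical CA
    ]:
        print([c.subject for c in chain], today,
              check_chain(chain, today) or "OK", weakest_link(chain).value)
```

The `weakest_link` classification is the reason the per-link policy matters: an all-hybrid path is the only configuration in which a downgrade of either signature family alone does not let an attacker forge the leaf, which is why the message wants hybrid CAs restricted to hybrid children during the transition.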