IETF Logo Mail Archive

Re: [Cfrg] Key establishment advice (say, for TLS): How about MQV?

Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 06 March 2014 16:28 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94F4D1A0226 for <cfrg@ietfa.amsl.com>; Thu, 6 Mar 2014 08:28:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_21=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GdIjUy_ShjuR for <cfrg@ietfa.amsl.com>; Thu, 6 Mar 2014 08:28:16 -0800 (PST)
Received: from mail-qc0-x22a.google.com (mail-qc0-x22a.google.com [IPv6:2607:f8b0:400d:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 8987C1A01DF for <cfrg@irtf.org>; Thu, 6 Mar 2014 08:28:13 -0800 (PST)
Received: by mail-qc0-f170.google.com with SMTP id e9so3222836qcy.1 for <cfrg@irtf.org>; Thu, 06 Mar 2014 08:28:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=Ro+3zDFbrROXvEBrOLY9sQDrtiYMHtrlin5hMZSyBDs=; b=Msk85F5JWXkbUrKFKRYLOv9nviSmnxR6POFqD48Dc+Eqr6qDEPPUkzR5tcLt/nIabd YWhthuFazDLD3qsAF6OGxZjnOahbt7jy4OnpIUM3xkAW9ahX1MOWRJuhSSacRLkeoiaV xuEJRZadIp+HYzXWb+PSP5aVd7BDWALlQgPPDlxPs/rICWvaqg+1Rr4IOrpa7f7fPx94 az0M8VfvRwrwiJAx3htKPULlBNf86vGiGvzf/rifb2YCy9kVTKtZYvBgXxIHI7e4xRlC 5iEOp+NibBPhfsGSCB1LAy1ShJk0+RpdZrxxcazFc1cg+Dx+GwML6Wq/bQQzPEJ8tD+u eYMQ==
X-Received: by 10.140.23.52 with SMTP id 49mr14223952qgo.17.1394123289292; Thu, 06 Mar 2014 08:28:09 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.96.181.9 with HTTP; Thu, 6 Mar 2014 08:27:39 -0800 (PST)
In-Reply-To: <CADi0yUMAnbbWg7iXJdAddc+9YOr5-B=XRN3VbTO48hAS1acwBg@mail.gmail.com>
References: <810C31990B57ED40B2062BA10D43FBF5C46AB5@XMB116CNC.rim.net> <CADi0yUMAnbbWg7iXJdAddc+9YOr5-B=XRN3VbTO48hAS1acwBg@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Thu, 06 Mar 2014 11:27:39 -0500
X-Google-Sender-Auth: drCftXlwXHhT4rKa-BS8x8GZsBY
Message-ID: <CADi0yUOxJhztH_S-j1TSN4WNdb5BBuLPHdSXVhfaB0-DpjPFqQ@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/related; boundary="001a11c148366ea25904f3f29fe8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/onDuGu7ayEx4DQzKPY4GTPKB2QQ
Subject: Re: [Cfrg] Key establishment advice (say, for TLS): How about MQV?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 16:28:21 -0000

A clarification on my previous email:

> There has been some contention about the need to do group membership
tests in
> HMQV. Indeed, the need for this depends on the use case and security
model.
> However, this issue is relevant for mod p groups where such tests are
expensive.
> For elliptic curves the test is inexpensive hence can be made an integral
part
> of the protocol.

The group membership test would be performed by the parties in the
protocol, not by the CA. It would be applied to a single element that
combines the static and ephemeral values (in the HMQV paper notation Alice
applies the test to  YB^e and Bob to XA^e). The part of the test checking
the order of these elements is needed in two cases: for the one-pass
variant of the protocol and to achieve security in case of compromise of
the ephemeral exponents (x and y in HMQV notation). The latter makes sense
in settings where the long-term keys are better protected than the
ephemeral exponents. But as said, in the EC setting the group membership
test, including testing the order, is inexpensive so it makes sense to
always perform it.

If one wanted to use HMQV in the IETF, a full detailed spec would be
required of the type written for the mod p groups in P1363. But there is no
point in doing it as long as the patent issues stand in the way of
standardization.

Hugo



On Wed, Mar 5, 2014 at 11:45 PM, Hugo Krawczyk <hugo@ee.technion.ac.il>wrote:

> ​A few notes on the potential use of HMQV for TLS.
>
> I do believe that HMQV could be a good basis for TLS 3.0 due to its
> efficiency,
> versatility, and proof of security (I comment a bit on these aspects
> below).
> But given the patent issues surrounding the protocol I doubt it would be
> feasible to get this standardized by the IETF. As I understand, Certicom
> has
> some claims on the MQV protocol and IBM has a patent on HMQV.
>
> HMQV gives an authenticated DH exchange *at essentially the cost of plain
> DH*
> (plus certificate verification) and can support "seamlessly" several
> functional
> variants: from implicit mutual or unilateral authentication to explicit
> authentication with key confirmation to a single message key exchange with
> unilateral or mutual authentication. The latter mode is particularly well
> suited
> as a one-message key exchange of the type I've seen in some "TLS 3.0"
> proposals
> (which assume some form of anti-replay state) and has the advantage of
> optionally accommodating client authentication almost for free.
>
> The protocol has a proof of security (scrutinized through several hundred
> papers
> that build upon HMQV) which not only serves to have confidence in the
> design but
> also avoids the "safety margins" typically needed for not-well-understood
> protocols. Very importantly, it avoids the need to rely on the CA to check
> the
> algebraic properties of public keys (as it is required, for example, by
> MQV).
> Indeed, such reliance would be a kiss of death to a protocol intended for
> wide
> use as CA's do not typically do such tests. In particular, it would be
> totally
> unusable for TLS where a server signs its own HMQV key (and the CA
> certifies the
> server signature key).
>
> There has been some contention about the need to do group membership tests
> in
> HMQV. Indeed, the need for this depends on the use case and security model.
> However, this issue is relevant for mod p groups where such tests are
> expensive.
> For elliptic curves the test is inexpensive hence can be made an integral
> part
> of the protocol.
>
> Finally, for those wondering if UKS attacks should be avoided in TLS. For
> many
> years I had to work hard to convince people that UKS attacks are real
> threats.
> The counter-intuitive nature of these attacks is that an attacker can
> cause harm
> without having to learn the key. Fortunately (or should I say
> unfortunately), the
> "re-negotiation bug" in TLS is an excellent demonstration of how practical
> such an
> attack can be. Nothing better than the history of TLS to show that one
> better
> takes seriously attacks that seem theoretical at first glance.
> ​
>
> Hugo
>
>
> On Tue, Mar 4, 2014 at 12:10 PM, Dan Brown <dbrown@certicom.com> wrote:
>
>>  Dear CFRG list,
>>
>>
>>
>> If I understand correctly, the TLS WG plans a protocol revision which
>> will modify the underlying key establishment scheme.  Should CFRG advise
>> TLS on key establishment?
>>
>>
>>
>> Naturally, TLS may have some specific requirements, directed towards the
>> nature of the client and server in the transport layer, whereas CFRG might
>> have expertise on a more generic security level.  So, perhaps, TLS could
>> convey its requirements to CFRG, and CFRG could return a set of key
>> establishment schemes that meet those requirements, in particular, those
>> which have been extensively researched.  (Well, that’s a bit formal, and
>> probably requires a few more iterations than I described, but seems
>> sensible to me.)  More likely, TLS will pick their own key establishment
>> scheme, and ask for CFRG’s blessing.
>>
>>
>>
>> I haven’t followed the TLS list too closely, but I’d summarize two main
>> possible approaches as: (1) patch and (2) overhaul.  On the overhaul side,
>> I’ve seen Watson Ladd’s suggestion of signed ephemeral DH: which is
>> something TLS already has, with the core of the proposal being to narrow
>> the options drastically.  I’ve also seen a couple of IACR eprints analyzing
>> the security of certain TLS ciphersuites.  (Maybe these would go on the
>> patch side?)  If I recall those papers correctly, they define some special
>> security models just for TLS, but I forget if these models were chosen just
>> to make the proofs work for the protocols used in the ciphersuites, or for
>> something more fundamental like the nature of the transport layer.
>>
>>
>>
>> ***
>>
>>
>>
>> I’d like to suggest a key establishment scheme for CFRG consideration:
>> MQV (or one of its successors, maybe), with an eye to perhaps recommend to
>> IETF WGs such as TLS.
>>
>>
>>
>> ***
>>
>>
>>
>> Some generic (non-TLS-specific) issues for MQV:
>>
>>
>>
>> Two benefits of MQV over signed ephemeral DH, as I see it, would be
>> efficiency (though I’m no expert) and better plausible deniability (due to
>> the lack of signatures).  I wonder what CFRG thinks of these benefits.
>>
>>
>>
>> Existing standards that specify versions of MQV include ANSI
>> X9.{44,63,98}, NIST SP 800-56A, IEEE P1363, and SEC1.  Therefore, it may be
>> redundant for CFRG to draft on RFC for MQV, although CFRG may wish to write
>> an RFC to profile the version that they like best.
>>
>>
>>
>> These standards go towards the maturity of MQV, in the sense that they
>> received scrutiny from the committees that drafted them, and have been
>> public for a long time, and have served as an incentive to cryptanalytic
>> research, being fairly high profile targets.
>>
>>
>>
>> The HMQV paper by Krawczyk critiques MQV, but these critiques did not
>> seem terribly serious to me, at least when I last read them years ago.
>> Also, I’m not sure how other key establishment schemes fare under these
>> more stringent requirements (session-state reveal attacks, and so on).
>>
>>
>>
>> The version of the MQV from NIST requires identifiers in the KDF, which
>> helps prevent UKS attacks.  (I’m not sure if TLS needs to resist UKS
>> attacks, but a recent thread on the TLS reminds of UKS attacks.)
>>
>>
>>
>> I recently released a (rather theoretical and very incomplete) IACR
>> eprint on MQV.  It only covers a modest, but essential, level of security
>> for key agreement schemes.  I think other people on the CFRG list are much
>> more up to speed on the key establishment schemes.
>>
>>
>>
>> ***
>>
>>
>>
>> Some TLS-specific issues for MQV, but at a high level for CFRG
>> consideration:
>>
>>
>>
>> Past proposals to integrate MQV into TLS a few times include:
>>
>>
>>
>>
>> https://datatracker.ietf.org/doc/search/?name=mqv&rfcs=on&activedrafts=on&olddrafts=on&sort
>> =
>>
>>
>>
>> Perhaps these could be improved, given current knowledge on key agreement.
>>
>>
>>
>> A major issue is that MQV usually presumes mutual authentication, but TLS
>> accommodates anonymous clients. Leaving the MQV client “static” key
>> unauthenticated seems, at least intuitively, to reduce MQV to DH, on the
>> client side, which is not much of a loss.  It may be possible to have
>> stateful TLS client retain a static MQV key, but still unauthenticated.
>> This could be used for the weaker TOFU model of trust, so may still have
>> some security benefit.
>>
>>
>>
>> If I understand correctly, TLS may now want to add some kind of
>> anonymity, e.g. encryption of certificates and other identifiers.  Since
>> MQV involves sending ephemeral key, these could, at the cost of an extra
>> shared key computation, protect the static (certified or trusted) keys
>> against passive adversaries.  I’m not sure if the resulting double use of
>> the ephemeral keys would undermine the security of MQV.
>>
>>
>>
>> Best regards,
>>
>>
>>
>> -        Dan
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>

v2.23.0 | Report a Bug | By Email