IETF Logo Mail Archive

Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"

Hubert Kario <hkario@redhat.com> Wed, 21 February 2024 16:15 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75A9EC14F70A for <cfrg@ietfa.amsl.com>; Wed, 21 Feb 2024 08:15:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y2x0mZ0TgKXI for <cfrg@ietfa.amsl.com>; Wed, 21 Feb 2024 08:15:54 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21606C14F6B1 for <cfrg@irtf.org>; Wed, 21 Feb 2024 08:15:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1708532153; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=A4aacfbQgAfxQLO3vqo8tod5rRUtUiWA/5jDMrQGwwk=; b=CTXHG/QxyVm7sfQMjnE7mE+/J9m7P7EHOGdGbjfq6DHrI9pNauIHpfspRiZzVoe6OpUhVw Jw2SEp6bkX5ZcGMiXKiYSu/u+9lQyj26L8+xTUWKtWFiAKvfr9vthx7mnQf3ZMXt/WOOUt oVHd8EU7jgkeJxldi6pW7bFXrDs9smg=
Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-426-IDwpe7uwPESCDa3yfrcEow-1; Wed, 21 Feb 2024 11:15:51 -0500
X-MC-Unique: IDwpe7uwPESCDa3yfrcEow-1
Received: by mail-wr1-f70.google.com with SMTP id ffacd0b85a97d-33d0d313b81so2971726f8f.3 for <cfrg@irtf.org>; Wed, 21 Feb 2024 08:15:51 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708532150; x=1709136950; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=PXP0HgYWmhb8ftpPct8Th/3Uhk2wcO5eo3vn06ZUu0U=; b=H3GAHRiLtlI4HfwJayposCzwg5KgcEPggCIHmC6k4/Xv+euRZjAT246TPB3UKgI4V5 1D1qBsHD8q6SyGIE14hatwymrqzVjhmhhz4XYnlXvV5ndv1/2z2AcPD86KEd9ug2YClr c3nSiCncNtB1hptMmA1lPNVxuxk1OrMlXGve4+oL/etAniymJm81R0BCxKgTDL1I5Aou 6j5RCpE15fAyJAfDDWJbvsNRtzBBF551xa3Szegk7AxiAIUit2ZZBbDNNN6cR0PRYTIn 53bqqUUmZMNb4C7ZSHftiMLjTtwofChg182tpS8HROgOGh0kO799wb3MaRWGfmgkWMoT sSzg==
X-Forwarded-Encrypted: i=1; AJvYcCUML6CkjWFxOPSWWT23PVs4W/7iyZwVcDJ5Q+hTHienmxgfL5Qwghe9gitAZUxjpOZIgaO5pC/4I6ymfUtj
X-Gm-Message-State: AOJu0YyZZjZe9aYvqrGnNASb97usViMIuLtVl/76UcrGxgLq/F46Mzpu j0HnOlNiLBaxggpS/KEAWG5z2sL9+8v/O/SSTYJwfo5N92CACuOnMjKeOcTRLnUTXhJQlYnoG9+ 3cuDtTLrTQvaqmBZCu17/29r4d/6nyG/BNnVXn692GzjDqtWIAQ==
X-Received: by 2002:a5d:50d2:0:b0:33d:5272:6a8f with SMTP id f18-20020a5d50d2000000b0033d52726a8fmr5758030wrt.14.1708532150381; Wed, 21 Feb 2024 08:15:50 -0800 (PST)
X-Google-Smtp-Source: AGHT+IE8IHaub4n+lrnxXEVYtWEI97gh7wm/0TCGbM7P72/2mMa6L+Qnijvq8BKCLaSG7FOME8a4tw==
X-Received: by 2002:a5d:50d2:0:b0:33d:5272:6a8f with SMTP id f18-20020a5d50d2000000b0033d52726a8fmr5758015wrt.14.1708532150025; Wed, 21 Feb 2024 08:15:50 -0800 (PST)
Received: from localhost (nat-pool-brq-u.redhat.com. [213.175.37.12]) by smtp.gmail.com with ESMTPSA id x6-20020adff0c6000000b0033cfc035940sm17254380wro.34.2024.02.21.08.15.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Feb 2024 08:15:49 -0800 (PST)
From: Hubert Kario <hkario@redhat.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Watson Ladd <watsonbladd@gmail.com>, CFRG <cfrg@irtf.org>
Date: Wed, 21 Feb 2024 17:15:48 +0100
MIME-Version: 1.0
Message-ID: <e1369b3b-d279-4f28-9076-71b1c20a55f5@redhat.com>
In-Reply-To: <CH0PR11MB5739C6CE875CB324341DA1859F572@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CACsn0cmHNUGvDLctDKE4OUAWZiu3Ukj14hPBdP5Pd6B20CH44g@mail.gmail.com> <CH0PR11MB57392D1AD5E11B0F9813D09C9F502@CH0PR11MB5739.namprd11.prod.outlook.com> <CACsn0cm5Mk4fe-0V7ZvqnMrgm-yLEYxBtdvZCY6_2bFNMDKYqQ@mail.gmail.com> <CH0PR11MB57397410451311E1F310858B9F502@CH0PR11MB5739.namprd11.prod.outlook.com> <f0f38c7f-709a-4831-adec-5b74e5472eca@redhat.com> <CH0PR11MB5739B79C1BC69F91187663A79F572@CH0PR11MB5739.namprd11.prod.outlook.com> <87dcfb15-293a-4cfc-b264-c19ef5496bcc@redhat.com> <CH0PR11MB573995927633B3F2E46F79519F572@CH0PR11MB5739.namprd11.prod.outlook.com> <aa9dedf2-d3ff-4899-939f-31717c373329@redhat.com> <CH0PR11MB5739C6CE875CB324341DA1859F572@CH0PR11MB5739.namprd11.prod.outlook.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.11; xcb; Linux; Fedora release 38 (Thirty Eight)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/stkjAubfQQcO1gpVygbLVno4keQ>
Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2024 16:15:58 -0000

On Wednesday, 21 February 2024 16:59:28 CET, Mike Ounsworth wrote:
>> For JWA/JWE PKCS#1v1.5 is already dead: no browser allows PKCS#1v1.5 
>> encryption in webcrypto API.
>  
> You’re trying to claim that JWE is only used in browsers? 
> Backend-to-backend JWE doesn’t count?
>  
> PKCS#1v1.5 encryption still seems to be supported in the two 
> largest JWE libraries for java:
>  
> https://javadoc.io/doc/com.nimbusds/nimbus-jose-jwt/latest/index.html
>  
> https://javadoc.io/doc/org.bitbucket.b_c/jose4j/latest/org/jose4j/jwe/RsaKeyManagementAlgorithm.Rsa1_5.html
>  

fair point

>  
>> Now in the wider context: Will there people that continue to do stupid
>> things? Absolutely.
>> Should we make it easy for them to do stupid things? I don't think so.
>  
> This is a fair point, but I would phrase it as “If we know that 
> people are going to do stupid things anyway, can we help them do 
> it less stupidly?”

and that is the "define RSA-OAEP+Kyber"

> ---
> Mike Ounsworth
>  
> From: Hubert Kario <hkario@redhat.com> 
> Sent: Wednesday, February 21, 2024 9:52 AM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
> Cc: Watson Ladd <watsonbladd@gmail.com>; CFRG <cfrg@irtf.org>
> Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"
>  
> Not aware of anything CMS specific. My draft is a general 
> recommendation. For JWA/JWE PKCS#1v1. 5 is already dead: no 
> browser allows PKCS#1v1. 5 encryption in webcrypto API. Now in 
> the wider context: Will there people that continue to do stupid
> Not aware of anything CMS specific.
> My draft is a general recommendation.
> For JWA/JWE PKCS#1v1.5 is already dead: no browser allows PKCS#1v1.5 
> encryption in webcrypto API.
>  
> Now in the wider context: Will there people that continue to do stupid
> things? Absolutely.
> Should we make it easy for them to do stupid things? I don't think so.
>  
> On Wednesday, 21 February 2024 16:37:30 CET, Mike Ounsworth wrote:
>> Hi Hubert,
>>  
>> That’s a TLS-specific draft. Is there anything that would cover 
>> PKCS#1 usage in CMS or JOSE (JWA)?
>>  
>> ---
>> Mike Ounsworth
>>  
>> From: Hubert Kario <hkario@redhat.com> 
>> Sent: Wednesday, February 21, 2024 9:30 AM
>> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
>> Cc: Watson Ladd <watsonbladd@gmail.com>; CFRG <cfrg@irtf.org>
>> Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"
>>  
>> On Wednesday, 21 February 2024 16: 12: 58 CET, Mike Ounsworth 
>> wrote: >> If we don't provide OIDs for combined PKCS#1/Kyber, 
>> then people won't > be using it. > > That’s optimistic 😊 > I 
>> think it means that people won’t be using
>> On Wednesday, 21 February 2024 16:12:58 CET, Mike Ounsworth wrote:
>>>> If we don't provide OIDs for combined PKCS#1/Kyber, then people won't
>>> be using it.
>>>  
>>> That’s optimistic 😊
>>> I think it means that people won’t be using it in a 
>>> standardized and peer-reviewed way, which might be worse.
>>>  
>>> Hypothetical situation: an organization has a FIPS certified 
>>> implementation of RSAencryption-PKCS#1v1.5.
>>  
>> It's purely hypothetical, as in FIPS mode you're not allowed to use
>> PKCS#1v1.5 since 1st of January 2024, no matter when your cryptographic
>> module received certification.
>>  
>>> Once FIPS 203 drops 
>>> in June – August 2024, it will take X years go get ML-KEM 
>>> through the FIPS certification, but in the meantime they can 
>>> claim FIPS-certification on a PKCS#1/Kyber hybrid. If the IETF 
>>> is only giving OIDs for OAEP/Kyber and RSA-KEM/Kyber, then they 
>>> will have to implement new OAEP or RSA-KEM code and run that 
>>> through FIPS certification that will equivalently take X years. 
>>> That’s a strong reason to use PKCS#1/Kyber, whether or not the 
>>> IETF has provided an OID for it.
>>>  
>>> I’m not necessarily saying that people *are* going to do this 
>>> (I need to do some homework here too), but I think that *IF* 
>>> people are going to do this, then it’s probably worth doing 
>>> properly in a standardized and peer-reviewed way.
>>>  
>>> By the way #1: Is there an RFC that formally deprecates 
>>> RSAencryption-PKCS#1v1.5?
>>  
>> not yet: 
>> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/__;!!FJ-Y8qCqXTj2!c7bWTChVknVaBqExzLbeF7OCgpQiCWsgL9FQuQkxaJLCWqsY-JR2NiTA5OJL7hvAALBCQN8MBWKYV4YH46I$
>> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-kario-rsa-guidance/__;!!FJ-Y8qCqXTj2!c7bWTChVknVaBqExzLbeF7OCgpQiCWsgL9FQuQkxaJLCWqsY-JR2NiTA5OJL7hvAALBCQN8MBWKYPz0v_RM$
>> 
>> but it's basically a done deal at this point
>>  
>>> By the way #2: no argument that RSA-OAEP is in all ways better, 
>>> but for my education, I am aware of the Bleichenbacher attack, 
>>> and that there exist many bad implementations of PKCS#1v1.5, but 
>>> also that in absence of an exploitable decryption oracle, right?
>>  
>> The whole issue with PKCS#1v1.5 is that padding check error is the 
>> information
>> that the attacker is looking for.
>>  
>> Normal way of handling errors is to raise an exception, or 
>> push it to error
>> stack, or do 100 other ways that triggers a different code path than
>> regular decryption. That means that error processing generally will have
>> a different timing characteristic than successful decryption, making
>> the attack easy.
>>  
>> Handling that error in side-channel free way requires two page-long 
>> description
>> in the TLS RFC 
>> (https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/rfc5246*section-7.4.7.1__;Iw!!FJ-Y8qCqXTj2!c7bWTChVknVaBqExzLbeF7OCgpQiCWsgL9FQuQkxaJLCWqsY-JR2NiTA5OJL7hvAALBCQN8MBWKYqRHgGGk$)
>>and the TLS gets away with it only because the PMS is also mixed with
>> ServerHello.random before using it for encryption key derivation.
>> Protocols like CMS don't have that luxury.
>>  
>>> Also,
>>>  
>>> ---
>>> Mike Ounsworth
>>>  
>>> From: Hubert Kario <hkario@redhat.com> 
>>> Sent: Wednesday, February 21, 2024 8:22 AM
>>> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
>>> Cc: Watson Ladd <watsonbladd@gmail.com>; CFRG <cfrg@irtf.org>
>>> Subject: Re: [CFRG] [EXTERNAL] What I want from the "KEM hybrids"
>>>  
>>> On Wednesday, 21 February 2024 00: 07: 25 CET, Mike Ounsworth 
>>> wrote: > Hi Watson, Sophie, Hubert, > > I’ll reply all at once. 
>>> > > > The point of having ML-KEM + RSA hybrids is not about 
>>> reusing > *keys*, which I agree should
>>> On Wednesday, 21 February 2024 00:07:25 CET, Mike Ounsworth wrote:
>>>> Hi Watson, Sophie, Hubert,
>>>>  
>>>> I’ll reply all at once.
>>>>  
>>>>  
>>>> The point of having ML-KEM + RSA hybrids is not about reusing 
>>>> *keys*, which I agree should not be done, but about reusing 
>>>> *code*. For the ultra-conservative crowd, being able to put 
>>>> their existing code (again, “code”, not “keys”) into hybrid 
>>>> reduces the migration risk.
>>>>  
>>>> Hubert, I am not trying to suggest that RSA_PKCS#1v1.5 is 
>>>> acceptable in any academic sense, but I am suggesting that it 
>>>> still very much exists in the wild in applications which need 
>>>> migrate-out strategies. If you want to leverage ML-KEM in 
>>>> addition to your existing codebase, and your existing codebase 
>>>> is RSA_PKCS#1v1.5, then that is what you will do.
>>>  
>>> That would make sense only if your code base implements PKCS#1v1.5
>>> properly, and the chances for that are slim to none.
>>>  
>>> The list on Marvin Attack page is over 30 implementations long
>>> _because I tested just over 30 implementations._ Of all the ones
>>> tested only two turned out to be side-channel safe.
>>>  
>>> People's efforts are far better spent making sure that OAEP 
>>> is implemented
>>> correctly than wrangling PKCS#1v1.5 to make it side-channel free.
>>> Implementing OAEP from scratch will be easier than implementing
>>> PKCS#1v1.5 in side-channel free way.
>>>  
>>>> I suppose it is one possible outcome here for the IRTF / IETF 
>>>> to say that RSA-PKCS#1 and/or RSA-OAEP and/or RSA-KEM are 
>>>> deprecated and the IRTF / IETF will not be standardizing ML-KEM 
>>>> + RSA hybrids. That will not prevent people from doing it, it 
>>>> will just prevent people from doing it in standardized and 
>>>> peer-reviewed ways.
>>>  
>>> If we don't provide OIDs for combined PKCS#1/Kyber, then people won't
>>> be using it.
>>>   
>>>> ---
>>>> Mike Ounsworth
>>>>  
>>>> From: Watson Ladd <watsonbladd@gmail.com> 
>>>> Sent: Tuesday, February 20, 2024 3:15 PM
>>>> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
>>>> Cc: CFRG <cfrg@irtf.org>
>>>> Subject: Re: [EXTERNAL] [CFRG] What I want from the "KEM hybrids"
>>>>  
>>>> On Tue, Feb 20, 2024, 1: 06 PM Mike Ounsworth 
>>>> <Mike. Ounsworth@ entrust. com> wrote: > > Hey Watson, > > > > I 
>>>> could come around to this viewpoint that CFRG should not 
>>>> standardize a generic KEM combiner, but instead publish
>>>> On Tue, Feb 20, 2024, 1:06 PM Mike Ounsworth 
>>>> <Mike.Ounsworth@entrust.com> wrote:
>>>>> 
>>>>> Hey Watson,
>>>>> 
>>>>> 
>>>>> 
>>>>> I could come around to this viewpoint that CFRG should not 
>>>>> standardize a generic KEM combiner, but instead publish a suite 
>>>>> of specific-algorithm combiners.
>>>>> 
>>>>> 
>>>>> 
>>>>> The question then becomes: “which algorithms need to be 
>>>>> supported on the Internet during the PQC migration period?”  
>>>>> The answer is probably some subset of  {ML-KEM, NTRU, Classic 
>>>>> McEliece} X {X25519, X448, ECDH{P*, Brainpool*}, RSA-KEM, 
>>>>> RSA-PKCS#1, RSA-OAEP}. Then we get into the game of trying to 
>>>>> figure out which of those combinations have enough usage to 
>>>>> motivate their own spec.
>>>>  
>>>>  
>>>> I'm not convinced we need any RSA options. You shouldn't reuse key
>>>> material for this.
>>>>  
>>>> Why Brainpool? It's not deployed widely. ECDHP makes sense for
>>>> FedRAMP/FIPS issues but I won't cry if we say X25519 alone because
>>>> that is permitted now even if certificates aren't quite updated. There
>>>> needs to be a strong rationale for each additional variation, because
>>>> the more you fill out the cartesian product the more tempting a
>>>> generic interface that application users will misuse becomes.
>>>>  
>>>>> 
>>>>> 
>>>>> 
>>>>> The alternative is that CFRG publish a few optimized 
>>>>> combinations, like ML-KEM+x25519, and a lower-performance 
>>>>> generic combiner for “the rest”.
>>>>  
>>>> There is no generic interface here: RSA-OAEP, ECDH, are different in
>>>> ways that matter for security.
>>>>  
>>>> Sincerely,
>>>> Watson
>>>  
>>  
>  

-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email