Re: [Curdle] Quantum computer resistance? (Re: I-D Action: draft-ietf-curdle-gss-keyex-sha2-00.txt)
Hubert Kario <hkario@redhat.com> Mon, 22 May 2017 13:28 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0704A12EA42 for <curdle@ietfa.amsl.com>; Mon, 22 May 2017 06:28:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.922
X-Spam-Level:
X-Spam-Status: No, score=-6.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mkpqOllnLgr for <curdle@ietfa.amsl.com>; Mon, 22 May 2017 06:28:00 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4941F12EA53 for <curdle@ietf.org>; Mon, 22 May 2017 06:27:54 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 94E6090905; Mon, 22 May 2017 13:27:54 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 94E6090905
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=hkario@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 94E6090905
Received: from pintsize.usersys.redhat.com (dhcp-0-115.brq.redhat.com [10.34.0.115]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3AA9280E92; Mon, 22 May 2017 13:27:54 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: curdle@ietf.org
Date: Mon, 22 May 2017 15:27:47 +0200
Message-ID: <1674834.KTPl0iozjd@pintsize.usersys.redhat.com>
In-Reply-To: <20170521201350.GP39245@kduck.kaduk.org>
References: <149347252355.2923.13177496291079730679@ietfa.amsl.com> <2602201.lV3Rmsh2R0@pintsize.usersys.redhat.com> <20170521201350.GP39245@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3294733.JPtQj2RNT1"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Mon, 22 May 2017 13:27:54 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/AvKW7qSHZNZUA42t2wfKRFitHs8>
Subject: Re: [Curdle] Quantum computer resistance? (Re: I-D Action: draft-ietf-curdle-gss-keyex-sha2-00.txt)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2017 13:28:02 -0000
On Sunday, 21 May 2017 22:13:50 CEST Benjamin Kaduk wrote: > On Tue, May 02, 2017 at 03:54:21PM +0200, Hubert Kario wrote: > > On Saturday, 29 April 2017 15:28:43 CEST internet-drafts@ietf.org wrote: > > > > One of the nice properties of Kerberos, because it uses only symmetric > > cryptography, is that it is secure against quantum computer attacks. > > [obligatory note that the GSS-API is generic, i.e., there are > non-Kerberos GSS mechanisms, some of which are even used with ssh > today. AIUI, the GSI mech does not use symmetric crypto and could > not reasonably become quantum-computer-resistant.] Yes, the change is necessary, but not sufficient, for QC resistance. > > Unfortunately, neither the previous gss-api kex scheme, nor the one we > > proposed here (as it is essentially the same), maintain that property. > > This is because the input to the HASH function, with one exception, are > > transferred in clear. That only secret input is the value calculated using > > algorithm vulnerable to quantum computers - FF or EC version of > > Diffie-Hellman > > > > Thus my question are, > > 1). should we change the input provided to HASH to provide quantum > > computer > > resistance, or > > We should probably provide a scheme that has some additional input(s) to > HASH, perhaps with a GSS_Pseudo_random() (RFC 4401) or a > GSS_Wrap()'d random value. GSS_Pseudo_random() could be a neat solution. But I have some reservations, see below. > > 2). should we prioritise ease of upgrade to SHA-2, ECDH, bigger primes > > (and > > forget about QC-resistance - that's the current draft), or > > But, I'm not convinced that we want to make "gss-<group>-<hash>" > have different global semantics based on the particular group+hash > combination; What I was thinking, is that -sha1 ones are becoming insecure either way. So lets make sure that the only ones that remain have the same properties (and they are a superset of the -sha1 ones). > > 3). should we multiply the kex options further and provide QC-resistant > > variants of all the GSSAPI kex algorithms? > > it seems like it would make more sense to have a separate document > that creates a new family of gss-pq-<group>-<hash> keyex schemes, > though probably only of the new ones from this document and not the > SHA1 ones. yes, using sha-1 for PQ is quite silly. For gss-pq-* key exchanges I was thinking of something that is truly PQ, that is, provides PFS even against quantum computers. That means something that uses Ring-LWE or supersingular isogeny DH, not something that uses FFDH or ECDH. Even if that FFDH or ECDH is slightly augmented to provide minimum of QC resistance. In other words, the intention was to make the hopeless situation survivable and provide a proper fix only after a clear winner for PQ KEX has been established. Creating 3 documents is probably overdoing it. > > As for technical details, I was thinking of adding a step in which the > > peers each choose a random value, GSS_Wrap it, send it to peer, > > GSS_Unwrap peers value and append their value and the peers decrypted > > value to HASH input. > That probably suffices; I would have to think a bit harder about > where there is any value gained from using such wrapped random > values as input to GSS_Pseudo_random(), or whether just passing the > HASH inputs as the prf_in input would suffice (which would mean less > data going on the wire). Yes, not requiring changes to the on-the-wire messages is a definite plus. OTOH, I'd assume that all GSS-API implementations support GSS_Wrap() and GSS_Unwrap(), I don't know what's the support level for GSS_Pseudo_random(). Given the notes in RFC 7802, I see there were some problems with interoperability in Kerberos... -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [Curdle] I-D Action: draft-ietf-curdle-gss-keyex-… internet-drafts
- [Curdle] Quantum computer resistance? (Re: I-D Ac… Hubert Kario
- Re: [Curdle] Quantum computer resistance? (Re: I-… Benjamin Kaduk
- Re: [Curdle] Quantum computer resistance? (Re: I-… Hubert Kario
- Re: [Curdle] Quantum computer resistance? (Re: I-… Benjamin Kaduk
- Re: [Curdle] Quantum computer resistance? (Re: I-… Hubert Kario