IETF Logo Mail Archive

[Curdle] Quantum computer resistance? (Re: I-D Action: draft-ietf-curdle-gss-keyex-sha2-00.txt)

Hubert Kario <hkario@redhat.com> Tue, 02 May 2017 13:57 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 848D2128C82 for <curdle@ietfa.amsl.com>; Tue, 2 May 2017 06:57:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.223
X-Spam-Level:
X-Spam-Status: No, score=-4.223 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gsGVrtTfx9Bz for <curdle@ietfa.amsl.com>; Tue, 2 May 2017 06:57:25 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9D551314A8 for <curdle@ietf.org>; Tue, 2 May 2017 06:54:23 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4F033106D18 for <curdle@ietf.org>; Tue, 2 May 2017 13:54:23 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 4F033106D18
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=hkario@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 4F033106D18
Received: from pintsize.usersys.redhat.com (dhcp-0-115.brq.redhat.com [10.34.0.115]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1D8BC78C29 for <curdle@ietf.org>; Tue, 2 May 2017 13:54:23 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: curdle@ietf.org
Date: Tue, 02 May 2017 15:54:21 +0200
Message-ID: <2602201.lV3Rmsh2R0@pintsize.usersys.redhat.com>
In-Reply-To: <149347252355.2923.13177496291079730679@ietfa.amsl.com>
References: <149347252355.2923.13177496291079730679@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart8843063.Guij1U4mDF"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Tue, 02 May 2017 13:54:23 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/DtYZ3xdsvsKjQ2nyiMvJgbQL8JI>
Subject: [Curdle] Quantum computer resistance? (Re: I-D Action: draft-ietf-curdle-gss-keyex-sha2-00.txt)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2017 13:57:27 -0000

On Saturday, 29 April 2017 15:28:43 CEST internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This draft is a work item of the CURves, Deprecating and a
> Little more Encryption of the IETF.
> 
>         Title           : GSS-API Key Exchange with SHA2
>         Authors         : Simo Sorce
>                           Hubert Kario
> 	Filename        : draft-ietf-curdle-gss-keyex-sha2-00.txt
> 	Pages           : 16
> 	Date            : 2017-04-28
> 
> Abstract:
>    This document specifies additions and amendments to SSH GSS-API
>    Methods [RFC4462].  It defines a new key exchange method that uses
>    SHA-2 for integrity and deprecates weak DH groups.  The purpose of
>    this specification is to modernize the cryptographic primitives used
>    by GSS Key Exchanges.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-curdle-gss-keyex-sha2/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-curdle-gss-keyex-sha2-00
> https://datatracker.ietf.org/doc/html/draft-ietf-curdle-gss-keyex-sha2-00

One of the nice properties of Kerberos, because it uses only symmetric 
cryptography, is that it is secure against quantum computer attacks.

Unfortunately, neither the previous gss-api kex scheme, nor the one we 
proposed here (as it is essentially the same), maintain that property.
This is because the input to the HASH function, with one exception, are 
transferred in clear. That only secret input is the value calculated using 
algorithm vulnerable to quantum computers - FF or EC version of Diffie-Hellman

Thus my question are, 
1). should we change the input provided to HASH to provide quantum computer 
resistance, or
2). should we prioritise ease of upgrade to SHA-2, ECDH, bigger primes (and 
forget about QC-resistance - that's the current draft), or
3). should we multiply the kex options further and provide QC-resistant 
variants of all the GSSAPI kex algorithms?


As for technical details, I was thinking of adding a step in which the peers 
each choose a random value, GSS_Wrap it, send it to peer, GSS_Unwrap peers 
value and append their value and the peers decrypted value to HASH input.
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email