Re: [Curdle] Quantum computer resistance? (Re: I-D Action: draft-ietf-curdle-gss-keyex-sha2-00.txt)
Benjamin Kaduk <kaduk@mit.edu> Tue, 23 May 2017 02:08 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF076128656 for <curdle@ietfa.amsl.com>; Mon, 22 May 2017 19:08:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1u3HVtCzk0In for <curdle@ietfa.amsl.com>; Mon, 22 May 2017 19:08:38 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 359B412946E for <curdle@ietf.org>; Mon, 22 May 2017 19:08:37 -0700 (PDT)
X-AuditID: 12074423-dfbff70000004989-8e-592399a39044
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id F6.B4.18825.3A993295; Mon, 22 May 2017 22:08:35 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id v4N28YCu019763; Mon, 22 May 2017 22:08:35 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v4N28UZs019378 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 22 May 2017 22:08:33 -0400
Date: Mon, 22 May 2017 21:08:30 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Hubert Kario <hkario@redhat.com>
Cc: curdle@ietf.org
Message-ID: <20170523020830.GU39245@kduck.kaduk.org>
References: <149347252355.2923.13177496291079730679@ietfa.amsl.com> <2602201.lV3Rmsh2R0@pintsize.usersys.redhat.com> <20170521201350.GP39245@kduck.kaduk.org> <1674834.KTPl0iozjd@pintsize.usersys.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <1674834.KTPl0iozjd@pintsize.usersys.redhat.com>
User-Agent: Mutt/1.7.1 (2016-10-04)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpmleLIzCtJLcpLzFFi42IRYrdT1108UznSoPGmvsXWhbOYLW59O8zq wOSxZMlPJo/3+66yBTBFcdmkpOZklqUW6dslcGW0rtrJXvBNquL08yvsDYwbRLsYOTkkBEwk PvZ/ZO5i5OIQEljMJHH4/D42CGcjo8TB0/eZIJyrTBJXGhtZQVpYBFQlVv85zQhiswmoSDR0 X2YGsUWA7LOnOsFsZgFhiX+fW4GaOTiEBfIkFt4IBwnzAm070vMfasEVRonGXQtZIRKCEidn PmGB6NWSuPHvJVgvs4C0xPJ/HBBhbYllC1+DjecUsJXo3tAJdoKogLLE38P3WCYwCs5CMmkW kkmzECbNQjJpASPLKkbZlNwq3dzEzJzi1GTd4uTEvLzUIl0zvdzMEr3UlNJNjOCwdlHewfiy z/sQowAHoxIPr8ZjpUgh1sSy4srcQ4ySHExKorx7EpQjhfiS8lMqMxKLM+KLSnNSiw8xSnAw K4nwbssCyvGmJFZWpRblw6SkOViUxHnFNRojhATSE0tSs1NTC1KLYLIyHBxKErwTZwA1Chal pqdWpGXmlCCkmTg4QYbzAA2PBKnhLS5IzC3OTIfIn2JUlBLn1QNJCIAkMkrz4HpBaUcie3/N K0ZxoFeEef+AVPEAUxZc9yugwUxAg62fyYMMLklESEk1MNpUZ0bsi5xqeUTmI9/K7ZPOuere lrjndWlq8yHRiSfifH53fiyM51x3znxy9ysGv5+bpr/e4bBTISso+HfkoeWlwQ2FTJ2rnlj8 lT6Uv3xCwskJ9S8eTve0Nyk8ESMmGZT/4mf72y+3t22tWhn2JvFJWFDcQrc1+zQays7knl19 0fPqrEhu3l9KLMUZiYZazEXFiQDxG/ecFgMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/gO1_SLkSUlrXkAvhyhb3mUR8Uy4>
Subject: Re: [Curdle] Quantum computer resistance? (Re: I-D Action: draft-ietf-curdle-gss-keyex-sha2-00.txt)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 02:08:40 -0000
On Mon, May 22, 2017 at 03:27:47PM +0200, Hubert Kario wrote: > On Sunday, 21 May 2017 22:13:50 CEST Benjamin Kaduk wrote: > > On Tue, May 02, 2017 at 03:54:21PM +0200, Hubert Kario wrote: > > > > 2). should we prioritise ease of upgrade to SHA-2, ECDH, bigger primes > > > (and > > > forget about QC-resistance - that's the current draft), or > > > > But, I'm not convinced that we want to make "gss-<group>-<hash>" > > have different global semantics based on the particular group+hash > > combination; > > What I was thinking, is that -sha1 ones are becoming insecure either way. So > lets make sure that the only ones that remain have the same properties (and > they are a superset of the -sha1 ones). Ah, I see the point better now. > > > 3). should we multiply the kex options further and provide QC-resistant > > > variants of all the GSSAPI kex algorithms? > > > > it seems like it would make more sense to have a separate document > > that creates a new family of gss-pq-<group>-<hash> keyex schemes, > > though probably only of the new ones from this document and not the > > SHA1 ones. > > yes, using sha-1 for PQ is quite silly. For gss-pq-* key exchanges I was > thinking of something that is truly PQ, that is, provides PFS even against > quantum computers. That means something that uses Ring-LWE or supersingular > isogeny DH, not something that uses FFDH or ECDH. Even if that FFDH or ECDH is > slightly augmented to provide minimum of QC resistance. > > In other words, the intention was to make the hopeless situation survivable > and provide a proper fix only after a clear winner for PQ KEX has been > established. > > Creating 3 documents is probably overdoing it. But yes, 3 documents is probably overdoing it, and there is something of a desire to get a sha1 alternative out quickly so it can be implemented and those implementations have a chance to trickle out into deployment. So maybe we will just hold off until there is a winner for PQ KEX. > > > As for technical details, I was thinking of adding a step in which the > > > peers each choose a random value, GSS_Wrap it, send it to peer, > > > GSS_Unwrap peers value and append their value and the peers decrypted > > > value to HASH input. > > That probably suffices; I would have to think a bit harder about > > where there is any value gained from using such wrapped random > > values as input to GSS_Pseudo_random(), or whether just passing the > > HASH inputs as the prf_in input would suffice (which would mean less > > data going on the wire). > > Yes, not requiring changes to the on-the-wire messages is a definite plus. > OTOH, I'd assume that all GSS-API implementations support GSS_Wrap() and > GSS_Unwrap(), I don't know what's the support level for GSS_Pseudo_random(). > Given the notes in RFC 7802, I see there were some problems with > interoperability in Kerberos... Yeah, it is not as widely implemented/adopted as the original GSS APIs. But there is software out there actually using it, commercial software even, so there has been some progress on that front. The two big open-source C Kerberos implementations have had it for a few years (MIT and Heimdal), but I don't have a sense for whether (e.g.) Java or the various closed-source GSSAPI implementations have picked it up. -Ben
- [Curdle] I-D Action: draft-ietf-curdle-gss-keyex-… internet-drafts
- [Curdle] Quantum computer resistance? (Re: I-D Ac… Hubert Kario
- Re: [Curdle] Quantum computer resistance? (Re: I-… Benjamin Kaduk
- Re: [Curdle] Quantum computer resistance? (Re: I-… Hubert Kario
- Re: [Curdle] Quantum computer resistance? (Re: I-… Benjamin Kaduk
- Re: [Curdle] Quantum computer resistance? (Re: I-… Hubert Kario