[openpgp] WG: BSI view on KEM combiners

"Ehlen, Stephan" <stephan.ehlen@bsi.bund.de> Thu, 08 August 2024 13:45 UTC

Return-Path: <stephan.ehlen@bsi.bund.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11C0CC14F69F for <openpgp@ietfa.amsl.com>; Thu, 8 Aug 2024 06:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.005
X-Spam-Level:
X-Spam-Status: No, score=-7.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=bsi.bund.de header.b="AXmoXggr"; dkim=pass (2048-bit key) header.d=bsi.bund.de header.b="UOs8yuI/"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r20sJVRw9u3X for <openpgp@ietfa.amsl.com>; Thu, 8 Aug 2024 06:44:57 -0700 (PDT)
Received: from m3-bn.bund.de (m3-bn.bund.de [77.87.228.75]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4712CC14F683 for <openpgp@ietf.org>; Thu, 8 Aug 2024 06:44:56 -0700 (PDT)
Received: from m3-bn.bund.de (localhost [127.0.0.1]) by m3-bn.bund.de (Postfix) with ESMTP id 11EDF671623 for <openpgp@ietf.org>; Thu, 8 Aug 2024 15:44:54 +0200 (CEST)
Received: (from localhost) by m3-bn.bund.de (MSCAN) id 4/m3-bn.bund.de/smtp-gw/mscan; Thu Aug 8 15:44:54 2024
X-NdB-Source: NdB
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-ed25519; t=1723124684; bh=iVsg50DaCQ+fdzURdZGvY2Ccee7JI58dWExSQLBc5z0=; h=From:To:Subject:Date:References:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=AXmoXggrS3XBHyB75OvQuoGNfbwGAxBwhJ1uuWy4hOFzXxiLUfEyuN2lNghN+Xe/R JebRyVNJXRA4oIil5BeBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-rsa; t=1723124684; bh=iVsg50DaCQ+fdzURdZGvY2Ccee7JI58dWExSQLBc5z0=; h=From:To:Subject:Date:References:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=UOs8yuI/Rr0uShXnq6OIrBAL99DmrjSISg+xe/QjeFKccdKCMx5qSqXJrOAErxlM7 8QInBl3TWybpK0MhzP3JEhnDyEdvcXVPvLMata3AgEHJ1yrgRNLZ4LTPmb7LZAAcrz 4NpiZSlOJwWudGHrtWuwK7SHhdkqFP6jJ75MIL+oqOWUjLs5aZk/jIUAq8dK42L3I0 1GwxrJoU/P2Qq2UlZM9SvIzyXdC1Unzomr69pFjc1zuWh966reFOLHDkt9NvjefA7L OIOgD7sW7+IgGTfd1wMS4xSlcjULdB1Gu74RgDA7neYyvEifH6zRpLgQyBzniqLR90 sHG0StlL9wD2w==
X-P350-Id: 35a65e62375908ac
X-Virus-Scanned: amavisd-new at bsi.bund.de
From: "Ehlen, Stephan" <stephan.ehlen@bsi.bund.de>
To: "openpgp@ietf.org" <openpgp@ietf.org>
Thread-Topic: [openpgp] BSI view on KEM combiners
Thread-Index: AQHa3I/2PVIgzK1+Nk+9Jf7Ikl6GH7IPZUbwgA4TexA=
Date: Thu, 08 Aug 2024 13:44:39 +0000
Message-ID: <334c62d3389847e0b345269b54af639c@bsi.bund.de>
References: <5681EF18-EB2C-49FD-A3B0-735C6542725D@amongbytes.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Old-x-esetresult: clean, is OK
Old-x-esetid: 37303A29D0CFE057617765
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EsetResult: clean, is OK
X-EsetId: 37303A29D6CFE057617765
X-Rusd: domwl, Pass through domain bsi.bund.de
Message-ID-Hash: 7S236LSBZIT6IKPJHLFXYWH3C3JOLRE7
X-Message-ID-Hash: 7S236LSBZIT6IKPJHLFXYWH3C3JOLRE7
X-MailFrom: stephan.ehlen@bsi.bund.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] WG: BSI view on KEM combiners
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/rwzt-vG6QconOITuBChAIfD4ktw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Fyi my answer to Kris's question; I didn't realize I was responding to him directly instead of the mailing list.

Best,
Stephan

-----Ursprüngliche Nachricht-----
Von: Ehlen, Stephan 
Gesendet: Dienstag, 30. Juli 2024 17:07
An: 'Kris Kwiatkowski' <kris@amongbytes.com>
Betreff: AW: [openpgp] BSI view on KEM combiners

Hi Kris,

the short answer to your question is probably a "yes". 

However, it depends a bit on the context and on what you mean by "BSI-approved".

The BSI technical guideline TR-02102-1 contains recommendations for cryptographic mechanisms and parameters etc. And indeed, if you want to claim that a composite/hybrid KEM is in line with our recommendations, then all components should be recommended.
In some cases, for example for certain government applications, this can be a requirement instead of just a recommendation (detailed e.g. in BSI TR-03116-x).

To cite from the technical guideline: TR-02102-1
"However, no claim is made to completeness, that means mechanisms not listed are not necessarily considered to be insecure by the BSI. Conversely, it is also wrong to conclude that cryptographic systems which only use the mechanisms recommended in this Technical Guideline as basic components are automatically secure: The requirements of the concrete application and the linking of different cryptographic and non-cryptographic mechanisms can lead to the fact that the recommendations made here cannot be implemented directly or that vulnerabilities arise."

I hope this helps a bit!?

Kind regards,
Stephan



Dr. Stephan Ehlen
____________________________________ 
Referat V 32
Bundesamt für Sicherheit in der Informationstechnik 

E-Mail:           stephan.ehlen@bsi.bund.de 
Internet:       www.bsi.bund.de 

#DeutschlandDigitalSicherBSI

Alle Informationen zum Umgang mit Ihren personenbezogenen 
Daten finden Sie unter bsi.bund.de/datenschutz.





> -----Ursprüngliche Nachricht-----
> Von: Kris Kwiatkowski <kris@amongbytes.com>
> Gesendet: Dienstag, 23. Juli 2024 01:35
> An: openpgp@ietf.org
> Betreff: [openpgp] BSI view on KEM combiners
> 
> Hello,
> 
> Today at IETF 120, during a presentation of draft-ehlen-openpgp-nist-bp-
> comp there was a question regarding BSI’s view on KEM combiners. Section
> 3.1 of the document calls for the specification of ML-KEM+brainpool and
> ML-KEM+nist-P-XXX.
> 
> I would like to double-check - does it mean that instantiation of KEM-
> combiner will be BSI-approved only if _both_ (ECC and PQ) algorithms are
> BSI-approved?
> 
> Kind regards,
> Kris
> 
> 
> --
> Kris Kwiatkowski
> Cryptography Dev
> 
> 
> 
> 
> _______________________________________________
> openpgp mailing list -- openpgp@ietf.org
> To unsubscribe send an email to openpgp-leave@ietf.org