Re: [Pqc] [TLS] Did TLS AuthKEM die?
Thom Wiggers <thom@thomwiggers.nl> Wed, 25 January 2023 10:29 UTC
Return-Path: <thom@thomwiggers.nl>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13A30C14F74B for <pqc@ietfa.amsl.com>; Wed, 25 Jan 2023 02:29:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thomwiggers.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uyI_d0t1DQcp for <pqc@ietfa.amsl.com>; Wed, 25 Jan 2023 02:29:16 -0800 (PST)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DCC0C14CEE4 for <pqc@ietf.org>; Wed, 25 Jan 2023 02:29:16 -0800 (PST)
Received: by mail-yb1-xb32.google.com with SMTP id 123so22387507ybv.6 for <pqc@ietf.org>; Wed, 25 Jan 2023 02:29:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thomwiggers.nl; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=H+EgNCZJSU+dCZARCda3KG6Qef2owMXye7PadR7id2Q=; b=YZMiBkInEV+gJ5PGeFjF9ooyPswwyxEF0AEzRY/c+nuCndondbVR8/zV4ZtCFWX0L4 pX4G8KdTPM0MpI09NGa6XLhQKFlnESRYiQ+3kNCyFTpdOLzEo0Qi+Iw7yE15f9JjjXhk Qlm2SxujNJLU4DRfkx7JqFSTnz1xcAQ4p1c6c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=H+EgNCZJSU+dCZARCda3KG6Qef2owMXye7PadR7id2Q=; b=vZF6V0IzdGXiW7FUKuhvaguIO6DRDv831Sb3wbNjtjbnMejI4yJYRIPpwjXGttVEcj fnkzUhXpkioulOonjtEbOTw46t8QjnGc0nvF2GX7hNq8IQYM9Y8i2Mpq1OsUTfVzNny3 kC/0SQ8CZgE+iuJ/TePrFPDlBhNWxTRnSgGtja3qbnnwMJEkU91YlE1ZhFKXodQP3oU9 SAQoWjqstH3BEm7HKPEOi/+kA2fA4RXtbhUW3wCYe3FDOZttmXfFmy1DYr/Yw+AZHbZh KtE+dteWjn6Bch64Ewn47c/hpImAjtxx0VdyvEGH2sIacd9JMblDthWhLJNtYeLF6ahU Bq+A==
X-Gm-Message-State: AFqh2kpz7iZimh/B9DGX3Y+NI0Z2SXGv4IUoxb1TeT6rWpqo41stHosJ l8NK50IOHOLr1YS3VU+wAmiEt2bepUhlmo9Vpq9VBA==
X-Google-Smtp-Source: AMrXdXtfnIDb+dD9OFb8I6xDIlUuSJSvnbiAYBt/Kojo3zSDg73VCw0hq7yc4ouEAWtIrcXwTOff5dyzknltEoyH/b0=
X-Received: by 2002:a5b:386:0:b0:75c:5065:133a with SMTP id k6-20020a5b0386000000b0075c5065133amr3874119ybp.350.1674642555355; Wed, 25 Jan 2023 02:29:15 -0800 (PST)
MIME-Version: 1.0
References: <1CEC4270-E6A8-4081-8D54-8B16234EE968@ll.mit.edu> <HE1PR0701MB30505085B9EDB32A1D30F48789C99@HE1PR0701MB3050.eurprd07.prod.outlook.com> <81500504-0D85-4A0F-B333-A6D8FD472373@ll.mit.edu>
In-Reply-To: <81500504-0D85-4A0F-B333-A6D8FD472373@ll.mit.edu>
From: Thom Wiggers <thom@thomwiggers.nl>
Date: Wed, 25 Jan 2023 11:28:59 +0100
Message-ID: <CABzBS7mSYRtZH2FprCiNbcSo_+oGMNSOP9rqG1GShcNuKVxnSA@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: John Mattsson <john.mattsson@ericsson.com>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "pqc@ietf.org" <pqc@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a360ab05f3141a81"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/AsLh6qEtJfn1EE1TTtSEXoZwZAE>
Subject: Re: [Pqc] [TLS] Did TLS AuthKEM die?
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2023 10:29:21 -0000
Hi all, I'll first ask the first question, and then try to clarify a few of the other things raised in this thread. > Is AuthKEM dead? I'd say it's hibernating. The draft has indeed expired: there was nothing significant to add since the last time we edited/updated it. I also couldn't make it to the last two IETF meetings (and due to conflict with Real World Crypto, I will most likely not be able to make IETF116 either). The TLS working group has seemed to want to focus on getting PQ key exchange out of the door, but if it's ready to continue the discussion on post-quantum authentication (which should include some other things like OCSP and CT), I'd be very happy to continue the discussion and work on AuthKEM. One change that we'd probably like to make soon is to include Kyber-based (hybrid / PQ/T) KEMs -- once those KEMs have been hammered out for the ephemeral key exchange. I am currently working hard on wrapping up my PhD thesis* (which is largely on post-quantum TLS and KEMTLS in particular). This is another reason why the draft has been sitting there for a while. To me, right now, most of the "homework" behind the AuthKEM/KEMTLS proposal feels pretty "finished"; I'd argue we have some form of running code (as in the various KEMTLS experimental implementations we did for the academic work are pretty close to AuthKEM). We also have proofs, both pen-and-paper and two Tamarin models. If anyone has suggestions for concrete next steps, perhaps in which AuthKEM solves a problem that they're seeing, let us know. But in the end, AuthKEM, as any IETF WG proposal, can't get pushed over the line by some ivory tower academic like myself --- we will need people coming out and saying they want to have this. By the way, if anyone wants to discuss KEM-based authentication for other protocol(s) by the way, I am always happy to talk, for example in the new PQUIP wg that's also addressed :-) Next, replying to John's comments: Op di 24 jan. 2023 om 19:32 schreef John Mattsson <john.mattsson= 40ericsson.com@dmarc.ietf.org>: > Using ephemeral-static ECDH for implit authentication as in the Noise > protocol has several benefits. The benefits of using KEMs instead of > signatures seem more limited. The current proposal requires 3 full > round-trips instead of 1.5 round-trips for mutual authentication. If I > understand correctly, the messages sizes are smaller than Kyber+Dilithium > but similar to Kyber+Falcon (probably a bit larger in total). > Indeed, our mutual authentication story with plain AuthKEM is pretty weak; but to be fair, it appears mutual authentication is extremely rarely used in web browsing [0]. Naturally, that doesn't say anything about mTLS deployments in e.g. service-to-service or IoT contexts. The 'pre-distributed key' version of AuthKEM (which relies on much-easier to manage public keys) may be a remedy in some of those deployments, or be used with caching, to at least avoid the full handshake penalty most of the time. > If continued, I think Kyber KEMs makes a lot more sense than ECDH KEM. > For ECDH KEM you can do something much more efficient. > Naturally, OPTLS/draft-semistatic are indeed more elegant given DH/NIKE. I'd argue that we're looking at a KEM-based future, though: AFAIK we currently still don't have any satisfactory answers to the PQ NIKE question: CSIDH's security is still a big, on-going discussion, CSIDH is also awfully slow, and SIDH-based solutions (not to be confused with CSIDH) seem dead in the water. If any new proposals pop up, they will probably not have seen much cryptanalysis yet. - “these proposals require a non-interactive key exchange” > > My understandaing of NIKE is that the parties do not have any interaction. > One example of NIKE is static-static DH. OPTLS uses ephemeral-static DH. > I don't think it is correct to describe that as NIKE. > > https://eprint.iacr.org/2012/732.pdf > Ephemeral-static DH key exchange is also exactly what I would describe as NIKE: you just get a unilaterally authenticated secret instead of a mutually authenticated secret. Following the terminology in the linked paper (slightly simplified), you need exactly the SharedSecret operation: server_authenticated_ss = SharedKey(servers_sk_static, client_pk_ephemeral). The "lack of interaction" lies in the fact that the computation of the shared secret has only this single operation and that it requires no more communication than the exchange of public keys, unlike KEMs which have Encaps and Decaps and require the exchange of a ciphertext: indeed, there is no way of doing static-ephemeral with a KEM-style API. - The document could mentioned that to derive the > application_traffic_secret, an attacker needs more than a single private > key. Having a single ephemeral private key is no longer enough as it is > the case in ordinary certificate based TLS 1.3. > Thanks! We must have missed pointing that out. I put it on the list for a next revision: https://github.com/claucece/draft-celi-wiggers-tls-authkem/issues/22 Cheers, Thom [0]: M. Birghan and T. van der Merwe, "A Client-Side Seat to TLS Deployment," *2022 IEEE Security and Privacy Workshops (SPW)*, San Francisco, CA, USA, 2022, pp. 13-19, https://ieeexplore.ieee.org/document/9833861. Unfortunately, I couldn't find an open access source, but they measured TLS usage from Firefox on a big scale. The relevant data point is: out of all of the hundreds of billions of TLS connections they measured, they only saw three (!!) instances of mutual authentication in the handshakes. Post-handshake authentication was used <6000 times per day in web browsing, out of 32-66 billion connections per day. * I should have a job after finishing my PhD that will allow me to keep being involved in these kinds of discussions :)
- [Pqc] Did TLS AuthKEM die? Mike Ounsworth
- Re: [Pqc] [TLS] Did TLS AuthKEM die? Blumenthal, Uri - 0553 - MITLL
- Re: [Pqc] [TLS] Did TLS AuthKEM die? John Mattsson
- Re: [Pqc] [Ext] [TLS] Did TLS AuthKEM die? Paul Hoffman
- Re: [Pqc] [TLS] Did TLS AuthKEM die? Blumenthal, Uri - 0553 - MITLL
- Re: [Pqc] [TLS] Did TLS AuthKEM die? Thom Wiggers
- Re: [Pqc] [TLS] Did TLS AuthKEM die? Blumenthal, Uri - 0553 - MITLL
- Re: [Pqc] [TLS] Did TLS AuthKEM die? Brockhaus, Hendrik
- Re: [Pqc] [TLS] Did TLS AuthKEM die? loic.ferreira
- Re: [Pqc] [TLS] Did TLS AuthKEM die? Blumenthal, Uri - 0553 - MITLL
- Re: [Pqc] [TLS] Did TLS AuthKEM die? loic.ferreira
- Re: [Pqc] [TLS] Did TLS AuthKEM die? Blumenthal, Uri - 0553 - MITLL
- Re: [Pqc] [TLS] Did TLS AuthKEM die? John Mattsson
- Re: [Pqc] [TLS] Did TLS AuthKEM die? Blumenthal, Uri - 0553 - MITLL