Re: [Pqc] [TLS] Did TLS AuthKEM die?

John Mattsson <john.mattsson@ericsson.com> Tue, 24 January 2023 18:32 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "pqc@ietf.org" <pqc@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 24 Jan 2023 18:32:12 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/ZXleiKjJzbHv7sYRas11Z4lIjlk>

Using ephemeral-static ECDH for implicit authentication as in the Noise protocol has several benefits. The benefits of using KEMs instead of signatures seem more limited. The current proposal requires 3 full round-trips instead of 1.5 round-trips for mutual authentication. If I understand correctly, the message sizes are smaller than Kyber+Dilithium but similar to Kyber+Falcon (probably a bit larger in total).

If continued, I think Kyber KEMs make a lot more sense than ECDH KEM. For ECDH KEM you can do something much more efficient.

Two comments on the document

- “these proposals require a non-interactive key exchange”
My understanding of NIKE is that the parties do not have any interaction. One example of NIKE is static-static DH. OPTLS uses ephemeral-static DH. I don't think it is correct to describe that as NIKE.
https://eprint.iacr.org/2012/732.pdf

- The document could mention that to derive the application_traffic_secret, an attacker needs more than a single private key. Having a single ephemeral private key is no longer enough, as is the case in ordinary certificate-based TLS 1.3.

Cheers,
John
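
The second comment above, worked through as an added example that is not part of the original thread and is not the draft's actual key schedule. It assumes a simplified model in which the signature-based secret depends only on the ephemeral shared secret while the implicitly authenticated secret also mixes in an ephemeral-static shared secret; the toy DH group and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy finite-field DH group, constructed for illustration only (NOT secure).
# A real handshake would use X25519 or a KEM such as Kyber.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def dh(sk, peer_pk):
    return pow(peer_pk, sk, P).to_bytes(16, "big")

def extract(salt, ikm):
    # HKDF-Extract with SHA-256.
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def signature_style_secret(eph_ss):
    # Assumed simplification: only the ephemeral-ephemeral secret is keyed in.
    return extract(b"\x00" * 32, eph_ss)

def implicit_auth_secret(eph_ss, static_ss):
    # Assumed simplification: a secret bound to the server's static key
    # is mixed in on top of the ephemeral one.
    return extract(extract(b"\x00" * 32, eph_ss), static_ss)

def compare_key_compromise():
    c_eph_sk, c_eph_pk = keygen()        # client ephemeral key
    s_eph_sk, s_eph_pk = keygen()        # server ephemeral key
    s_static_sk, s_static_pk = keygen()  # server long-term key

    # Honest client: the ephemeral-static secret needs c_eph_pk to reach
    # the server, so the exchange is interactive.
    eph_ss = dh(c_eph_sk, s_eph_pk)
    static_ss = dh(c_eph_sk, s_static_pk)
    sig_secret = signature_style_secret(eph_ss)
    impl_secret = implicit_auth_secret(eph_ss, static_ss)

    # Party holding only the server's ephemeral private key plus public values.
    leaked_eph_ss = dh(s_eph_sk, c_eph_pk)
    missing = b"\x00" * 16  # stands in for the static secret it cannot compute
    both = dh(s_static_sk, c_eph_pk)
    return {
        "signature_style_ephemeral_only": signature_style_secret(leaked_eph_ss) == sig_secret,
        "implicit_auth_ephemeral_only": implicit_auth_secret(leaked_eph_ss, missing) == impl_secret,
        "implicit_auth_both_keys": implicit_auth_secret(leaked_eph_ss, both) == impl_secret,
    }
```
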


From: TLS <tls-bounces@ietf.org> on behalf of Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
Date: Tuesday, 24 January 2023 at 19:15
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, pqc@ietf.org <pqc@ietf.org>, tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Did TLS AuthKEM die?
I truly hope AuthKEM is alive.

--
V/R,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
    - C. A. R. Hoare


From: TLS <tls-bounces@ietf.org> on behalf of Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Date: Tuesday, January 24, 2023 at 12:33
To: "pqc@ietf.org" <pqc@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Did TLS AuthKEM die?

Thom, Sofía,

draft-celi-wiggers-tls-authkem is expired. Is that on purpose? Does it still have steam or is it dead?

---
Mike Ounsworth
Software Security Architect, Entrust
