Re: [saag] PQC in ZRTP (RFC6189) and hybrid KEM

Johan Pascal <johan.pascal@linphone.org> Tue, 23 November 2021 22:48 UTC

Thanks all for your replies,

Ekr, I think ZRTP is still relevant despite progress in voice synthesis. Yes, it is easy to generate a SAS code impersonating someone's voice, but then you have to insert it with the right timing in a live conversation.

This publication, https://nsaxena.engr.tamu.edu/wp-content/uploads/sites/238/2019/12/ss-ccs14-1.pdf, is I think the one addressing the subject most directly, and it indeed proves that speech synthesis can easily fool real people in the context of SAS comparison. However, I don't think they fully cover the SAS insertion without introducing painful delay in a live call.

Jon, Colin, I just posted both on this list and on avtcore a small synthesis of how I plan to modify ZRTP to use KEM instead of (EC)DH. I have two slightly different solutions, any comments will be more than welcome.

Regards,

Johan

On 23/11/2021 17:20, Eric Rescorla wrote:

On Tue, Nov 23, 2021 at 4:55 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:

Ben,

this shows that even IETF experts have a hard time differentiating IETF consensus documents from those that aren't.

I wonder how often people believed that ZRTP was the product of an IETF working group.

A few years have passed since the publication of ZRTP and attacker capabilities have changed. I am wondering whether the security model of ZRTP is still meaningful today.


I think at this point we have fairly strong evidence that in-band confirmation of SAS codes is fairly subject to impersonation via modern voice synthesis techniques.


-Ekr

Ciao

Hannes

From: saag <saag-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: Tuesday, November 23, 2021 1:16 PM
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] PQC in ZRTP (RFC6189) and hybrid KEM

On Mon, Nov 22, 2021 at 10:27 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

On Mon, Nov 22, 2021 at 09:47:46PM -0800, Eric Rescorla wrote:
> On Mon, Nov 22, 2021 at 9:28 AM Johan Pascal <johan.pascal@linphone.org>
> wrote:
>
> > Hi,
> >
> > thanks for your suggestions. I know the work on hybrid design is already
> > done in TLS and others . While looking for some documentation on that
> > specific problem I found several protocols addressing it, each of them with
> > specific details related to the protocol and that is mainly what led me to
> > think that a document dedicated to hybrid scheme might make sense: it would
> > save the next person trying to achieve exactly what I'm trying to do for
> > ZRTP the work of reading the different specifications, parting what is
> > protocol related and what is not. But the hybrid mechanism can be described
> > in the PQC-ZRTP I-D itself.
> >
> > Colin, as the problem of updating ZRTP to a PQ-KEM scheme is mostly
> > security related it made more sense to me to post it on Saag. The perfect
> > list to discuss it would be the potential "PQC Agility" WG if it is chartered
> > at some point (
> > https://mailarchive.ietf.org/arch/msg/saag/5uV72m80X9PTGFWFyDY5VrNyK-c/).
> > Is there any update on this?
> >
> Well, discuss it, perhaps, but given that ZRTP is not an IETF protocol, we
> generally would not publish this document out of that group.

Sorry for splitting hairs, but RFC 6189 does have the "represents the
consensus of the IETF community" boilerplate, that would seem to make it
an IETF protocol by at least some definitions.

Without taking a position on whether this was hair splitting, ZRTP was not
developed by an IETF WG. It was externally developed and then published
as Informational.

-Ekr
