IETF Logo Mail Archive

Re: [Secdispatch] [EXTERNAL] Re: IETF117 - Call for topics

Eric Rescorla <ekr@rtfm.com> Sun, 25 June 2023 23:49 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87D40C15153F for <secdispatch@ietfa.amsl.com>; Sun, 25 Jun 2023 16:49:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 86al5Oz3o7qY for <secdispatch@ietfa.amsl.com>; Sun, 25 Jun 2023 16:49:04 -0700 (PDT)
Received: from mail-yw1-x1130.google.com (mail-yw1-x1130.google.com [IPv6:2607:f8b0:4864:20::1130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BC34C15154A for <secdispatch@ietf.org>; Sun, 25 Jun 2023 16:49:04 -0700 (PDT)
Received: by mail-yw1-x1130.google.com with SMTP id 00721157ae682-57023c9be80so27328557b3.3 for <secdispatch@ietf.org>; Sun, 25 Jun 2023 16:49:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20221208.gappssmtp.com; s=20221208; t=1687736943; x=1690328943; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EICT6kZRyw/bltwNO78BwhZ4vNo9Ho/g9t2pRNKoxHw=; b=2THPCT0jJLNg31mcrj1UwRAAELdWusqf38oDir4lgGUlC+EWLwuCSxKiud1eo189rY X0jo05zobOjDqZO+HSXqC4wB28NtPWHLeNO2Av8YGb0FrPyalfQ6PVa5PQHv/fLxtWa3 THUIpbMJWaFFM8CUtXZm9LOh+QtRI577IEfAoFh9c2UGMGls4x81Xn4+DQfyowI2NmmL GMvW35NH3oHpSEQZt3EKi2UdhxdK5DnrUbN5amxDFK4/cbdnL3mAgoeGx8ERG2uEiswx ZrEDvgx5ONuSR5eUA/pl1UHzy6nQhsX/HPjwaTrGvGn4pUZH38NHWswtJ+XhGxHVyFva +M3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687736943; x=1690328943; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EICT6kZRyw/bltwNO78BwhZ4vNo9Ho/g9t2pRNKoxHw=; b=PbvMuO8zhd9jcbq9wYRV/yzBksDCe35YO9pbxDR35StG5H0fPIFCtD/Mc0ueTb2y2e qP+oixi/7BCtltXl8psdFSaWDb2fpvTzyDPz4R8g40gyVavoJ/8uaXDhynBXixAS2HGF Gi9Pk1H1LJQou7e4eytW/sieJvxMRLHGKV0P0XWYG28r3v2xiJ2rt22Yj85EXrWzAskC uPhsEiOTIl/cemOmCVIvD1+TCF4pF9wRPtCt257BlFkTIYCm7FTdwOCgGOxED1zhajpv yWQ9mh8VK/yzVUO4KeyGiEtYrz+pxLI/PP9kmVdGbW15NErN1Hh21D8zO/GHydfvkmcv k9mQ==
X-Gm-Message-State: AC+VfDxfAWKsfuD2S+OqNZ4SOUhZyJjhBFSvMNlnBwOBOOz9nubYa/3E TXfItBO7eabX5kQn7qJvFfxuDw0PKPp4G0hkqI+weQ==
X-Google-Smtp-Source: ACHHUZ7HgJkguEoAhO7+x6yyxxdEhuoXFSRqcblxTbgLclwqY234aj3vmeZRxN68/KEOr7qc1QDR9IJqpT8AWDeaE2Q=
X-Received: by 2002:a81:8492:0:b0:56f:f7f6:52d8 with SMTP id u140-20020a818492000000b0056ff7f652d8mr26445323ywf.5.1687736942570; Sun, 25 Jun 2023 16:49:02 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP8D_qp6fPvWkWnw7hDRppHSkaxpTSBtMbcRkE+ZpS+WBw@mail.gmail.com> <3A66635D-6087-4D87-901A-A9C936A01C12@gmail.com> <CADNypP9h7TaC+VnmUihkcq3pWmqzuq3U1E9z4x3F_9PA8Vn8Aw@mail.gmail.com> <5b77f2aa7b39fe8add9bb6459db323609e2671e8.camel@infradead.org> <54209.1687443106@dyas> <1943D5A5-71B2-42CC-8FD8-832CC1971E9D@gmail.com> <CH0PR11MB573982AEAC43E1B40B2F4D4C9F22A@CH0PR11MB5739.namprd11.prod.outlook.com> <10b52b08-c102-329e-dfbd-9e993dcc923e@cs.tcd.ie> <F6C70FA2-21F9-4135-AE4C-084104A4140C@gmail.com> <7ab40cf9-e051-3554-cfc6-d715f581b6e1@cs.tcd.ie> <DM6PR11MB2585CE078DE5808CEA21915BEA21A@DM6PR11MB2585.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB2585CE078DE5808CEA21915BEA21A@DM6PR11MB2585.namprd11.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 25 Jun 2023 16:48:26 -0700
Message-ID: <CABcZeBOLZ5_qsagMkAUuJa=ewQQSCs40=2xFctqikCVF0_Loow@mail.gmail.com>
To: John Gray <John.Gray=40entrust.com@dmarc.ietf.org>
Cc: secdispatch <secdispatch@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Yoav Nir <ynir.ietf@gmail.com>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000efc6e805fefce059"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/2Q6aYKi2u0ope-YHcRs684GBng8>
Subject: Re: [Secdispatch] [EXTERNAL] Re: IETF117 - Call for topics
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jun 2023 23:49:09 -0000

On Sun, Jun 25, 2023 at 2:17 PM John Gray <John.Gray=
40entrust.com@dmarc.ietf.org> wrote:

> This caught my eye:
>
> >> I think a BoF about hybrid signatures is appropriate as long as one of
> >> the topics is “do we really need them?”
>
> >So one of the problems with that is it'd be about a specific mechanism
> that may or may not
> >form part of a sensible response to the possibility of a CRQC but it'd
> omit consideration of the
> >systemic impacts of adopting such signatures, esp. in PKI and in other
> protocols that make use
> >of PKI. We'd also be passing up the very rare opportunity to consider
> significant changes to
> >PKI that might actually get deployed, which I think would be fairly
> unwise of us.
>
> I agree there is an opportunity to consider changes to PKI, but I don't
> think it is time boxed by the Quantum threat.   I think there is always an
> opportunity to consider significant changes to PKI.  I don't think it
> should prevent us from enhancing existing PKI infrastructure until such
> newer systems become feasible.
>
> It has been clear to many of us, (since at least 2017), that hybrid
> signatures were going to be needed:
>

 Hi John,

I do agree we need post-quantum certificates, but I'm less persuaded
that *hybrid* signatures are the way to go, especially for online
protocols like TLS or IPsec.

My argument here starts with the threat model: unlike confidentiality,
what matters for security is the state of the algorithm at the time of
signature verification rather than at the time of signature
generation. In fact, it doesn't matter much what signature algorithms
were initially used, but rather what the relying party will accept.

As a concrete example, suppose that Alice signs a document with
classical algorithm C and quantum-resistant algorithm Q. If both
algorithms are secure, then it doesn't matter which the RP accepts or
verifies. So, the RP can simply adopt a policy of verifying whatever
signatures are there from its accepted set.  However, if C is broken
then it matters what the RP does. Specifically, if the RP accepts
C-only signatures, then the Q signature doesn't help because the
attacker can generate a new document just signed by C, either de novo
or by stripping the Q signature. What is required for security is for
the RP to reject C.

There are, however, two reasons to sign with both C and Q:

1. If you don't know what the other side supports and you want
   the peer to able to verify it whatever its policies.
2. If you are worried that *either* C or Q might be broken
   in the future and you want the RP to be able to verify
   in either case (this is roughly the rationale for using
   both classical and PQ algorithms for key establishment).

However, neither of these rationales applies to interactive protocols
like TLS, IPsec, etc. because they already negotiate the signature
algorithm, so the RP can just tell the peer what signature algorithm
to use (and by extension, which credential to send). Moreover,
because there are peers which only support the existing non-PQ
algorithms and thus *neither* hybrid nor PQ-only signatures, you
still need to be able to generate non-PQ signatures and to have a
non-PQ credential, so it's equally (perhaps more) convenient to just
have two credentials (assuming certificates here).

- A classical key pair that chains up through classical signatures.
- A PQ key pair that chains up through PQ signatures


Finally, let's consider the case of non-interactive protocols,
where you don't necessarily know the state of the RP, so it's
plausible you would want to sign with both C and Q regularly.
However, the problem here is the same backward compatibility
issue that you have with the interactive protocols, namely that
there are some RPs which will only be able to verify C, so
this means that you have to generate at least one pure classical
signature, and if you want to add a PQ signature then you need
some way to have two signatures, at which point why not just
have the second one be pure PQ.

Can you explain why you think that hybrid is a better design in
these cases?

-Ekr




> 1)  We need to evolve our systems, I can't imagine telling customer x to
> throw away their PKI infrastructure to use this new thing to ensure they
> are protected from the quantum threat.   Do you think that is realistic?
>  Maybe if we knew what the new thing looked like now and had 25 years for
> people to transition to it.  So adding support for the NIST approved PQ
> signature algorithms (when available) seems like a mandatory requirement
> for future PKI systems, and is a natural way to enhance existing systems
> against the quantum threat.
> 2)  Given the uncertainty when a QRCQ will become available, and lack of
> mature implementations of quantum resistant algorithms, it seems prudent to
> add existing signature algorithms (RSA, EC) in combination with the newer,
> larger PQ algorithm.   Adding EC only adds about 128 extra bytes which is a
> small overhead and gives extra security and peace of mind in case problems
> are found in the new PQ algorithm.  This can help to further enhance
> existing PKI systems.
> 3) In the call for adoption, we did have a lot of support for the work and
> it looks like many organizations are planning to deploy hybrid signatures
> of some kind.   We have proven this works in all the existing PKI
> structures we have tested it with as part of our Hackathon which currently
> has at least 6 different vendor supplied implementations of composite
> "hybrid" signatures:  https://github.com/IETF-Hackathon/pqc-certificates
> We are simply trying to work out a common standard for what this looks
> like.  Isn't that the point of the working group (LAMPS in this case has a
> charter item 5.b.ii. for hybrid signatures).
>
> Cheers,
>
> John Gray
>
>
> -----Original Message-----
> From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Stephen
> Farrell
> Sent: Friday, June 23, 2023 8:37 AM
> To: Yoav Nir <ynir.ietf@gmail.com>
> Cc: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; Michael
> Richardson <mcr+ietf@sandelman.ca>; David Woodhouse <dwmw2@infradead.org>;
> Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; secdispatch <
> secdispatch@ietf.org>
> Subject: Re: [Secdispatch] [EXTERNAL] Re: IETF117 - Call for topics
>
>
> Hiya,
>
> On 23/06/2023 10:29, Yoav Nir wrote:
> >
> >
> >> On 22 Jun 2023, at 21:06, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> >> wrote:
> >> On 22/06/2023 19:01, Mike Ounsworth wrote:
> >>> I also support a BoF about hybrid signatures.
> >>
> >> FWIW: I would not support the above. The BoF I think we need would
> >> address evolving PKI in the face of a CRQC.
> >>
> >> Discussion of hybrid signatures would be a part of that, but just a
> >> part.
> >
> > That’s not going to happen. If everything’s in scope then the BoF will
> > discuss everything all at once, and take forever and not reach any
> > conclusions.
>
> Of course, an ocean-boiling BoF is always possible, but I don't think one
> on how to evolve PKI in the face of a possible CRQC is likely to be that.
>
> > I think a BoF about hybrid signatures is appropriate as long as one of
> > the topics is “do we really need them?”
>
> So one of the problems with that is it'd be about a specific mechanism
> that may or may not form part of a sensible response to the possibility of
> a CRQC but it'd omit consideration of the systemic impacts of adopting such
> signatures, esp. in PKI and in other protocols that make use of PKI. We'd
> also be passing up the very rare opportunity to consider significant
> changes to PKI that might actually get deployed, which I think would be
> fairly unwise of us.
>
> Cheers,
> S.
>
> >
> > Yoav
> >
> >
> >
> >
> Any email and files/attachments transmitted with it are confidential and
> are intended solely for the use of the individual or entity to whom they
> are addressed. If this message has been sent to you in error, you must not
> copy, distribute or disclose of the information it contains. Please notify
> Entrust immediately and delete the message from your system.
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>

v2.23.0 | Report a Bug | By Email