Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 12 September 2019 19:08 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Dr. Pala" <madwolf@openca.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI
Date: Thu, 12 Sep 2019 19:08:49 +0000
Message-ID: <BL0PR11MB317285DF599EC58CCF26FD5EC1B00@BL0PR11MB3172.namprd11.prod.outlook.com>
References: <a2e32c33-8589-f3fb-97e5-c5977dfc64b4@openca.org>
In-Reply-To: <a2e32c33-8589-f3fb-97e5-c5977dfc64b4@openca.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/LDrHLduhrOEkPCxYpwaFTiZ2SGQ>
Subject: Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI

I agree that this is an important problem to solve.

One might think we have plenty of time, given that Real Quantum Computers are, more than likely, more than 10 years away, and even once you have one, you cannot use your Quantum Computer to break the authentication of recorded conversations.

On the other hand, authentication also brings in additional issues; instead of having a two party system (where as long as both the client and the server support a postquantum algorithm, they can negotiate it), we now have an (at least) three party system: the client, the server, and the CA.  This additional party makes the upgrade path more complicated.  So, while we have more time, we may need it.

I don’t think it’s too early to start thinking about the issues.

From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Dr. Pala
Sent: Thursday, September 12, 2019 10:39 AM
To: secdispatch@ietf.org
Subject: Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI


Hi SecDispatch, Mike,

Our industry (Cable) is working on this problem already - some of our members have started investigating a few things in the post-quantum field and in particular how to protect our PKIs in this uncertain environment.

With a few billion certificates issued across the industry, we heavily rely on certificates for device authentication and, therefore, we need to work on a solution today.

For us, the use of Composite Crypto is quite an interesting path to pursue because it provides an easy way to protect our PKIs today against the factorization threat (not only certificates, but all the data structures for PKIX), thus allowing the authentication to be verified with Post-Quantum algorithms when we need to make the switch (deferred Algorithm Agility).

We intend to support this idea and actively deploy it for our PKIs and eventually expand the adoption of this approach in other environments we are engaged in (e.g., medical devices, cellular networks, WiFi Alliance and WBA, etc.).

Looking forward to finding a good home for this project within the IETF - a simple but powerful tool for our "PKI toolboxes".

Cheers,
Max

Hi SecDispatch,

This got bounced here from LAMPS because the scope is potentially more than a "limited" pkix change, and because this needs multi-WG visibility to decide on a category of solution.

Background / history
--------------------

The Post-Quantum community (for example, surrounding the NIST PQC competition) is pushing for "hybridized" crypto that combines RSA/ECC with new primitives in order to hedge our bets against both quantum adversaries, and also algorithmic / mathematical breaks of the new primitives.

A year and a half ago, a draft was put to LAMPS for putting PQ public keys and signatures into X.509v3 extensions. This draft has been allowed to expire, but is being pursued at the ITU.
https://datatracker.ietf.org/doc/draft-truskovsky-lamps-pq-hybrid-x509/

Earlier this year, a new draft was put to LAMPS for defining "composite" public key and signature algorithms that, essentially, concatenate multiple crypto algorithms into a single key or signature octet string. This draft stalled in LAMPS over whether it is the correct overall approach.
https://datatracker.ietf.org/doc/draft-ounsworth-pq-composite-sigs/

Now I'm taking a step back and submitting a draft that acts as a semi-formal problem statement, and an overview of the three main categories of solutions.
https://datatracker.ietf.org/doc/draft-pq-pkix-problem-statement/

My Opinion
----------

Personally, I'm fairly agnostic to the chosen solution, but feel that we need some kind of standard(s) around the post-quantum transition for certificates and PKI. Personally, I feel that Composite is mature enough as an idea to standardize as a tool in our toolbox for contexts where it makes sense, even if a different mechanism is preferred for TLS and IPSEC/IKE.

Requested action from SECDISPATCH
---------------------------------

1. Feedback on the problem statement draft. https://datatracker.ietf.org/doc/draft-pq-pkix-problem-statement/

2. Discussion of how to progress this.

PS I'm a new IETF'er, please be gentle :P

Thanks,

- - -

Mike Ounsworth | Software Security Architect
Entrust Datacard

--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
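The "composite" construction discussed in this thread (component signatures concatenated into one octet string, with verification requiring every component to pass) as an added example; this is not code from either draft or from any of the authors. It assumes a fixed 64-byte Ed25519 signature followed by a DER-encoded ECDSA signature as the concatenation layout (the draft uses ASN.1), and uses ECDSA P-256 as a stand-in for the post-quantum component, since Go's standard library ships no PQ primitive.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Composite holds one private key per component algorithm. Ed25519 plus ECDSA
// P-256 stand in for the "classical + post-quantum" pair (assumption: Go's
// standard library ships no PQ primitive, so the PQ slot is played by ECDSA).
type Composite struct {
	ed ed25519.PrivateKey
	ec *ecdsa.PrivateKey
}

// MustGenerate creates both component keys; it panics only on RNG failure.
func MustGenerate() *Composite {
	_, ed, err1 := ed25519.GenerateKey(rand.Reader)
	ec, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("component key generation failed")
	}
	return &Composite{ed: ed, ec: ec}
}

// Sign returns a single octet string: the fixed 64-byte Ed25519 signature
// followed by the DER-encoded ECDSA signature (assumed layout, not the draft's).
func (c *Composite) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	s2, err := ecdsa.SignASN1(rand.Reader, c.ec, h[:])
	if err != nil {
		return nil, err
	}
	return append(ed25519.Sign(c.ed, msg), s2...), nil
}

// Verify splits the octet string back into its components and accepts only if
// every one verifies: that AND is what makes the composite a hedge.
func (c *Composite) Verify(msg, sig []byte) bool {
	if len(sig) <= ed25519.SignatureSize {
		return false // too short to carry both components
	}
	s1, s2 := sig[:ed25519.SignatureSize], sig[ed25519.SignatureSize:]
	h := sha256.Sum256(msg)
	return ed25519.Verify(c.ed.Public().(ed25519.PublicKey), msg, s1) &&
		ecdsa.VerifyASN1(&c.ec.PublicKey, h[:], s2)
}
```

Corrupting a single byte of either component, or truncating the octet string, makes Verify reject, which is the property a relying party needs from a hedged signature.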