IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 28 March 2022 13:29 UTC

Return-Path: <prvs=20867f6aa8=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 280183A0F46 for <spasm@ietfa.amsl.com>; Mon, 28 Mar 2022 06:29:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2SFzfb0td69B for <spasm@ietfa.amsl.com>; Mon, 28 Mar 2022 06:29:44 -0700 (PDT)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6973A3A0F40 for <spasm@ietf.org>; Mon, 28 Mar 2022 06:29:44 -0700 (PDT)
Received: from LLEX2019-1.mitll.ad.local (llex2019-1.llan.ll.mit.edu [172.25.4.123]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 22SDTfkS100231 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 28 Mar 2022 09:29:41 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=PIM3zy501by1wTwkKgWWq8ythPP0pPaEbVgBnLO3e/ANWlYmnQxxWIn45TIQJP9ef2TP7YeOVbSuhks/e9W2gpzzJHi6yVubLfcAGVJruSJDq18ptwc13LdAOrHlC0/41UZVVTdNZPm8qCx+BgHpSH329qsRlPkbGGM+yXt5CkxXl87TwgXrZlBsMYrk+mlaH8cn8Lg/2a3I6qVCTbG4J4fonNs9mylbtaONZJeL8MyRMOcXDKig9+CMMNb3TQjP6XgUbRb+VwtwKgRBfRovxYsDbwJYKz+0RHCn+3oLo9aaQjC6TbBiYwBvoSmzbwNWb4KQ1n3i7B5nbdrxZDWGYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=FRcOG/DGATlz3VeY/uVUW0nWTzDFsDh6CGoPl5ba2ZA=; b=qGVQgFWrh3EDpp0LTPR+ajo3n0I+vlPhWOSxoRgCrnpTgPmNOCoNJdQtFREwaRhCprlJCHiBRW7eQqxeALEGuD8582mHULo18F5nHef1aqQqZy/3luoVqJI4feXMNu5RpDb7Yz/KvN003iWWxAL2OSWzClUjMxo7ZHzDWxZqSyWvkvdgzLaZBiCCq6mj6lEPljv3nRCdiSEw3hFmoHYYQhDMCDiTgavLndggc9/ymUegCAStBwNgTxFM4K8zqusnIaPYk+nNJz3K8LQyY5fO5ZNyqGzTrQz8YbLi2yZ67MS6X53oIOYSZHfhA9ISyiQ6oLl9TJcOHIoH9yWJjW2eEw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Douglas Stebila <dstebila@gmail.com>
CC: LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
Thread-Index: AQHYQEyo8K0tmEpyyE6bsCxeF/uu0qzQHcQA///KyQCAAGLlAP//9lMAgAB5qQCAAsz5gIABQt4A//++FwAAAFc7gA==
Date: Mon, 28 Mar 2022 13:29:38 +0000
Message-ID: <5035389F-147B-4282-B007-945E713FEE43@ll.mit.edu>
References: <64D97E59-8FC3-40B5-A07B-AA927AF2C671@gmail.com> <5338244B-B1AC-4735-9F4A-B643663499E8@ll.mit.edu> <A8E459F0-F654-4167-A7CE-2CF5157D5D6F@gmail.com> <4CE27EF5-411F-42B5-95B2-E8719411481F@ll.mit.edu>
In-Reply-To: <4CE27EF5-411F-42B5-95B2-E8719411481F@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.58.22021501
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f66ea216-f556-4f63-14ed-08da10bf01f2
x-ms-traffictypediagnostic: BN0P110MB1125:EE_
x-microsoft-antispam-prvs: <BN0P110MB11251990502A6AF9B3970F83901D9@BN0P110MB1125.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: aw0Q9BODZjzQdcthdp1VjSZ+r/NTIXknIy7+AeSXG17cDTUYbwIDe+rJxNbOq792ys5wmdl7U+RmZV/cRwBtMeoumrrDFBUs2HHuz+lzUIxeqAl58mQ5ISf3Kj4IVIb9rEeV2/8Fcc6yzMIENV8nNpsOyUkZ4C1tIvd/1CPNXcL+uGDTUDsGl/k0iuAr0q+sGcU/PscLhoO+CPPrjtzhGodsirSXutviyk6myW6Jzw0LbZIiiRmyP1PEozcxy3uevYFXm4rC+e9IY4LTj5iN6doJ6euayr3lV9l+/LAH8BCIdPzJZ6dvA5qTeqDJpRlA65SnBUaM0HwtdbKFJIBtFikqbnVMadPiJDupltlz50uJdcIt++iZEFpGMJ3tWQf9Gt0fGUSEUXyX70X0yBq1rL6SJNZtuz4BT3frlEw50a6thpwJhC68KMb6OCBy4AJa5+ZpEGDdYmWAutVfNg/XoTENJAHGJ/YUsQOZMf9XvlLQo9XOsH55kzZ9zqAkRtlj1k0nO1467jmSghuH1EVuuYDIUQ3qCjp3JrEDMxKIHOHaLwiM1Zjhz6h8T53prKAp1s2VajK0+b0qBiXMYVLdL/m/g+ReV8inD8y9XiLgVlVUDjAzrNOPb3Hed1UBU6FeTQZDPJ2fK/ZVwQkLV/us22o0HQG9pfN+Mnt6OsMR/NTfUI+Yy0vXo4DS3cj6k3u3jvgDwslBHeXcua0ws2BCPNclSjG06DFoZ/snRcG0Wc6T2FMSMr8cvZUYoZa0ILhJv5emkfUOvj7c7ecpOsRQtA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(8936002)(6916009)(26005)(53546011)(122000001)(5660300002)(6512007)(86362001)(83380400001)(15650500001)(966005)(6486002)(186003)(75432002)(2616005)(66476007)(71200400001)(2906002)(33656002)(76116006)(6506007)(66946007)(498600001)(99936003)(66446008)(8676002)(66556008)(166002)(4326008)(64756008)(38070700005)(38100700002)(11970500015)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 4Xiieju7ZYV2G21eXoJth2zxVsgARku2Igm35WjLoHW2z3ljGrb89oQ2heDoRmtRtetKls3Xmj4dDL8pyhngfifVQsIokt6O7yh75JfwevlhSeWsNDuCn3sDskTCeJ7uAbD9FwW0VSwGR7yLN6WsEtnYxOJLKql4uFbabBTnDYTFBWU4awR7iEJf2KsjRY4GnQ6AY90xrpAIw+keXmODJ8A0nxBWuXOUNHXpsjN4fBfB70BkqnzNFY7avRN7fYb3dVYyaiYjJis3TttHNETcdJlUMHK9mhha9Or2hrzJzCoCqccH+9YXTkJxm3HSM7c87njJ/gy7SBuqBSbxlf36hjQn0TYq2HvqqK2o0ttkmG53S/cUv2Q5gd0EuZGupCso33owb6CXxByKxjpn5iYa+MYL9bb/WAjJKUfNWovhlZY=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3731304577_894292419"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: f66ea216-f556-4f63-14ed-08da10bf01f2
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2022 13:29:38.2849 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1125
X-Proofpoint-ORIG-GUID: -h0bQqsUxP5DDmJ5NW8-QF4efg9g7Off
X-Proofpoint-GUID: -h0bQqsUxP5DDmJ5NW8-QF4efg9g7Off
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.850 definitions=2022-03-28_05:2022-03-28, 2022-03-28 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxlogscore=999 adultscore=0 malwarescore=0 spamscore=0 bulkscore=0 phishscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203280077
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/FSPFSExok1ZLr0AKWS8t5tgmPZc>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 13:29:49 -0000

Along the same lines – how about “defending in depth” against block ciphers vulnerable to known-plaintext attacks and digital signatures that are easily forgeable, etc. etc.?

 

I understand the need to publish papers, but there got to be a limit in how far one pushes the assumptions.

--

V/R,

Uri

 

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

                                                                                                                                     -  C. A. R. Hoare

 

 

From: Spasm <spasm-bounces@ietf.org> on behalf of Uri Blumenthal <uri@ll.mit.edu>
Date: Monday, March 28, 2022 at 09:20
To: Douglas Stebila <dstebila@gmail.com>
Cc: LAMPS <spasm@ietf.org>, Ilari Liusvaara <ilariliusvaara@welho.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

 


Length prefixing a variable length shared secret will not avoid this type of attack.


Would you mind clarifying - what attack/type-of-attack you mean?

 

https://github.com/nimia/kdf_public#readme

 

Thanks!

It doesn't arise from ambiguity about how long something is (which is what length prefixing resolves), it arises from being able to control where certain parts of the string land with respect to a hash function block boundary.


Now you know where your 32-byte part of the string lands. Variable length would allow moving where your part of the string lands, somewhat. Still, so what? I don’t see a viable attack (assuming a decent hash function).

 

That's the whole point of this scenario -- that one is not assuming a decent hash function.

 

Bending over backwards to support screwed-up hash functions does not seem worth it in this day and age. We do know now how to construct good hashes.

 

TNX

 

 

On Mar 25, 2022, at 3:58 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

What I had in mind was something like (described loosely 😉)

SS_i ::= <len_in_bytes> || <ss_i>

Len_in_bytes ::= INTEGER (1..65536) – field taking 4 bytes
ss_i ::= symmetric shared secret obtained from the given KEM

SS_final = H(SS_1 || SS_2 || . . . || SS_n)

Sorry for sloppy handwaving, but I’m sure you understand what I mean.

TNX
--
V/R,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
                                                                                                                                   -  C. A. R. Hoare


From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Date: Friday, March 25, 2022 at 12:34
To: Uri Blumenthal <uri@ll.mit.edu>, Ilari Liusvaara <ilariliusvaara@welho.com>, LAMPS <spasm@ietf.org>
Subject: RE: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

Thanks Uri.

Can you provide the concrete construction you have in mind when you say “include the length field in the hash”? I will add a note to our composite kem combiner draft, but I do not want to mis-interpret your suggestion.

---
Mike Ounsworth
Software Security Architect, Entrust

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL
Sent: March 25, 2022 9:39 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

In general, I agree with the points Ilari made. However…

·         I think it’s good to allow SS of variable length;
·         When you allow variable length, you must include the length field into the hash;
·         I don't think padding is necessary in this case;
·         We should be careful regarding “max possible SS length”: while I don’t expect to ever see SS of, e.g., 56MB - I doubt it would stay at 32 or 48 bytes forever. I definitely don’t want to see “max possible SS len = 32”.

What’s the purpose of padding, if you included the length?

Re. RACOON attack – besides being pretty darn difficult to launch, it’s rather limited in applicability, IMHO – to the point I don’t really care. Besides, offhand, it isn’t applicable to NIST KEMs.

Thanks
-- 
V/R,
Uri


On 3/25/22, 09:50, "Spasm on behalf of Ilari Liusvaara" <spasm-bounces@ietf.org on behalf of ilariliusvaara@welho.com> wrote:

  On Fri, Mar 25, 2022 at 01:30:28PM +0000, Mike Ounsworth wrote:

So if your scenario envisions concatenating a traditional

(RSA/FFDH/ECC) shared secret and a PQ shared secret, one would want
to be sure the first component of the concatenation is not variable
length.

Another good point!

Thinking out loud: does padding solve the problem?

H(ss_1 || ss_2 || .. || ss_n)

if ss_i are each padded / truncated to, say, the security level of
the underlying hash function, does that work?


  One could solve the issue for variable length SS by adding a length
  field and padding to the maximum possible SS length. I think truncating
  is a bad idea, and could interact badly with some oddball KEMs.

  However, using KEMs with variable-length SS seems like a bad idea
  anyway. E.g., see the TLS RACCOON attack.


  -Ilari

  _______________________________________________
  Spasm mailing list
  Spasm@ietf.org
  https://www.ietf.org/mailman/listinfo/spasm
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm


_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

v2.41.0 | Report a Bug | By Email | System Status