IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

Douglas Stebila <dstebila@gmail.com> Fri, 25 March 2022 23:14 UTC

Return-Path: <dstebila@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FD3B3A0E8F for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 16:14:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dnXjqCqxm5e4 for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 16:14:05 -0700 (PDT)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72AD73A0E77 for <spasm@ietf.org>; Fri, 25 Mar 2022 16:14:05 -0700 (PDT)
Received: by mail-io1-xd2b.google.com with SMTP id h63so10599590iof.12 for <spasm@ietf.org>; Fri, 25 Mar 2022 16:14:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=LqgoQn77rF+tbh2I2/KQxoBrZfF+lUe1BGxXcaz5uLw=; b=G+AmVasXMVLAFfKW5D6JrwH8v87lTOLqsXthTjvGkt6nDEv5d13de/Oajkl2NhLYW8 aGWoYSqu6JerhBGdhaec/1gfudvSNT4J8Nwpuc84/i0fgdnXya9qX523gdm39AlXTwvw /rwe6d50/hScLTEgKWKphhjXqAGwYA2Nmwe8YCrMqLdM5Z0oISC/4khVbpg505B2iVD4 GPxdKd03P0ejq/1TJILJOt9RdwL2eFwtiNhrwDAa57Pqs1j5upRiczH0UcHInwX1oAkp SJNSr3Vcws4KBUGcgcIF06eltAa0wJiIAkkMp9hy0fdCbBm9jFpa24vts/5nkw8gmNpu DnTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=LqgoQn77rF+tbh2I2/KQxoBrZfF+lUe1BGxXcaz5uLw=; b=X+thYZIpTNl5Ka0bAvIDdFFHYF58v2qsILzbPcHtXwTf6cVNIFZI0DR7IqQDFjBOOb 9MXwpOhFLwQ+oZejNs/e/DAwxueMRUO82VdvoP7f3xKD9qv3e9bi4rokCZMgXaMCUfDy Gjiz7NGI/tDRscbbnzhLUnPL/ZE+T4+qbbvu22mWv3s1IeIn0336LsNxt9MKR0SSTN5o X1Hwo5JCxInkvPwq5o4+kWn1KY3QDxIZXh8U7QB/+2SC1jPAmhvFxLNQucIzMey60G1U wzUU62OXlR/IhX+jv9ApUqVwucdQ+DvLdBIrVfXE31TatDsQZZE12VoT64o1wLWA2gr7 7WSw==
X-Gm-Message-State: AOAM531ZlO78olb4+SMjwBDtNP95UsKA4hrjN7NMa464wr2hvXMAZV9m ZI3kkuqAaPMxvpZVWitaNJw=
X-Google-Smtp-Source: ABdhPJwpPRriHuqudMe1v1YwWoiF1f+EeuU86hXlzhCStmXasLpcWPObSpSIMN2yZmF2vjAuDdwGkg==
X-Received: by 2002:a05:6638:1302:b0:321:41a3:afda with SMTP id r2-20020a056638130200b0032141a3afdamr7182791jad.254.1648250044368; Fri, 25 Mar 2022 16:14:04 -0700 (PDT)
Received: from laptop-picard.coleridge (cpe881fa12cf37b-cma84e3fc93e50.cpe.net.cable.rogers.com. [99.250.203.26]) by smtp.gmail.com with ESMTPSA id n7-20020a056e021ba700b002c63098855csm3532152ili.23.2022.03.25.16.14.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 25 Mar 2022 16:14:03 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Douglas Stebila <dstebila@gmail.com>
In-Reply-To: <7C1A852F-0433-4E58-8A56-E3CB74CB7FA3@ll.mit.edu>
Date: Fri, 25 Mar 2022 19:14:02 -0400
Cc: Mike Ounsworth <Mike.Ounsworth@entrust.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, LAMPS <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <64D97E59-8FC3-40B5-A07B-AA927AF2C671@gmail.com>
References: <CH0PR11MB5739B640691C4692D6343E219F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <LO0P123MB404186BF69C1FCC6275E7560D71A9@LO0P123MB4041.GBRP123.PROD.OUTLOOK.COM> <CH0PR11MB5739C9106FBE6D82E6B1EC1D9F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <19CA2384-E8A9-4E8F-9AA7-F8175393F065@gmail.com> <CH0PR11MB5739FFCC0723B521224BE9C59F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <Yj3IeJaGWX02kBk4@LK-Perkele-VII2.locald> <B9BA6885-4AF4-4BC0-9280-C39DB569603E@ll.mit.edu> <CH0PR11MB573988FA4304F34C8892F55F9F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <7C1A852F-0433-4E58-8A56-E3CB74CB7FA3@ll.mit.edu>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/IjD-5sTV5_y4Z0haHfK0aiDva3k>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2022 23:14:11 -0000

Length prefixing a variable length shared secret will not avoid this type of attack.  It doesn't arise from ambiguity about how long something is (which is what length prefixing resolves), it arises from being able to control where certain parts of the string land with respect to a hash function block boundary.

Douglas


> On Mar 25, 2022, at 3:58 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> 
> What I had in mind was something like (described loosely šŸ˜‰)
>  
> SS_i ::= <len_in_bytes> || <ss_i>
>  
> Len_in_bytes ::= INTEGER (1..65536) ā€“ field taking 4 bytes
> ss_i ::= symmetric shared secret obtained from the given KEM
>  
> SS_final = H(SS_1 || SS_2 || . . . || SS_n)
>  
> Sorry for sloppy handwaving, but Iā€™m sure you understand what I mean.
>  
> TNX
> --
> V/R,
> Uri
>  
> There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
> The other is to make it so complex there are no obvious deficiencies.
>                                                                                                                                      -  C. A. R. Hoare
>  
>  
> From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
> Date: Friday, March 25, 2022 at 12:34
> To: Uri Blumenthal <uri@ll.mit.edu>, Ilari Liusvaara <ilariliusvaara@welho.com>, LAMPS <spasm@ietf.org>
> Subject: RE: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
>  
> Thanks Uri.
>  
> Can you provide the concrete construction you have in mind when you say ā€œinclude the length field in the hashā€? I will add a note to our composite kem combiner draft, but I do not want to mis-interpret your suggestion.
>  
> ---
> Mike Ounsworth
> Software Security Architect, Entrust
>  
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL
> Sent: March 25, 2022 9:39 AM
> To: Ilari Liusvaara <ilariliusvaara@welho.com>; LAMPS <spasm@ietf.org>
> Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
>  
> In general, I agree with the points Ilari made. Howeverā€¦
>  
> Ā·         I think itā€™s good to allow SS of variable length;
> Ā·         When you allow variable length, you must include the length field into the hash;
> Ā·         I don't think padding is necessary in this case;
> Ā·         We should be careful regarding ā€œmax possible SS lengthā€: while I donā€™t expect to ever see SS of, e.g., 56MB - I doubt it would stay at 32 or 48 bytes forever. I definitely donā€™t want to see ā€œmax possible SS len = 32ā€.
>  
> Whatā€™s the purpose of padding, if you included the length?
>  
> Re. RACOON attack ā€“ besides being pretty darn difficult to launch, itā€™s rather limited in applicability, IMHO ā€“ to the point I donā€™t really care. Besides, offhand, it isnā€™t applicable to NIST KEMs.
>  
> Thanks
> -- 
> V/R,
> Uri
>  
>  
> On 3/25/22, 09:50, "Spasm on behalf of Ilari Liusvaara" <spasm-bounces@ietf.org on behalf of ilariliusvaara@welho.com> wrote:
>  
>     On Fri, Mar 25, 2022 at 01:30:28PM +0000, Mike Ounsworth wrote:
>     > > So if your scenario envisions concatenating a traditional
>     > (RSA/FFDH/ECC) shared secret and a PQ shared secret, one would want
>     > to be sure the first component of the concatenation is not variable
>     > length.
>     > 
>     > Another good point!
>     > 
>     > Thinking out loud: does padding solve the problem?
>     > 
>     > H(ss_1 || ss_2 || .. || ss_n)
>     > 
>     > if ss_i are each padded / truncated to, say, the security level of
>     > the underlying hash function, does that work?
>  
>     One could solve the issue for variable length SS by adding a length
>     field and padding to the maximum possible SS length. I think truncating
>     is a bad idea, and could interact badly with some oddball KEMs.
>  
>     However, using KEMs with variable-length SS seems like a bad idea
>     anyway. E.g., see the TLS RACCOON attack.
>  
>  
>     -Ilari
>  
>     _______________________________________________
>     Spasm mailing list
>     Spasm@ietf.org
>     https://www.ietf.org/mailman/listinfo/spasm
> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.40.3 | Report a Bug | By Email | System Status