IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 25 March 2022 19:58 UTC

Return-Path: <prvs=1083d2975a=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CAD33A07A0 for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 12:58:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.905
X-Spam-Level:
X-Spam-Status: No, score=-0.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MAY_BE_FORGED=1, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XYuNQiWZp26H for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 12:58:45 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEF523A0524 for <spasm@ietf.org>; Fri, 25 Mar 2022 12:58:44 -0700 (PDT)
Received: from LLEX2019-2.mitll.ad.local (llex2019-2.llan.ll.mit.edu [172.25.4.124] (may be forged)) by MX2.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 22PJwe10269740 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 25 Mar 2022 15:58:40 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=ALGNSm8jLxe1K4HMNPkSmoWs4QxAArD59gTMvMsbjOjdZeXFFqYeCb6kW42EzgIfQJ/t3xUsneHodVjuLOLXLUj//xQEmcwiNqsqQaRu4VJBWMa7OyX+scaEpIF5hxCIwwvYvTPt9bbnmCentMV2eN8aLIE3NpSnnfcSGzg6qjNAADHK7AORDihb1IImnuUxRNEst+ubiws/O7ut4I6SrcI+yljxJPsgSfSbKjIFWqz+1NcrXhd+mOwrFldT7p2IZg9q2stEgLO1UeldCnbFdmxN3SbqHe1P+BcNu0f7jn1uVXZMrcb03ExeH0ZAy8sFZaJJALftKY8i4PakBzoFZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=U0i43u/1KyqTVVSHpAfnRjX/eEZkLVYjiPBNCoZTAJ8=; b=un3bbJbVb7eWZmapI0MVaFFdHz6RwWaUIswXXEdOILai6mIQiDvCIZL3v0hIJRhZlK5SgvL+jwtSvCozYJBHAdjLz8VuF4yR0O5mZmgvwqpEbPX1wWmOvBChYjQ8H1QXBXvIMmk+R1W+hs+xKDyvCEGPQx2ix3Ua3AAMQBIuudWfOJ3vufte1bLfWLyYb0Hb0ZgqhLorUI5KKrip+ox5n4OeeTFFp+tiJ5VQrkVAJtRz+SQLLLvBs3/W/5XBJKgBEAYJUq74W8lD9OAI4pqN4GIR0GuXtMLqmTFuSx18d6CEa3HFJ+Fn5lQiatvA9DILZv0j4+cIzRMTdcrt/+3Fwg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
Thread-Index: AQHYQEyo8K0tmEpyyE6bsCxeF/uu0qzQHcQA///KyQCAAGLlAP//9lMA
Date: Fri, 25 Mar 2022 19:58:37 +0000
Message-ID: <7C1A852F-0433-4E58-8A56-E3CB74CB7FA3@ll.mit.edu>
References: <CH0PR11MB5739B640691C4692D6343E219F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <LO0P123MB404186BF69C1FCC6275E7560D71A9@LO0P123MB4041.GBRP123.PROD.OUTLOOK.COM> <CH0PR11MB5739C9106FBE6D82E6B1EC1D9F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <19CA2384-E8A9-4E8F-9AA7-F8175393F065@gmail.com> <CH0PR11MB5739FFCC0723B521224BE9C59F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <Yj3IeJaGWX02kBk4@LK-Perkele-VII2.locald> <B9BA6885-4AF4-4BC0-9280-C39DB569603E@ll.mit.edu> <CH0PR11MB573988FA4304F34C8892F55F9F1A9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB573988FA4304F34C8892F55F9F1A9@CH0PR11MB5739.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.58.22021501
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f3b6d05a-f2cd-42a1-44fc-08da0e99d9ec
x-ms-traffictypediagnostic: BN0P110MB1643:EE_
x-microsoft-antispam-prvs: <BN0P110MB1643B7150F14D9A62034EE6A901A9@BN0P110MB1643.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: L2pwPVvNIwoUwCcKDmzFS7Juai0NLaSqOvDgRaPvgTW0N/KC5/KessbsJ4LX2EFg/FWAAo8/EKcMPLvba9MXaCdnaOvBzl1gv3yi5tDX8Q/46umMUmx7Y/LkRfeqzg5TtqrXhwTHUNIqtKo0ROVRp2qqnFe1VvNdygX6NXMQbIRhvSl3Rb/qMduIt8LuT+WwiluBJce7OcnDcqAJzA570bjayElnFXRKcUqHv9iWx5lkd31edD14n7pkX+nu9VmfGOMBmz/DxTLM49wd213CXUa6haAnoWUcn9veiITxZH0VciL/VwyjlYhGIinBManeBSXyQr3x7Fd0TMh8Pm4cJUiKIe8wfl94Rhuk+NhLrOPkpUC1Ozh3p/rwPZZnD+FLRiSdJzm5fP+uuGcGV2HCYvaxZUtfyymMJate9d8QiouQZEX79hSGnd00iWvPw23vjNHZ9pFkuDdiLRwUa93I4SnFAdHYSRSAPwJRi0a3xbDkGBB1KsDBNMrt5YPFWzFwN48Q1QNYNSZbto6S7L+CC5/r40yMwNycVBDGuR2kB+iewNiKW45PQG07PXi/tgqmmbenfm8+e5DJWHUyeNDt2LcKDNbSsr8tQjQB1So/eyhHJLBjwiKAt/p3QjI0jWogFrFQC7rAMIPDyD9uJQptZp3ZcIwOMYOgw9LxLvKjjplxbT4ensF17KFeQwjMM3AcGs2nuKUES4o1Ox4tpjVYGCvWZTLSFC9NMTlaSx02fej+MviIAHEG0LAI4BuuSWTOdOI0FD08pSJymE5trfhyxQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(53546011)(66556008)(316002)(110136005)(166002)(15650500001)(6506007)(99936003)(71200400001)(2906002)(66946007)(8936002)(6512007)(5660300002)(8676002)(2616005)(66476007)(33656002)(66446008)(75432002)(76116006)(38070700005)(966005)(83380400001)(6486002)(38100700002)(122000001)(186003)(86362001)(26005)(64756008)(508600001)(11970500015)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: RDyHMoc/dvjgRSeqlONIlpXgoZM6Y09foQGSpM519E6LXtWCtPu17y5O0WdE42D8CRfY6c3a+6JhCZS92bz/mDyKMhwuPc14ziCBu+o+7jCKmdkbBBhrVsiF7J19yzhuJBhfA80HW7948+Gdn+AXrg==
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3731068716_1895553888"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: f3b6d05a-f2cd-42a1-44fc-08da0e99d9ec
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Mar 2022 19:58:37.4490 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1643
X-Proofpoint-GUID: ZmPZNnePrjEZXHT5W4z3gP-RTSQZvZ8b
X-Proofpoint-ORIG-GUID: ZmPZNnePrjEZXHT5W4z3gP-RTSQZvZ8b
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.850 definitions=2022-03-25_06:2022-03-24, 2022-03-25 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 spamscore=0 adultscore=0 malwarescore=0 bulkscore=0 suspectscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203250110
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/UUxiySWDznU0QDXJWgKHMB3ZWaE>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2022 19:58:50 -0000

What I had in mind was something like (described loosely šŸ˜‰)

 

SS_i ::= <len_in_bytes> || <ss_i>

 

Len_in_bytes ::= INTEGER (1..65536) ā€“ field taking 4 bytes

ss_i ::= symmetric shared secret obtained from the given KEM

 

SS_final = H(SS_1 || SS_2 || . . . || SS_n)

 

Sorry for sloppy handwaving, but Iā€™m sure you understand what I mean.

 

TNX

--

V/R,

Uri

 

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

                                                                                                                                     -  C. A. R. Hoare

 

 

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Date: Friday, March 25, 2022 at 12:34
To: Uri Blumenthal <uri@ll.mit.edu>, Ilari Liusvaara <ilariliusvaara@welho.com>, LAMPS <spasm@ietf.org>
Subject: RE: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

 

Thanks Uri.

 

Can you provide the concrete construction you have in mind when you say ā€œinclude the length field in the hashā€? I will add a note to our composite kem combiner draft, but I do not want to mis-interpret your suggestion.

 

---
Mike Ounsworth
Software Security Architect, Entrust

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL
Sent: March 25, 2022 9:39 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

 

In general, I agree with the points Ilari made. Howeverā€¦

 

Ā·         I think itā€™s good to allow SS of variable length;

Ā·         When you allow variable length, you must include the length field into the hash;

Ā·         I don't think padding is necessary in this case;

Ā·         We should be careful regarding ā€œmax possible SS lengthā€: while I donā€™t expect to ever see SS of, e.g., 56MB - I doubt it would stay at 32 or 48 bytes forever. I definitely donā€™t want to see ā€œmax possible SS len = 32ā€.

 

Whatā€™s the purpose of padding, if you included the length?

 

Re. RACOON attack ā€“ besides being pretty darn difficult to launch, itā€™s rather limited in applicability, IMHO ā€“ to the point I donā€™t really care. Besides, offhand, it isnā€™t applicable to NIST KEMs.

 

Thanks

-- 

V/R,

Uri

 

 

On 3/25/22, 09:50, "Spasm on behalf of Ilari Liusvaara" <spasm-bounces@ietf.org on behalf of ilariliusvaara@welho.com> wrote:

 

    On Fri, Mar 25, 2022 at 01:30:28PM +0000, Mike Ounsworth wrote:

    > > So if your scenario envisions concatenating a traditional

    > (RSA/FFDH/ECC) shared secret and a PQ shared secret, one would want

    > to be sure the first component of the concatenation is not variable

    > length.

    > 

    > Another good point!

    > 

    > Thinking out loud: does padding solve the problem?

    > 

    > H(ss_1 || ss_2 || .. || ss_n)

    > 

    > if ss_i are each padded / truncated to, say, the security level of

    > the underlying hash function, does that work?

 

    One could solve the issue for variable length SS by adding a length

    field and padding to the maximum possible SS length. I think truncating

    is a bad idea, and could interact badly with some oddball KEMs.

 

    However, using KEMs with variable-length SS seems like a bad idea

    anyway. E.g., see the TLS RACCOON attack.

 

 

    -Ilari

 

    _______________________________________________

    Spasm mailing list

    Spasm@ietf.org

    https://www.ietf.org/mailman/listinfo/spasm

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

v2.40.4 | Report a Bug | By Email | System Status