Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 25 March 2022 16:33 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Ilari Liusvaara <ilariliusvaara@welho.com>, LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
Thread-Index: AQHYQE8813y0p/wZC0iR1Pq22T5aCqzQK5eAgAAfSYA=
Date: Fri, 25 Mar 2022 16:33:14 +0000
Message-ID: <CH0PR11MB573988FA4304F34C8892F55F9F1A9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CH0PR11MB5739B640691C4692D6343E219F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <LO0P123MB404186BF69C1FCC6275E7560D71A9@LO0P123MB4041.GBRP123.PROD.OUTLOOK.COM> <CH0PR11MB5739C9106FBE6D82E6B1EC1D9F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <19CA2384-E8A9-4E8F-9AA7-F8175393F065@gmail.com> <CH0PR11MB5739FFCC0723B521224BE9C59F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <Yj3IeJaGWX02kBk4@LK-Perkele-VII2.locald> <B9BA6885-4AF4-4BC0-9280-C39DB569603E@ll.mit.edu>
In-Reply-To: <B9BA6885-4AF4-4BC0-9280-C39DB569603E@ll.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/b4yZW1dZQRDDMF3wWcJjEsAL4uM>

Thanks Uri.

Can you provide the concrete construction you have in mind when you say “include the length field in the hash”? I will add a note to our composite kem combiner draft, but I do not want to misinterpret your suggestion.

---
Mike Ounsworth
Software Security Architect, Entrust

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL
Sent: March 25, 2022 9:39 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

In general, I agree with the points Ilari made. However…

  *   I think it’s good to allow SS of variable length;
  *   When you allow variable length, you must include the length field into the hash;
  *   I don't think padding is necessary in this case;
  *   We should be careful regarding “max possible SS length”: while I don’t expect to ever see SS of, e.g., 56MB - I doubt it would stay at 32 or 48 bytes forever. I definitely don’t want to see “max possible SS len = 32”.

What’s the purpose of padding, if you included the length?

Re. RACCOON attack – besides being pretty darn difficult to launch, it’s rather limited in applicability, IMHO – to the point I don’t really care. Besides, offhand, it isn’t applicable to NIST KEMs.

Thanks
--
V/R,
Uri

On 3/25/22, 09:50, "Spasm on behalf of Ilari Liusvaara" <spasm-bounces@ietf.org on behalf of ilariliusvaara@welho.com> wrote:

    On Fri, Mar 25, 2022 at 01:30:28PM +0000, Mike Ounsworth wrote:
    > > So if your scenario envisions concatenating a traditional
    > (RSA/FFDH/ECC) shared secret and a PQ shared secret, one would want
    > to be sure the first component of the concatenation is not variable
    > length.
    >
    > Another good point!
    >
    > Thinking out loud: does padding solve the problem?
    >
    > H(ss_1 || ss_2 || .. || ss_n)
    >
    > if ss_i are each padded / truncated to, say, the security level of
    > the underlying hash function, does that work?

    One could solve the issue for variable length SS by adding a length
    field and padding to the maximum possible SS length. I think truncating
    is a bad idea, and could interact badly with some oddball KEMs.

    However, using KEMs with variable-length SS seems like a bad idea
    anyway. E.g., see the TLS RACCOON attack.

    -Ilari

    _______________________________________________
    Spasm mailing list
    Spasm@ietf.org
    https://www.ietf.org/mailman/listinfo/spasm

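Added illustration of the point under discussion (not code from the thread or from the composite KEM draft): hashing the plain concatenation H(ss_1 || ss_2) cannot tell where a variable-length first component ends, whereas a length-prefixed encoding is invertible, so the length field alone removes the ambiguity and no padding to a "max possible SS length" is needed for that purpose. The 4-byte big-endian length fields, the component count, and SHA-256 as a stand-in for the KDF are this example's assumptions, and the two shared-secret pairs are constructed inputs.

```python
import hashlib
import struct


def encode_concat(secrets):
    """Plain concatenation ss_1 || ss_2 || ... || ss_n, as written in the thread."""
    return b"".join(secrets)


def encode_length_prefixed(secrets):
    """Count, then (len_i || ss_i) per component. The 4-byte big-endian
    length field is an assumption of this example, not any draft's format."""
    out = struct.pack(">I", len(secrets))
    for ss in secrets:
        out += struct.pack(">I", len(ss)) + ss
    return out


def decode_length_prefixed(data):
    """Inverse of encode_length_prefixed; raises ValueError on malformed input.
    Having this inverse is exactly what makes the encoding injective."""
    count, = struct.unpack_from(">I", data, 0)
    pos, secrets = 4, []
    for _ in range(count):
        if pos + 4 > len(data):
            raise ValueError("truncated length field")
        n, = struct.unpack_from(">I", data, pos)
        pos += 4
        if pos + n > len(data):
            raise ValueError("truncated shared secret")
        secrets.append(data[pos:pos + n])
        pos += n
    if pos != len(data):
        raise ValueError("trailing bytes after last component")
    return secrets


def combine(secrets, encode):
    """KDF stand-in: SHA-256 over the chosen encoding of the components."""
    return hashlib.sha256(encode(secrets)).digest()


# Constructed inputs: two different component pairs whose plain concatenation
# is byte-for-byte identical because the first component is variable length.
PAIR_A = [b"\x01\x02\x03", b"\x04\x05\x06\x07\x08"]
PAIR_B = [b"\x01\x02\x03\x04", b"\x05\x06\x07\x08"]


def concat_collides():
    return combine(PAIR_A, encode_concat) == combine(PAIR_B, encode_concat)


def length_prefixed_collides():
    return combine(PAIR_A, encode_length_prefixed) == combine(PAIR_B, encode_length_prefixed)
```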