IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 28 March 2022 13:20 UTC

Return-Path: <prvs=20867f6aa8=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A82143A0DD4 for <spasm@ietfa.amsl.com>; Mon, 28 Mar 2022 06:20:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rPjYezhye1Xv for <spasm@ietfa.amsl.com>; Mon, 28 Mar 2022 06:20:00 -0700 (PDT)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F8AB3A0DE2 for <spasm@ietf.org>; Mon, 28 Mar 2022 06:20:00 -0700 (PDT)
Received: from LLEX2019-3.mitll.ad.local (llex2019-3.llan.ll.mit.edu [172.25.4.125]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 22SDJto1092060 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 28 Mar 2022 09:19:55 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=R7P04L4QvMep1OC2VjByfahuXWzzewg7YQpJ6kZ794AqUOokYBkre7U1Rzraegx8klS0SgIn5lHUqb02N2bnYrbeN5pA8ckwjpx3ZTDN7lMQqeGGTlmaQC4OB9RsFSKwb9YmvH14sFy+EsIfS3m4AuWjVVxf7CAn5gccRmXyz7ekN9vKlpDHY7WeQq5ZfttPftQpF/mkxYtP9zkbDdW5RCaO/wFVW0hu1dwtwCU1HXrM/1lOHmA3U47I+shWs3Tdt93cS3YV9dCPLdQpsVVXSjMxzetKGqYG+oJ0/Z39RPd3ZOmpHaL0gLLlcaUo7wFrEqHhdEqnHCaul4CXPxR/ow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yTU9YrwxzC2hdKcCTZILGi354hu56q9l8AWPTsSQdqQ=; b=w3Alo2rPcqsk+93GD+76LN+Mv5E33tj7M7Obaw/2hw69qcI6Fnao+faWKuCod5WpKH5uIjb5W6Lm1CFqrnxnD8HVd+shr5948zQPoqBRpEAScHKRWM58JWsM0xiRrsaY/afU46ELeZz9E77PlyIYiyVbocYe5FuDUitXcjta7jM28d7IhVxK3GbES4cfcXAGF6qkVvRTomUZUIPIBPamtjo/VgRc5xyFnOApmNkOwa+sylNRfTo6cTLrQJi1i+C41OnnOvaelrR+vhwZwBPuahBrtS1qT9crQRHNgVPJmvI3hLkXmFkqUb4OMBDgT5rvNl1kdKTJgmmw8vg0avQmGQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Douglas Stebila <dstebila@gmail.com>
CC: LAMPS <spasm@ietf.org>, Ilari Liusvaara <ilariliusvaara@welho.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
Thread-Topic: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
Thread-Index: AQHYQEyo8K0tmEpyyE6bsCxeF/uu0qzQHcQA///KyQCAAGLlAP//9lMAgAB5qQCAAsz5gIABQt4A//++FwA=
Date: Mon, 28 Mar 2022 13:19:53 +0000
Message-ID: <4CE27EF5-411F-42B5-95B2-E8719411481F@ll.mit.edu>
References: <64D97E59-8FC3-40B5-A07B-AA927AF2C671@gmail.com> <5338244B-B1AC-4735-9F4A-B643663499E8@ll.mit.edu> <A8E459F0-F654-4167-A7CE-2CF5157D5D6F@gmail.com>
In-Reply-To: <A8E459F0-F654-4167-A7CE-2CF5157D5D6F@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.58.22021501
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 55e6d83f-5afd-4f59-e8f9-08da10bda57c
x-ms-traffictypediagnostic: BN0P110MB1292:EE_
x-microsoft-antispam-prvs: <BN0P110MB129218BDCAB76BA7BC5CFD21901D9@BN0P110MB1292.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: pnh32v1DmnJGPmoLDfOAv8xky5uN3LZXxRJ3AsUgxcBp658Yp0aZqyLQRWK/sZRy18FvsKI4H3wXpOxUbjr3AeKkPvMLH69dTCkrYrNQ91IVE+SDlERYuzs65iAE0YoNKuGiw9vQeAe0SlIvxjuzvlI0sSMrS+Ap4OGcrKCBv3GmccepyDXfwtsP/s8y66AdUAPWVpqXT6rS250I1ToK4mt1L9Mxpq95tZmSssUci5xVt0CQ1o2SuenQbpZYdBrL7ZbIhUhXWabJW+bzTkSmJYDCHI7vvefc7ZIQj6P2kY+2RotrOCQfrR1CaLF5Iv5QIimVdrySd/bHRN3Lgb5P0ieauERFHb04v2NzyYbqIml9lUx36KLB/xC4ey90NbBttWDr0ZVDk7piV1GZw3p852R6Ht58ahfzsYaXLWCM2ZvxiIAkNi0x6DDbrkt7wFnsRT3tJccyP4ZQRNRsqZbGQ/YJn2ytAix88rtyh+/CQxJl0rMpOn4jfimw/Gq+3lQgeSBAREY6hHIXxWrppnAYGHerFNzPaWr7MN2Y4+Uw79V+vDXJ13FosYiTSCJxRQoNN15tZvJDSnR4OvENG/XdiyNs0iCTduX2dO5aWvZj9romdzyLTjdQY0TkR+8l+mV61bt7c0fjq0HUT9c1oL1Atx0mEtwtjfoHh2r460qTQDcgOgc1A/HjxsLtB22sYZqdCcNOfz0C2A6bpSl8N2yujcIMuvEdp5hSCev8bDORKoU1oGSvSgmhNRd+uOhd+Rc93ei5bnlLlZDvk2g8qikV2w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(166002)(86362001)(122000001)(33656002)(38070700005)(6512007)(75432002)(66476007)(8676002)(76116006)(99936003)(54906003)(38100700002)(316002)(6916009)(4326008)(66946007)(2906002)(64756008)(83380400001)(508600001)(15650500001)(66556008)(8936002)(71200400001)(2616005)(186003)(26005)(966005)(6486002)(5660300002)(6506007)(53546011)(66446008)(11970500015)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: DnZYONfAUcgDCpJPcjrQfIzxn9rv3+LtlLl/BhdYf5efHo6+CvnnDYTLXiWhazo/4DyPMBaiwuIZRaqEsT3uX78YcI6vNV5MwLRD/OtichxQqaexfdRKJrcs1lAoXE1BYnhQkZHuv3T2SFTTxKDgLAw3lSJARUGTzviJFbM9oYwV9cwteYQXUFIZaojwPOheNR68Xn8SNYbAKRGT4SYtr73dCN1VtkBPE0XY3g5d6BZJ5AuoibVq/TiYi73ZEvXxwtqVJvU45A3FgAaxer0Um0YkEiCrhx/x4rFKo/BSAGIvgXHXk/c0IHQdMjH6fIvc37xCtymw2jqaDIjjeNQCf4Nz3brXa8jjK9r55vzzrPSNyrEyKZLocZRlispB2Fhvnirn2FRAegxdsbPCss28ZoPVIXjfFbCriNWRc6ZLNV4=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3731303993_1316041182"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 55e6d83f-5afd-4f59-e8f9-08da10bda57c
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2022 13:19:53.7012 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1292
X-Proofpoint-ORIG-GUID: AYiNz2EmJIwragMuWNLf6pLLUtTO4Q9g
X-Proofpoint-GUID: AYiNz2EmJIwragMuWNLf6pLLUtTO4Q9g
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.850 definitions=2022-03-28_05:2022-03-28, 2022-03-28 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxlogscore=999 adultscore=0 malwarescore=0 spamscore=0 bulkscore=0 phishscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203280077
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kbkZCmnQ_kOBhVE8419rmMRNpIE>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 13:20:06 -0000

Length prefixing a variable length shared secret will not avoid this type of attack.


Would you mind clarifying - what attack/type-of-attack you mean?

 

https://github.com/nimia/kdf_public#readme

 

Thanks!

It doesn't arise from ambiguity about how long something is (which is what length prefixing resolves), it arises from being able to control where certain parts of the string land with respect to a hash function block boundary.


Now you know where your 32-byte part of the string lands. Variable length would allow moving where your part of the string lands, somewhat. Still, so what? I donā€™t see a viable attack (assuming a decent hash function).

 

That's the whole point of this scenario -- that one is not assuming a decent hash function.

 

Bending over backwards to support screwed-up hash functions does not seem worth it in this day and age. We do know now how to construct good hashes.

 

TNX

 




On Mar 25, 2022, at 3:58 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

What I had in mind was something like (described loosely šŸ˜‰)

SS_i ::= <len_in_bytes> || <ss_i>

Len_in_bytes ::= INTEGER (1..65536) ā€“ field taking 4 bytes
ss_i ::= symmetric shared secret obtained from the given KEM

SS_final = H(SS_1 || SS_2 || . . . || SS_n)

Sorry for sloppy handwaving, but Iā€™m sure you understand what I mean.

TNX
--
V/R,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
                                                                                                                                   -  C. A. R. Hoare


From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Date: Friday, March 25, 2022 at 12:34
To: Uri Blumenthal <uri@ll.mit.edu>, Ilari Liusvaara <ilariliusvaara@welho.com>, LAMPS <spasm@ietf.org>
Subject: RE: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

Thanks Uri.

Can you provide the concrete construction you have in mind when you say ā€œinclude the length field in the hashā€? I will add a note to our composite kem combiner draft, but I do not want to mis-interpret your suggestion.

---
Mike Ounsworth
Software Security Architect, Entrust

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL
Sent: March 25, 2022 9:39 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

In general, I agree with the points Ilari made. Howeverā€¦

Ā·         I think itā€™s good to allow SS of variable length;
Ā·         When you allow variable length, you must include the length field into the hash;
Ā·         I don't think padding is necessary in this case;
Ā·         We should be careful regarding ā€œmax possible SS lengthā€: while I donā€™t expect to ever see SS of, e.g., 56MB - I doubt it would stay at 32 or 48 bytes forever. I definitely donā€™t want to see ā€œmax possible SS len = 32ā€.

Whatā€™s the purpose of padding, if you included the length?

Re. RACOON attack ā€“ besides being pretty darn difficult to launch, itā€™s rather limited in applicability, IMHO ā€“ to the point I donā€™t really care. Besides, offhand, it isnā€™t applicable to NIST KEMs.

Thanks
-- 
V/R,
Uri


On 3/25/22, 09:50, "Spasm on behalf of Ilari Liusvaara" <spasm-bounces@ietf.org on behalf of ilariliusvaara@welho.com> wrote:

  On Fri, Mar 25, 2022 at 01:30:28PM +0000, Mike Ounsworth wrote:


So if your scenario envisions concatenating a traditional

(RSA/FFDH/ECC) shared secret and a PQ shared secret, one would want
to be sure the first component of the concatenation is not variable
length.

Another good point!

Thinking out loud: does padding solve the problem?

H(ss_1 || ss_2 || .. || ss_n)

if ss_i are each padded / truncated to, say, the security level of
the underlying hash function, does that work?


  One could solve the issue for variable length SS by adding a length
  field and padding to the maximum possible SS length. I think truncating
  is a bad idea, and could interact badly with some oddball KEMs.

  However, using KEMs with variable-length SS seems like a bad idea
  anyway. E.g., see the TLS RACCOON attack.


  -Ilari

  _______________________________________________
  Spasm mailing list
  Spasm@ietf.org
  https://www.ietf.org/mailman/listinfo/spasm
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm


_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

v2.41.0 | Report a Bug | By Email | System Status