IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 25 March 2022 13:30 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 633CE3A1269 for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 06:30:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nSctanV4AUeR for <spasm@ietfa.amsl.com>; Fri, 25 Mar 2022 06:30:36 -0700 (PDT)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC2983A125E for <spasm@ietf.org>; Fri, 25 Mar 2022 06:30:35 -0700 (PDT)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 22P6sBw4017048; Fri, 25 Mar 2022 08:30:31 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=mail1; bh=fk87Cd0l6UPfYlOnnDk7guM80EKOsEH9JTx3X7Xw9Rs=; b=SXN9tlYOmm7DYsabbEZJ3aw1EWOdUTZK7oedcqF3ElzzAwaM6Gi/l+z5PLoWAsEhQVO9 T08lE9sYUj2niCqfvn0y6XEMp02cxwN6QmqRz0qrlKou55iRqoZyTi90X+atAcO7a6LF OIWH15N4yBaCdfoX8StSMgPBho2maMA85qmHvho5M1EdUslOhP10eyBvj3+Ydrff7XAj XZUX8nZ6sev0tLJuELd8b2g6VSpZuqW5FLxitRDmBGHyxmTNWx0csl/rHsKcCme8Xwct yvgelgVcB1Ei11zXWo3RAmqgU/TgjJuCu8O5308NVR2RcWWVcixDuQvWzr89h/qQIlBH 5g==
Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1anam02lp2043.outbound.protection.outlook.com [104.47.57.43]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3ewbv1u517-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 25 Mar 2022 08:30:31 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FvSnE49K9fzlkEU9IkARANbw/P5UT/3P0KbUcRu/pM3qFlZm9MCr56tkf0yEwwSWExKXCRWp1esz2crt443GveKipNXLvxq31/HXyrOF3/6BUwPhYN2gZLnZdRosrg1C783n1h/8eveBrMDbwgZit5cgal2OU1y7laKV6VVPheuyPQYJeM9yW7Vn4np41Tp69zLKkQYEbc/IuOSUBzo5ee3P03ZKRAq0NZVzgEbPVumOJIqjTCPPbomUaEwE9074N2I2bWbA0bZGmUv1WGJHtzCkMPsG5U4wv9Y12OR4IdHIeuvHPW6MJOWPoQco+TTKkYvGei/VjMOxTDPMLMATDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=fk87Cd0l6UPfYlOnnDk7guM80EKOsEH9JTx3X7Xw9Rs=; b=lUZgCmRCdUtBDKnl8r+aDe0fdeWye5ss6DeEqTZkPAUHq3tIiwd5dtIv4bdpbdT9ohYSmsbxcTPT5wLQKgj2OZPg91/0IQF5nDqpsExTAyYHFZ0bC/e0jeOOLvIszHhiAMOC4Ey37dhqqhNQc0JlR3Yf5QrVLfP8uO7gpO8hS/eoZpLjmHWH8JMUL6d161gn3Ccsu8w5EKlBSeluk27UuxWWR+roWXhTsZn4t8Fe5jf2gzHr4NxtRvzE23EqcAvzmSfR6lb69uhpWkc3EkfAhKOqP0bkGYU7tAFHi1RGUi/FHTOYYPWYvJfVC+WBM8KaW4tplpHOeJN0y4C2GNTNsA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by MWHPR11MB1789.namprd11.prod.outlook.com (2603:10b6:300:108::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5081.17; Fri, 25 Mar 2022 13:30:28 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::305d:3a11:c1f0:e5e8]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::305d:3a11:c1f0:e5e8%7]) with mapi id 15.20.5102.017; Fri, 25 Mar 2022 13:30:28 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Douglas Stebila <dstebila@gmail.com>
CC: Florence D <Florence.D=40ncsc.gov.uk@dmarc.ietf.org>, LAMPS <spasm@ietf.org>, Nimrod Aviram <nimrod.aviram@gmail.com>
Thread-Topic: [EXTERNAL] Re: [lamps] Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
Thread-Index: AQHYQEmUH9N98Gv8HEWUkbx2SV4yt6zQEuUggAADo4CAAAD5AA==
Date: Fri, 25 Mar 2022 13:30:28 +0000
Message-ID: <CH0PR11MB5739FFCC0723B521224BE9C59F1A9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CH0PR11MB5739B640691C4692D6343E219F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <LO0P123MB404186BF69C1FCC6275E7560D71A9@LO0P123MB4041.GBRP123.PROD.OUTLOOK.COM> <CH0PR11MB5739C9106FBE6D82E6B1EC1D9F1A9@CH0PR11MB5739.namprd11.prod.outlook.com> <19CA2384-E8A9-4E8F-9AA7-F8175393F065@gmail.com>
In-Reply-To: <19CA2384-E8A9-4E8F-9AA7-F8175393F065@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 541a3114-a98e-4887-dd4e-08da0e63a08b
x-ms-traffictypediagnostic: MWHPR11MB1789:EE_
x-microsoft-antispam-prvs: <MWHPR11MB1789F764F91813D9A563F9299F1A9@MWHPR11MB1789.namprd11.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: OXaxoMLPbyWNwJKa9VQRSpUaKlgsRIV18oM4AT42F3dYA53Jl1d89xCV7B1+o63I3pMNZGN+aB/yvqXAw5YTQxSwy8eQfYPyk4fn066OL0Rfsq0h2VUKkc+8o7cGhK7BQ6ZHCpN9RRnODBBr1c55M8BLbO0wosMO7gHQcX3+XrHeM0AuvWCZ10Vg7e0M5bc1Y7usHfJmb6uCyDBKWpuocaOtc0X+lZHaLBDcaghSZhAiyqw2Uew1fw85NpFNtTNCWPvcrKWa6gmuzKA29q/vN2ZQl4LbhzHJnw3xUwZ/5e+zOOY94glcrFAhKW+xLgkCJnv9WHgIR4PbYigmver8KF/Hw8NlWf7dysFgCS+TOvc8CCVy1GyOaykRTZLr7Zkhru65o/d5xMd9ST3uZs3RWILsAvICQMDbgFDSMyG9NQkLXUpSu15f9Qv18WoM5oWfwEFuwB6JehN3mmg/WcUNJaJAY/k7IvyYB5YcfHSnpsy1Su2j6oldrWESJEtJw0yNNVuqswi68SWcbFsoH/uLiflj9Luxt1CioByFFwyej20SRVKhk3bXgVuzAf6N6WdcUEKo52jt1P6NOyVxVh02BCT1HWp8wtcwJteTq6CN2gSqnOpo4m2cEEPDcGykD93DTccT6ekKa9D4Lc2P95/vcoxwjCrloAfMO2HuYye3iDUj2ixLloNBW2bbQF8tq3DGjYVdTkMP7TVPTTsB3IaD+g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(366004)(38100700002)(76116006)(66556008)(15650500001)(33656002)(8936002)(122000001)(66946007)(38070700005)(508600001)(316002)(66476007)(71200400001)(83380400001)(64756008)(4326008)(66446008)(186003)(54906003)(55016003)(6506007)(53546011)(26005)(8676002)(7696005)(86362001)(6916009)(52536014)(2906002)(9686003)(5660300002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: RqsK43NuSyUez4jz7UjG7F4OkWefC8Hnm+zZSZ0bga0x8eFGnedruLTEaznmOgbkYoDARAo5bn4/3v1f3zfF/8QWxmR6PPPA2lCHZhmBTnFoWfZ9gJswEsmPjEnS/WSSCgZmJ38n/fBYMYM4790A2D26fDz0/DsnDEt+GARcmG7lQEAQ71A+z/wkbt3eSDlQ/LC3f/aCqA0lvYH8ftwB08bnh6I4Mn+guTzpYVcSpA6ib9u88J+sHpJRWDc+E0eMCAM9j/OYZmnc8ZUJ4GyYqwDjs9NLQbOdx2bpqjbsz6GeSXU5JsqN6Ot1ifxYa3S/+Tc0Z5HBY8rCaaQVgSwb+FsAGSmcALi6eZpV02M+hSqk7mddrJVhabtNTn3589DXRvp58pjz1VrOmTMfKFKezZlEMgxbyZB7wFs5DkLG7Ez4svjhMDVx0vBHCQCN520ZK/KeC+urImPeIGAFiHiHWGiRtxBHlQ73ZGGhPReWpjbgMYXU3PauGy/yQOqxxDaCYx8jDl8CQXGgNP7XbWfNA38AmBaXSbZArVJ379iU5oI3O91OXFB19Xg91EXpk+qgePnkWzk2UBd4pNDo7u1hSWq50DhjLUPwmLzASVmObL36WfDxDjeW8Pkli46TgBkeoHWr1TJJCl/3gVHPfPvpLCw0a94VcxJVdijVTc+R4HDvwtcws+jEssiB5oIXA8z8jUw0vTTt/aRyeu8MmQ+0qSzNMyOlX2Sd3hHN9EJTbK2u34gHDI6Y/Z0rZaMvJCQeYEpqoGpkbkoZQDO7TcwsRrTl7/o4vQ+lH0PzOGqKOw/JjmQWhaSHb0WHwQHELirdvR/kJ0cgNgIDIC8+noIzKvI44KlPLRtxkyRpp7V8Vzgme3rF6LBjG3F6uqk7S2t1LwnUEgDiaRRkkHXxZWijAeG2928yy7xf/A9FNKHOEAbPPXBN87/qPZBfoT+UMkyXZ8fyZF32zLmfa8pSE74sqxI6xyOvbDgslXeH0wRCmyyO+qhyRuIOdDVJ6QQpgW2xqLwlS1c2VhI+nQstARBVtj9BaOAg8ltmTqqPnKrMjkCDZtsJqpO/voSvl6yEUZVzpKYtV1MJuRSr8mcYNMPSY6rRO3Y9+AgQOgio1jaWoSme4v6BP2WzUAz2T38o4ANa6IVQq/F0n7qtLFq78BhhECLNO0Cfq1gKj54ixIzCCMdPkFTP8QyAxL/V6eIExV6M4Rb4XWaIAMX+V5p2ECvJHWb2kYllrJMlFiB2MIP/r+NTDzItOM5+L2ZuZATy3lOqelsaqdzCjtBTKv9+hbELhw8/5WPPIV1GCKXmNkBnW3dSUxaQ6k6pbBfr7kbHEg171q0ikV+sjq4+pfOCUVQJoHp0ZL+vAFhodLfxQvqu84SvKKCUxNAWItQRCnNk0AgfcsyOxWUBquv2el03EpGn0FXu67vJqNhKfotdoDgVgxVX8UNy6V/AKmQhuA1eteQ2bdfbNA7LEPdbt5M9+rifCg==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 541a3114-a98e-4887-dd4e-08da0e63a08b
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Mar 2022 13:30:28.3624 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: b0Kngs/UhsMM72nimN1CIoUAC9YQMfIa2cEpys2wlOMR0zqaUExwwr/uEbHGFhpl07IUQoKoXMVpg1Gt+VVPeHNf24OTJK1GiD8k/TBPFL4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1789
X-Proofpoint-ORIG-GUID: I9W7Utldh4-pEqM3sfOYXr3F4vIq3sp0
X-Proofpoint-GUID: I9W7Utldh4-pEqM3sfOYXr3F4vIq3sp0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.850,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-03-25_04,2022-03-24_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 impostorscore=0 bulkscore=0 mlxlogscore=999 mlxscore=0 priorityscore=1501 lowpriorityscore=0 adultscore=0 phishscore=0 suspectscore=0 clxscore=1011 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203250075
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kr6sDqFsZj2E1oGLJqgfFdsN_L0>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2022 13:30:41 -0000

> So if your scenario envisions concatenating a traditional (RSA/FFDH/ECC) shared secret and a PQ shared secret, one would want to be sure the first component of the concatenation is not variable length.

Another good point!

Thinking out loud: does padding solve the problem?

H(ss_1 || ss_2 || .. || ss_n)

if ss_i are each padded / truncated to, say, the security level of the underlying hash function, does that work?

---
Mike Ounsworth

-----Original Message-----
From: Douglas Stebila <dstebila@gmail.com> 
Sent: March 25, 2022 8:24 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Florence D <Florence.D=40ncsc.gov.uk@dmarc.ietf.org>; LAMPS <spasm@ietf.org>; Nimrod Aviram <nimrod.aviram@gmail.com>
Subject: [EXTERNAL] Re: [lamps] Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
On Mar 25, 2022, at 9:14 AM, Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:
> 
> > assuming that we use the NIST algorithms as they’re defined, the length of the shared secret shouldn't be ambiguous as it will be part of the parameter set for the KEM. 
>  
> Oh that’s good to know! 
> I saw that many (most? all?) of the remaining KEMs use SHAKE as their last internal step, so in theory they are variable-length, but if the NIST specs will fix the output length then that’s probably sufficient.

All of the round 3 KEM finalists and alternate candidates have fixed length shared secrets, even if they happen to be using the extendable output function SHAKE internally while generating the shared secret.

But it's not just the PQ shared secret that would need to be fixed length.  If one is concatenating two shared secrets and then hashing -- H(ss_1 || ss_2) -- the concern arises when ss_1 is variable-length.  So if your scenario envisions concatenating a traditional (RSA/FFDH/ECC) shared secret and a PQ shared secret, one would want to be sure the first component of the concatenation is not variable length.  For TLS 1.3 key exchange, the number of standardized curves is quite small so one can reasonably have confidence the scenario won't arise.  For general certificates with arbitrary algorithms, I can see there being a long tail of peculiar algorithms, some of which might be variable-length, so this scenario might merit some extra care.

> At the TLS WG this week, Douglas Stebila presented on a known issue in the hybrid KEM combiner they’re proposing for TLS (draft-ietf-tls-hybrid-design): it gets into trouble if the attacker gets to play with the lengths of the shared secrets at runtime. Obvious solution: KEM codepoints need to fix the SS length in the spec so that it’s not variable at runtime.


To be clear on the context here, there are additional requirements that have to be satisfied for there to be trouble, not the least of which is the ability to find collisions in the hash function used on concatenated secrets.

Douglas

>  
> The experts in this case are @Nimrod Aviram, and @Douglas Stebila.
>  
> ---
> Mike Ounsworth
>  
> From: Florence D <Florence.D=40ncsc.gov.uk@dmarc.ietf.org> 
> Sent: March 25, 2022 8:09 AM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; 'LAMPS' <spasm@ietf.org>
> Subject: [EXTERNAL] RE: [lamps] Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
>  
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
> > We’re putting together a draft which provides essentially the same combiner for hybrid CMS content encryption (yuck terminology hell. Florence D. please save us and write a terminology draft!).
>  
> Very happy to write something.  I suspect the word hybrid is already so overloaded that agreeing on anything will be much more difficult but I’m happy to get started.
> 
> > At the TLS WG this week, Douglas Stebila presented on a known issue in the hybrid KEM combiner they’re proposing for TLS (draft-ietf-tls-hybrid-design): it gets into trouble if the attacker gets to play with the lengths of the shared secrets at runtime. Obvious solution: KEM codepoints need to fix the SS length in the spec so that it’s not variable at runtime.
> On the shared secret length, assuming that we use the NIST algorithms as they’re defined, the length of the shared secret shouldn't be ambiguous as it will be part of the parameter set for the KEM.  If we’re proposing doing something different then this probably merits some security analysis of its own.   I’ll defer to more experienced protocol designers on whether it’s worth encoding the length in the codepoint if it’s implicit from the scheme, I’m not sure of the precedent.
>  
> Flo
>  
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
> Sent: 25 March 2022 11:17
> To: 'LAMPS' <spasm@ietf.org>
> Subject: [lamps] Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
>  
> The comment I was going to make at the mic:
>  
> At the TLS WG this week, Douglas Stebila presented on a known issue in the hybrid KEM combiner they’re proposing for TLS (draft-ietf-tls-hybrid-design): it gets into trouble if the attacker gets to play with the lengths of the shared secrets at runtime. Obvious solution: KEM codepoints need to fix the SS length in the spec so that it’s not variable at runtime.
>  
> We’re putting together a draft which provides essentially the same combiner for hybrid CMS content encryption (yuck terminology hell. Florence D. please save us and write a terminology draft!).
> For that combiner to avoid the attack, I think we need Sean’s KEM OIDs draft to fix the shared secret length for each KEM that it specifies.
>  
> So for now I think I’m just asking @Sean to throw a Security Consideration into his draft so we don’t forget that it’s important.
>  
> ---
> Mike Ounsworth
> Software Security Architect, Entrust
>  
> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system. This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©

v2.40.4 | Report a Bug | By Email | System Status