[lamps] Hybrid-for-the-sake-of-security, and Composite vs Non-Composite
Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 09 November 2021 21:39 UTC
Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB793A1172 for <spasm@ietfa.amsl.com>; Tue, 9 Nov 2021 13:39:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ldu01ceF4Cu for <spasm@ietfa.amsl.com>; Tue, 9 Nov 2021 13:39:06 -0800 (PST)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFDEE3A10A7 for <spasm@ietf.org>; Tue, 9 Nov 2021 13:39:05 -0800 (PST)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 1A9If5Fq021105 for <spasm@ietf.org>; Tue, 9 Nov 2021 15:39:03 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : subject : date : message-id : content-type : mime-version; s=mail1; bh=Tto4nOVNTqRcnSb8BmIQAgDvsw3axjFAWprlTGdyqlM=; b=m3z87uaMYIOpksA0b1RSFwKRlnJP4ZwXvpDXTflS7xpfsJCUz3tEtMjgsdnLgUvIX/2M RC9p40h0RFIZAz+nJ+9TxI+RLHHoxbfOJFFxEk3/GoWr6PUDB/Y6tCw6ygKJjQCw7GYl sumSVpgTf1ajJhxniDEZCVmybT30cKwJBOr+eDsay2ApyC+HM96TNuUQHKk9+A5czCwH n4ge3xKKo6rUh7grTGSEPOdgU7k6g9Uz7/Uv/5Lsidpcmu/vPsY5bS9Xge+uXXjh41P8 LTQK3qzu6Z3n7r3FJ+4R7oLS/75RgQkAPBjy//yI3SY9SF6Jif3jc0/mNJGspe9hJBB1 GQ==
Received: from nam04-bn8-obe.outbound.protection.outlook.com (mail-bn8nam08lp2048.outbound.protection.outlook.com [104.47.74.48]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3c7xfpgec7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <spasm@ietf.org>; Tue, 09 Nov 2021 15:39:02 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=m46gtis80XV2k83T37H6D8dO3kq+QHBLlkUC8uv+RH1c+hX0bWn7e8ajRgi3frw4omOslKhTIQ3soT236yU9tnFP77W4IiYprBBKd/Gb2Ob+Qc+oADkYcXLOfzu7gU0J9f5wNu26eaS47D/F2iL9jCKpSMCDUAfGKYMu/Z9W82EZ/KdhxrT3MpPY2EfdR8IjqY/AwiAmigFjh5OuxikQri+SkrdLh/8SkmtFLR/YTfjFYrnhb3S4tdNhZiPgp2WzZVbo6GTBSoTATbSSZE7zxRoscc2Lwxq/jTnwHhlayliNL+hNySpjAPi7cF1ZnvcLheAh+UJASIzNwbKxo2Qxyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Tto4nOVNTqRcnSb8BmIQAgDvsw3axjFAWprlTGdyqlM=; b=WaLUbH3fWyw/6mkNVlnJ9N5/OYVX8rfzITner5qPDCfw4zKwhH2sRFMHJCWL96xS1bzdoPRlLczwL8rgkuGp9WBE8eDzk03RzOddAYnpLsk1wgfPfNfci77k4GCVeoPwuidwmKxYrhtRXpXGvF/aw+Vx/o9uNSw1M8KYkpkoB615a3sN+dhJH49TD8pwlIRUFSqIn29lLjpdY83WN2y0u5FZBnLeDq8OBxYahARQm0MI7VRwNppTCWAJrPjRX40sThm6hAiSkb8SzFl/HKxULVKDZQ5L41jXZOCObrDvAh2fRIH8yLwxpH9KmeI25XAhkCGWS1aDFpLpFRzDqHvhxg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by CH2PR11MB4199.namprd11.prod.outlook.com (2603:10b6:610:39::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4690.15; Tue, 9 Nov 2021 21:38:59 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::bcf2:571f:eb41:1737]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::bcf2:571f:eb41:1737%2]) with mapi id 15.20.4690.015; Tue, 9 Nov 2021 21:38:59 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: LAMPS WG <spasm@ietf.org>
Thread-Topic: Hybrid-for-the-sake-of-security, and Composite vs Non-Composite
Thread-Index: AdfVsjPJvhmRyNYwSd+PO+jOYyc/rA==
Date: Tue, 09 Nov 2021 21:38:59 +0000
Message-ID: <CH0PR11MB5739E8891ABAE189998D03859F929@CH0PR11MB5739.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7da68a78-e3b6-40e7-b1dd-08d9a3c95745
x-ms-traffictypediagnostic: CH2PR11MB4199:
x-microsoft-antispam-prvs: <CH2PR11MB419982A27278F73C4C45A53F9F929@CH2PR11MB4199.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: tVaDgpcKzDyFkTMR5YWtTbuMWdVcz2Wa0ihjDjld66+O7iX344XxTbw4NbCYOJBDPIXpup33L0kz1jpvKtPNCepLY17bIYo3GzlTIa8Z+U1mvxuWcUswdqPXO86oRBb06AA5VH4E9vzJEaNeLdKTDC8hYo3K9gyMcgW6dgKVlhS63dm3cTM7oBP6toNFx2YOgo7Uswwk+eTynt2bnOdK23whZZ4GY73TDcj+bEa5rRyvy2rHgdmycJg7xNjVGGx7he3JXpC47k6r0A1T4HnpFY+RTjlf5QBtkfoPtqlmSLe13l7ASAWZVhnaaCcQWm65Z1p5v3mjn4n/2ZdAIt4qur3BWFsEi553cVHJkuWP1PL8TFaSOIft6hN/8U10tp4Ax4Mzj02YdyGlnOS50BTx9h/9aba9nX6RbiV7K5B3FVttTdHYc96prPHzjKUpdsE0jMVlDEzMTb8KImRZ5gfr9QqE8ScQ4oLeXjlvuEuGRcacWg1n+Bumlmj3AvjorD/3gUaqr81D6TPdQ9Y87+rNN4tgl/VXVIJrRcF3wsPrwJW92M8G3Z8m0BlUUCXJP2hDHhxaW0X0TBRdDW3hmFUmVIZkvd1RU0KUXzlqDNvHGY7BpC4ZKRcq/dSvft/S0M932Qry0siL5uhjYZebWBEsWTSACZS+5aDpzBkIddygYPavTLTfRHSboDOJySSJhtUJyWc5nYAzUmgs/wVnAYnJVtTYtdSczPOIyvZ1OY1uIamyl/zJ5e7z3x/eYp32F4gccXbvovavla6JazaA59hcwkWlEhCY+9R/gICo9sKKbJWuE8healHiPJmuNUpqElQcniV0BWnDulrqwIi+6lyJtg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(166002)(86362001)(38070700005)(76116006)(64756008)(66446008)(508600001)(186003)(5660300002)(33656002)(316002)(45080400002)(71200400001)(83380400001)(7696005)(66574015)(52536014)(6506007)(26005)(6916009)(15650500001)(122000001)(8936002)(8676002)(38100700002)(66556008)(9686003)(55016002)(66476007)(66946007)(2906002)(73130200006); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: nh8kFMYHSlYXnyId1ZGFw07Oth5ba6t5hVvXMWo1FnGHmAegaRWJP27476yatpyNXx72bdgbZ/Ml3xbW97r9iMofbQCrlglgN0bvgalf9fK3Yo4JqW4ilY2w/7udTQs1BGl/xioTx7fSYKGmfAbwEPpx2s20ptwTd4ig8tQGZiDwZeAxauqabTspsCOchZHj3QmXM3x0JH61JoxHajEbwX2kuJMun/zKePQtTgT1aOmbIiXQcHDjkOcg2KoL+q1zEXizlVm6hJRkdSRP0UeJm0U5IVfVSxnVUF+xheLmgPxpaKwJjr6zwmRvNMVMpMzHa5FcV8aQ0ChBF06lQ3LvoHmiP20JMfc4+Q72A0eKmsYdu2/UrK2V5keIUTG8yAkG6bZRNGg1NTbE6+4kgbVXNG9O2o/HD/tspnYwa2nUqcbselovzlUUTx6vk2tjbGUkNz+1nKB+0CR6tZIJCZ6l+tdDFldYhvgKb0ZHNqWJPc9gj6ZNPX1YoZ8RELVTgjEguRY+a5L7+Tz1lECuWjUDMSH/BwsXMuG1Nf6aTPo/vfktGSMJi1C1yllgp0ytJCPUuvgFbnxzuFmvseCnSOOeifUXpyGz980inbLU2FNYGVtJuC6NBEs9VVvgC8FUYXy/Dcvz6txWwvvzzNEgPgCHsKFiIJ+H/xaeRYmYgdwj9cLLM4LorzwtUm4sc3iLxPTzlQJAF1GP9roqHJszW+pvV8tGnhCOP7HWJ5LUYXLS+pFFfKaIgDWK6GG14iwcdqdLO/VVL285xARveRHafTOdrMZPhyUHP6FU71v0Wehu3buWVjGtm2fdyf+3pskZBHL5MEodNabk2aix04PVvXcmzUM9BtHTzkSKL8JcHdr+5R3bxZ7iR3EmxG26z7N5Im2Bg+F/2/TbbVVeens384v2M7wlS9Gi8XW7qrauKp3f7GB+yqnNXgJA9ultPMR/nqdvLIvF+kekdUwvPuRZp9z0rI70BzRjHrgi1VPZfT9AFrpdTWVNN8oEBj/3JlDy1WCn0JZ7i1yvnow/zvrL7RwpDQQRpwUtNdXAxLFJPdvkimuF+vy7OCLhlk7ZsoTuxQKGrHtOHz6IIQu7FWG6xRFagduBnDYBdAhlPeY0ihR6eFExdFwtByVt7sxpFYgeCfOS+bEIh915FDpJ3iPy7YWr6+/yeReh1TLJpNO/RDuut3M0Pc17oXD85hepj+CINUrTO/pqzxw40sQNfV2PeOV4zXOgUMmocX9QGT6CNLefakTe9aI7XT8PVKo3H0GIy4J0AQRffc57DkdduGUaq3hriuKkWUROlzNvMZEkcr9hyjnXY+MuDh/RqwuMh3PXzwO0d8QIMh51AUne//LdGjVDIwA3GB6ujrDmvvZ8T1Idy9DWiLEhewG4sGo3dtiSnDwfz82+Zt2zsPqpTbb+JaojeL8Igb84/m+6S2x5aeddaNyynr3mcIvjpXYi8ir4/XMnZTBSLuzK3IIq9KjXe0zJhNeMFADypu16MyFJfR516wUjjecnFZmameD9Grl/oMkkxvB58mPaX72DYz/rUHD8VnHeAGq/EDBCtAQ3XTUOa6LUc11BgOkCtl/L4USR2NIGQ23MGi/xltROzbuauvizMgEfie+xHWtz0NsS8SqrpUUfhuOtmKU8JW91HhvlURKSMy1Oe7j8rZQwoMhCkZFQ2g==
Content-Type: multipart/alternative; boundary="_000_CH0PR11MB5739E8891ABAE189998D03859F929CH0PR11MB5739namp_"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7da68a78-e3b6-40e7-b1dd-08d9a3c95745
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Nov 2021 21:38:59.6420 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: A7Yxe2Z9KCdr1I5rWhl8d+nrFFeYVLhlNNnChXpqDtCTVNWWMXNPU2Qn2t/SHrDEhxYEp2EoL3xx1vnEQHfEiPQWxOG629q3iDybme4KI0E=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR11MB4199
X-Proofpoint-GUID: 4bazBrVwd-3Zkj_K1136zKzAQccWkfu3
X-Proofpoint-ORIG-GUID: 4bazBrVwd-3Zkj_K1136zKzAQccWkfu3
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-11-09_07,2021-11-08_02,2020-04-07_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 clxscore=1015 phishscore=0 adultscore=0 spamscore=0 mlxscore=0 malwarescore=0 priorityscore=1501 impostorscore=0 mlxlogscore=902 bulkscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111090118
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vHTX_e8y-Bs11Ok8-GTjHvnBrlY>
Subject: [lamps] Hybrid-for-the-sake-of-security, and Composite vs Non-Composite
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 21:39:11 -0000
Thanks Dr. Alison Becker (Ali?) for the presentation on your framework. It's great to have some independent analysis here to guide the design discussions! Point #1: Risk model: First, I'm struggling to understand the risk model that underpins your second slide, which gives the conclusion that hybrid is not for security; only for backwards compatibility. Could you please expand on how you reached that conclusion? I'll explain how we got to the conclusion that Hybrid-for-the-sake-of-security is highly desirable. I understand that by the end of the NIST "competition", theoretical confidence in the winning algorithms will be high. Theoretically, in a perfect world well vetted algorithms won't contain any overlooked weaknesses, and standards bodies will produce precise specifications that everyone will implement perfectly. In the real world there were 18,000 CVEs filed in 2020 because somebody overlooked something in an implementation. Once there are FIPS specs for the PQ algorithms, how many open and closed source implementations will we be written? How many of those will have buffer overflows or timing-invariance issues or other bugs that can lead to key leakage, plaintext leakage, signature forgery, etc? How many XMSS or LMS implementations will have race-conditions or poorly thought-out backup and restore procedures that lead to private state re-use in some bizarre corner-case? How long until we stop seeing new CVEs in both PQ crypto implementations and applications that (mis)use them? If Bleichenbacher's oracle attack against RSA PKCS#1 v1.5 padding can provide a historical example, that was published in 1998, and 19 years later, a new research effort (https://robotattack.org) found a pile of implementations that were still vulnerable because implementors (and many of the big-name ones) didn't follow the spec perfectly. I guess I'm arguing that Hybrid-for-the-sake-of-security would increase the chances of closed- and open-source PQ implementations getting the maturing time the time they need without a devastating breach in the meantime. Expect bugs, design in some defense-in-depth to give us time to patch the bugs that come up. I think dual signatures and hybrid encryption is the optimal place to build in that resiliency. And yes, I would propose applying this equally across PQ algorithms; just because we like hash functions doesn't mean that SPHINCS+ is immune from implementation error, and strong hybrid modes would also mitigate the consequences of bungling the state-management of your XMSS private key; yes if you produced two signatures with the same state then you would still need to revoke it for key compromise, but with a layer of EC, you would have days - weeks to safely notice and take action as opposed to hours. I also understand that backwards compatibility, ease-of-migration, ease-of-adoption, etc are in fact security goals themselves (fewer reasons to stay on the old broken stuff), so in a conflict between migratibility and cryptographic strength, migratibility wins. But I don't believe there is a conflict here; I don't believe it's Composite VS Multi-Cert; I believe the two play harmoniously together, which brings me to the next point. Point #2: Are composite and multi-cert competing or complementary in TLS and IKE? I would like to clarify what I (speaking for myself, not necessarily my co-authors) see as the posture for composite public keys, signatures, and content encryption: The point is well-taken that negotiated protocols want full flexibility to negotiate and don't want to send large PQ keys to legacy clients who won't use them. Really though, nobody is proposing doing that (at least not since draft-truskovsky-lamps-pq-hybrid-x509, which was abandoned in 2018). I think we're all imagining a similar thing where TLS servers are provisioned with multiple certs, for example an RSA cert chain + a PQ cert chain; runtime negotiation gets to choose to use one or the other or both. The question is whether the PQ cert chain should itself be composite, ie PQ := {EC, PQ} to protect against the cryptologic and implementation risks that I outline above until we have confidence in both the algorithms and their implementations. So in my mind composite and multi-cert are complementary: do multi-cert for backwards compatibility, and bury an Ed25519 inside your PQ cert for good measure. Given the size and CPU of most PQ algs, you won't even notice it's there. Point #3: Offline protocols As mentioned in the LAMPS meeting, I would love to see your analysis extended to cover offline protocols (aka non-negotiated, or what I think Russ called "Sign-and-store" or "encrypt-and-store"). I propose that good subjects for this analysis are: the Microsoft X.509-based code-signing infrastructure, document (PDF) signing infrastructures, and S/MIME infrastructures. For this section I'm going to assume a risk model that a code-signed binary or a signed/encrypted document has a security shelf-life of 30 years, during which time we can expect RSA to fall to quantum computers, or the particular PQ alg used to have a bug found in it, or both (though the "both" case is a bit hopeless unless you want to go to hybrid models with more than 2 algs). Research / design questions for offline use-cases: In the signing case, how does a recipient know that there should be two signatures when it only sees one? (aka stripping attacks, assuming one alg is vulnerable to forgery attacks due to the above risks). With PQ hybrid content-encryption (I hate that PQ has overloaded this term.. maybe "multi-key encryption" would be better?), the big risk I see is that it is not the key-holder who gets to decide security, but the sender. Ex.: it is not responsible-disclosure@megacorp.com<mailto:responsible-disclosure@megacorp.com> that gets to choose how its encryption public keys are used, but rather the mail client that whitehat.dude@gmail.com<mailto:whitehat.dude@gmail.com> used to encrypt the super-secret email. In fact, the recipient doesn't even know that somebody is using their keys until the encrypted content has already crossed the internet. If we're proposing a multi-cert model here, then how does the sender know that the recipient actually has two certificates that are expected be used together? You could imagine cross-linking certs (or CAs) with some kind of extension, but A) nobody, as of yet, has proposed a spec for that, and B) that would count as new cert verification logic, which I think goes against your "Non-Composite PRO: Computational processes remain unchanged (but perhaps multiple iterations)". I would love to see your analysis framework extended to cover these sorts of long shelf-life non-negotiated protocols because these are the ones that I feel benefit the most from composite certs. --- Mike Ounsworth Software Security Architect, Entrust Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
- [lamps] Hybrid-for-the-sake-of-security, and Comp… Mike Ounsworth
- Re: [lamps] Hybrid-for-the-sake-of-security, and … aebecke@uwe.nsa.gov