Re: [lamps] Hybrid pkix isn't needed

Watson Ladd <watsonbladd@gmail.com> Mon, 30 January 2023 01:17 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B01C2C14F72F for <spasm@ietfa.amsl.com>; Sun, 29 Jan 2023 17:17:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id isCeUo4RxowX for <spasm@ietfa.amsl.com>; Sun, 29 Jan 2023 17:17:13 -0800 (PST)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED23EC14F726 for <spasm@ietf.org>; Sun, 29 Jan 2023 17:17:13 -0800 (PST)
Received: by mail-ot1-x32d.google.com with SMTP id f5-20020a9d5f05000000b00684c0c2eb3fso4134277oti.10 for <spasm@ietf.org>; Sun, 29 Jan 2023 17:17:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=O7eSn6kMoYiiVbbfrzEpc948tPZkmGYpj+w1gzWQHys=; b=nAGbzupL9ANv+Va4Ugq5ai3L4ZwS/jB/Dmgqza1M1NWOzsbwlkUMsBV01pAFrx1oTA 4iIryDxfigZ0mVLFiy9/nT78MjRnp2sLhdF3RAdipppApwYDg4Ut5uWJDRY1sGkpv1j5 FavYPP8Bq22s+se/270kb8lHfwtARZMhcqGgpK51/ooNVGZdJzDHBnovO2wfNGQ11Lhs Law6jF+/luaiXv+clVxVrqxRfFNXhEENnyToprSMbhR+lJEQQhzy7zLfRo90f8EE3RrO A7gNS9xTr1GgfPJ9gc4lezsjcmXnKeOQoXSDy6JPEXtfAumbVqODgIYN40H3DH4hQzxx T5LA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=O7eSn6kMoYiiVbbfrzEpc948tPZkmGYpj+w1gzWQHys=; b=8C4CxKZEh0KwtrMQVpXsUGoJFvtbJZY63i0D7hoqJItgHOroMWdmwk+0Ew5E9gm5eG h/2unt9QbjPpjF2KEaTEcOB8sXFKTp2d9/QOBY1LvM75csX+uCu1xruDn6OJGNIdHjsj fR3rX2wj5cO6lbWCM+Sndxx7vyhc3lowF5zm1ED1XffcAIjJ5/6LxCuJJ9yzPnjpkXzK 7tPTv4F+0fO8jSicyZ58cbpazEIqXxWA7aS0U8ABbCBmddZkHazE8zp4/gPFSFdH1iEN GjGWWYDydaTP5XL0ChDgtGne9KzgTPmqBfLLEq4YqbhEtPEVhttc5qppJyZuzw3Qt1Em RlqA==
X-Gm-Message-State: AFqh2kptJoP5ye87gQUJmnpK4NOXLEOjIn0pktScS0AYkNWKh546Y0b2 H6fB0281MTvZfPyzWQUiagX/hP6XftIU1E5BmRovsUlv
X-Google-Smtp-Source: AMrXdXt6W4w6HYGBMjyyihE+x2sCwi/LRiKulqz+Y2ZIvZfiK0GYMzine3VodVuhRUVmlZ4UgD6XfyZ93VZX9FeSCMU=
X-Received: by 2002:a05:6830:3289:b0:684:9679:acb3 with SMTP id m9-20020a056830328900b006849679acb3mr3046165ott.79.1675041433126; Sun, 29 Jan 2023 17:17:13 -0800 (PST)
MIME-Version: 1.0
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com> <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com>
In-Reply-To: <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 29 Jan 2023 17:17:02 -0800
Message-ID: <CACsn0cn2EpXR0HU5PKtW8vomk_QzsUWHF4ZO9cV3CMu5M5UB7g@mail.gmail.com>
To: Michael Markowitz <markowitz@infoseccorp.com>
Cc: "spasm@ietf.org" <spasm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vQtzo2Su8UDjtDbC5Y5Q05peqKI>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 01:17:14 -0000

On Sun, Jan 29, 2023 at 4:59 PM Michael Markowitz
<markowitz@infoseccorp.com> wrote:
>
> Consider the following scenario:
>
>
>
> During enrollment a user obtains a signing cert A. They use A to reauthenticate to their CA and obtain an RSA cert (R1), and then a Kyber cert (K1). Sometime later the same user leverages A to obtain another RSA cert (R2) and another Kyber cert (K2), say with different attributes, from the same CA. Maybe many more RSA and Kyber certs are issued to that user.
>
>
>
> Now imagine that -- according to a security policy specified by the CA -- the pair [R1,K1] must be used for certain purposes  in some protocol P involving a hybrid KDF, while R2, K2, etc. are only to be used for other purposes (maybe separately).

Why would we want to do this? My contention is that we don't actually
want to do this: the right approach to hybrids is to make a RK-cert
containing both an RSA key and Kyber key. In part that's to avoid the
issue when the extension doesn't work and analysis of protocols
doesn't include it (although they likely will be robust to it).

>
>
>
> What's the easiest way to ensure that a relying application when presented with R1, finds K1 rather than K2 as the other input into P? Sure this could be done in proprietary ways, but an innocuous (non-critical) extension linking the paired keys has a certain elegance. Also note that the user, to participate in P's hybrid KDF, doesn't need to do anything different from what they're already doing classically: they simply present the appropriate RSA cert, R1. It's only the relying (server?) app that must be modified to find K1 and carry out P. Kinda' useful in an enterprise environment in which end-entity certs are easy to update, but existing PKI clients are hard (i.e., expensive) to update -- or to even find!

I'm a little confused by the terminology here so I'm not sure I
understand this scenario well enough to respond.
>
>
>
> To your points: a non-critical extension is "optional" -- no one will be forced to do anything with it. And I have trouble imagining another "transition model" that helps a relying server app find K1 rather than K2 without: new info provided by the client, a proprietary repository hack that links paired certs, or worse yet (heaven forbid!), abominable hybrid certs.

How is it that ECDSA certs got rolled out without such a mechanism?
The answer of course is that relying parties signaled their
capabilities and the applications sending end entity certs sent the
chain that used the preferred algorithm. Maybe I'm missing some real
constraint here, but that seems like the right way forward to me.

>
>
>
> -mjm
>
>
>
>
>
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Watson Ladd
> Sent: Sunday, January 29, 2023 3:43 PM
> To: spasm@ietf.org
> Subject: [lamps] Hybrid pkix isn't needed
>
>
>
> Dear all,
>
>
>
> I don't think linking certs or special provisions for hybrid encryption or authentication are a good idea.  A hybrid encryption scheme should be an encryption scheme with a public and private key, just like any other key you can put in the PKIX.
>
>
>
> If for backwards compatibility you want to have multiple kinds of keys just like we do with RSA and ECDSA keys in TLS, just do that! Don't add complexities to try to link them or force people to find both keys at once for an operation. We know that the transition model with multiple unrelated certs works, and we have experience and fixed bugs that resulted. Let's use that instead of have new bugs to fix.
>
>
>
> The other thing is hybrid auth is worthless. Authentication breaks are not retroactive: a break of an algorithm at a time in the future doesn't threaten the security properties of authentication in the past. That's different from encryption, where you do potentially want to ensure a new post-quantum algorithm is no worse than a classical one, but the case for it is fairly weak.
>
>
>
> Sincerely,
>
> Watson Ladd



-- 
Astra mortemque praestare gradatim