Re: [lamps] Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 25 March 2022 13:14 UTC
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Florence D <Florence.D=40ncsc.gov.uk@dmarc.ietf.org>, 'LAMPS' <spasm@ietf.org>, Nimrod Aviram <nimrod.aviram@gmail.com>, Douglas Stebila <dstebila@uwaterloo.ca>
Date: Fri, 25 Mar 2022 13:14:09 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/y_Nsu92QWALqtr0oR4FJgFfQrPo>
> assuming that we use the NIST algorithms as they're defined, the length of the shared secret shouldn't be ambiguous as it will be part of the parameter set for the KEM.

Oh that's good to know! I saw that many (most? all?) of the remaining KEMs use SHAKE as their last internal step, so in theory they are variable-length, but if the NIST specs will fix the output length then that's probably sufficient.

The experts in this case are @Nimrod Aviram <nimrod.aviram@gmail.com> and @Douglas Stebila <dstebila@uwaterloo.ca>.

---
Mike Ounsworth

From: Florence D <Florence.D=40ncsc.gov.uk@dmarc.ietf.org>
Sent: March 25, 2022 8:09 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; 'LAMPS' <spasm@ietf.org>
Subject: [EXTERNAL] RE: [lamps] Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

> We're putting together a draft which provides essentially the same combiner for hybrid CMS content encryption (yuck terminology hell. Florence D. please save us and write a terminology draft!).

Very happy to write something. I suspect the word hybrid is already so overloaded that agreeing on anything will be much more difficult, but I'm happy to get started.

> At the TLS WG this week, Douglas Stebila presented on a known issue in the hybrid KEM combiner they're proposing for TLS (draft-ietf-tls-hybrid-design): it gets into trouble if the attacker gets to play with the lengths of the shared secrets at runtime. Obvious solution: KEM codepoints need to fix the SS length in the spec so that it's not variable at runtime.

On the shared secret length, assuming that we use the NIST algorithms as they're defined, the length of the shared secret shouldn't be ambiguous as it will be part of the parameter set for the KEM.

If we're proposing doing something different then this probably merits some security analysis of its own. I'll defer to more experienced protocol designers on whether it's worth encoding the length in the codepoint if it's implicit from the scheme; I'm not sure of the precedent.

Flo

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: 25 March 2022 11:17
To: 'LAMPS' <spasm@ietf.org>
Subject: [lamps] Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

The comment I was going to make at the mic:

At the TLS WG this week, Douglas Stebila presented on a known issue in the hybrid KEM combiner they're proposing for TLS (draft-ietf-tls-hybrid-design): it gets into trouble if the attacker gets to play with the lengths of the shared secrets at runtime. Obvious solution: KEM codepoints need to fix the SS length in the spec so that it's not variable at runtime.

We're putting together a draft which provides essentially the same combiner for hybrid CMS content encryption (yuck terminology hell. Florence D. please save us and write a terminology draft!). For that combiner to avoid the attack, I think we need Sean's KEM OIDs draft to fix the shared secret length for each KEM that it specifies.

So for now I think I'm just asking @Sean to throw a Security Consideration into his draft so we don't forget that it's important.

---
Mike Ounsworth
Software Security Architect, Entrust
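The concatenation ambiguity behind the combiner issue discussed in this thread, shown as an added illustration that is not code from the thread, from draft-ietf-tls-hybrid-design or from any NIST specification: with plain concatenation into a KDF, two different pairs of shared secrets whose lengths shift the boundary hash to the same value; fixing each KEM's shared-secret length (the thread's proposal) closes that, and a length-prefixed encoding (an assumed alternative, added here only for comparison) also makes the input injective. SHA-256 stands in for the real KDF and the byte strings are constructed samples.

```python
import hashlib
from typing import Sequence

# Constructed sample: two different pairs of "shared secrets" whose plain
# concatenation is byte-for-byte identical (only the boundary moves).
PAIR_A = (bytes.fromhex("010203"), bytes.fromhex("04050607"))
PAIR_B = (bytes.fromhex("01020304"), bytes.fromhex("050607"))


def naive_combiner(secrets: Sequence[bytes]) -> bytes:
    """Ambiguous form: concatenate the shared secrets and feed them to the KDF.
    Inputs with the same concatenation give the same output."""
    return hashlib.sha256(b"".join(secrets)).digest()


def fixed_length_combiner(secrets: Sequence[bytes], lengths: Sequence[int]) -> bytes:
    """The thread's fix: each KEM codepoint fixes its shared-secret length, so the
    combiner refuses any secret of a different length before it reaches the KDF."""
    if len(secrets) != len(lengths):
        raise ValueError("one fixed length per shared secret")
    for ss, n in zip(secrets, lengths):
        if len(ss) != n:
            raise ValueError(f"shared secret length {len(ss)} != fixed length {n}")
    return hashlib.sha256(b"".join(secrets)).digest()


def length_prefixed_combiner(secrets: Sequence[bytes]) -> bytes:
    """Assumed alternative (not from the thread): prefix each secret with its
    2-byte big-endian length so the encoding is injective regardless of length."""
    encoded = b"".join(len(ss).to_bytes(2, "big") + ss for ss in secrets)
    return hashlib.sha256(encoded).digest()


def naive_collides() -> bool:
    """True: the two different pairs produce the same naive combiner output."""
    return naive_combiner(PAIR_A) == naive_combiner(PAIR_B)


def prefixed_collides() -> bool:
    """False: length prefixes keep the two pairs apart."""
    return length_prefixed_combiner(PAIR_A) == length_prefixed_combiner(PAIR_B)


def fixed_length_rejects_pair_b() -> bool:
    """With the lengths fixed to (3, 4), the shifted pair (4, 3) is refused."""
    try:
        fixed_length_combiner(PAIR_B, (3, 4))
    except ValueError:
        return True
    return False
```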