IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Sun, 27 March 2022 18:00 UTC

Return-Path: <prvs=1085cfe40f=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FB033A0DE5 for <spasm@ietfa.amsl.com>; Sun, 27 Mar 2022 11:00:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d_tvToVS6YIm for <spasm@ietfa.amsl.com>; Sun, 27 Mar 2022 11:00:21 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 442F63A0DE1 for <spasm@ietf.org>; Sun, 27 Mar 2022 11:00:20 -0700 (PDT)
Received: from LLEX2019-2.mitll.ad.local (llex2019-2.llan.ll.mit.edu [172.25.4.124]) by MX2.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 22RI0FV3271423 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Sun, 27 Mar 2022 14:00:15 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=Lai2DEE4CcGSC/1nlLppXqmd5QH/I/PpghvJrevrC7md+ME7dhVxx3pd2Z+JDMTGVvwJfgUqo9GeD12a98oidyZ0GSKh+7glrzFagiEgf8r6H9wWQA3k1bwAs6D/UVdaLcd9msFjA/gv3EHiG1Hi53geRVOq/OoBtRCN3O9TwfbgnRV6Lubcg6y1XhJZVF+utzB5kM6D7RlKrxfKpsNo9Y2O2IvbzZXrJZViDw86mO1FCLvo03Ui6hK9gHdLmaCg7kdqhZrUeT2+B3TuSeMKmsjYRx2FPHQeVz/s2lkzezcx4hrMVdPlEZJV08oj3QiU+tkjVNxEBk31lMws2PZa9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6QTTD98eEMKzbo2WHl1EoY9snXwtmvQhROJrwWM/0FA=; b=HWMjuiyWid7/9WfZt3+aMQ06D4TB4PBfVzhUYOcRb29LVMTOacc8aGC3HHCDsWZZ+qdiyVyEcSX0qGkuo0tws1TDiU859CoPbuBoi/7XM3ra7pFcFC00hVXWrzEri/0RQdhUjqy+iSEM70AkgGMBoeAtGIfmX7zuk2rhLxNG6j2me7OwC0XLIs4PnZJRE55/7sXIPsot13OVQjMo8bNwtM6AV8eyULZbyMRJK9A3zqzyCw/5dAf4urayA4fpUsWiSO7BGf0cYWuwXYJeE9W3kBvxdV63Gv04bXI8jfQ9hMylTUYQ6FZQQ7IthCj++R8NId+WgrHyHCvWtFcluqQlHA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Douglas Stebila <dstebila@gmail.com>
CC: LAMPS <spasm@ietf.org>, Ilari Liusvaara <ilariliusvaara@welho.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
Thread-Topic: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
Thread-Index: AQHYQEyo8K0tmEpyyE6bsCxeF/uu0qzQHcQA///KyQCAAGLlAP//9lMAgAB5qQCAAsz5gA==
Date: Sun, 27 Mar 2022 18:00:11 +0000
Message-ID: <5338244B-B1AC-4735-9F4A-B643663499E8@ll.mit.edu>
References: <64D97E59-8FC3-40B5-A07B-AA927AF2C671@gmail.com>
In-Reply-To: <64D97E59-8FC3-40B5-A07B-AA927AF2C671@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 602d40fa-f890-4915-bda0-08da101ba36b
x-ms-traffictypediagnostic: BN0P110MB1179:EE_
x-microsoft-antispam-prvs: <BN0P110MB11795AC6295D9380F0446F65901C9@BN0P110MB1179.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: H6HhC2WvzYy3rLWPhu3+lBejTuW6i63SYskc/wIvFgCqFtBWlChgRJheUSWNRWvQCKLhsHw1SZmG9cWu6UFW2l3otvV1GM7wHYaBlsF3+7fE6Ks12xeeCCJeTfA3b9L6271urIvNz8O61YHebNcypSrjFr9Njqr3inwUPU83bbOPVoPbOUzfubbJFcNRP/bOtB7M6M/CEqCBte7u/xlKn5CCZocBh3QySxCQT4e0nARcxFcFyhzbI3qcRkV8yxuA99mIek1J233jXuegBnpJcjRQfCcE4GJ6oUfz3HLNvAsdIk8o1uWQeWmbUDBnNB9R129bpgkNjmZGrFNQVp/Row+Czc0M4zUAVSLC6LGZdKMaVxp4hrBtCNyJGVqpzPYIZ4+cu1cttWmIIULbhzkbcsTq884A/J5jMPpGntCM2awTf5Qz8zvLdj/EskO3JoarJbBtQv8f8S9Hdlp+kodl1ul4Ac/BmMLPfKKZwD/gNz7hn2rjGRnKlqkOliO69tqcsFpRZKV+vVvvfZHG5ydOfmoGrrNBKeWsY+IWIYv3+1l4IkJHlm61RjMtKnK04dGiCRSeWOOdOgkTIEcQ2a3AHk4vTxu81s/+HnNsxNdsGDEmNhXhToHPx3y/U8+GQeh/aoUTykHc3PJ1oH5r0d5yBccjmARNz9wFWteClO3HPOTQsYR5iKqjo4IFoC+jintPNS1NNNlrREXrLEgJRorltiSDxoq+tfg1x38jVNMBHj8=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(186003)(6486002)(6916009)(966005)(316002)(53546011)(6506007)(33656002)(75432002)(2616005)(6512007)(508600001)(54906003)(15650500001)(83380400001)(38070700005)(8936002)(2906002)(71200400001)(99936003)(66556008)(5660300002)(8676002)(66946007)(86362001)(4326008)(64756008)(66446008)(66476007)(122000001)(76116006)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: vODdhJZ3XzKDCIQe2yner9CGutuANXuZ6c7WDnxoJCbWNb9WLW48xxrPAqKw1WdpSbC7zm6hT2ciJKhhrY4uA0hdgMInSKl4bli/eoJOj91ettrxaUO5YUKS9qz2LnH+60nQeK+S1pVqsMpSKgHuptauA9izXSrCft/7/8erpm6Bh1dZ4Z8kHhZ0FugG2t7hlfjhXclqax/oOtnKWhAprFtYgQZNF3Q31BoRV1UT2AHQPn7gHPmqysMw0fuJICKTTp+I9gi27DOLYXzhF/kkFrg7zmGbmQepMpJnEm3rljeVBe9qpC3mkma9sxLZyTFL
Content-Type: multipart/signed; boundary="Apple-Mail-6B6626E0-273C-4733-A95E-0F7A682075D9"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 602d40fa-f890-4915-bda0-08da101ba36b
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2022 18:00:11.7317 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1179
X-Proofpoint-ORIG-GUID: cpugbmaCBIAsOpR6MQom2n_F89y9CWYi
X-Proofpoint-GUID: cpugbmaCBIAsOpR6MQom2n_F89y9CWYi
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.850 definitions=2022-03-27_07:2022-03-24, 2022-03-27 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 mlxlogscore=999 adultscore=0 phishscore=0 bulkscore=0 suspectscore=0 spamscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203270112
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/zQap4GNJXotRWLkmXzis4EpIbmU>
Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Mar 2022 18:00:26 -0000

On Mar 25, 2022, at 19:14, Douglas Stebila <dstebila@gmail.com> wrote:
> 
> Length prefixing a variable length shared secret will not avoid this type of attack.

Would you mind clarifying - what attack/type-of-attack you mean?

>  It doesn't arise from ambiguity about how long something is (which is what length prefixing resolves), it arises from being able to control where certain parts of the string land with respect to a hash function block boundary.

Now you know where your 32-byte part of the string lands. Variable length would allow moving where your part of the string lands, somewhat. Still, so what? I don’t see a viable attack (assuming a decent hash function).

Thanks


>> On Mar 25, 2022, at 3:58 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
>> 
>> What I had in mind was something like (described loosely 😉)
>> 
>> SS_i ::= <len_in_bytes> || <ss_i>
>> 
>> Len_in_bytes ::= INTEGER (1..65536) – field taking 4 bytes
>> ss_i ::= symmetric shared secret obtained from the given KEM
>> 
>> SS_final = H(SS_1 || SS_2 || . . . || SS_n)
>> 
>> Sorry for sloppy handwaving, but I’m sure you understand what I mean.
>> 
>> TNX
>> --
>> V/R,
>> Uri
>> 
>> There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
>> The other is to make it so complex there are no obvious deficiencies.
>>                                                                                                                                     -  C. A. R. Hoare
>> 
>> 
>> From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
>> Date: Friday, March 25, 2022 at 12:34
>> To: Uri Blumenthal <uri@ll.mit.edu>, Ilari Liusvaara <ilariliusvaara@welho.com>, LAMPS <spasm@ietf.org>
>> Subject: RE: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
>> 
>> Thanks Uri.
>> 
>> Can you provide the concrete construction you have in mind when you say “include the length field in the hash”? I will add a note to our composite kem combiner draft, but I do not want to mis-interpret your suggestion.
>> 
>> ---
>> Mike Ounsworth
>> Software Security Architect, Entrust
>> 
>> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL
>> Sent: March 25, 2022 9:39 AM
>> To: Ilari Liusvaara <ilariliusvaara@welho.com>; LAMPS <spasm@ietf.org>
>> Subject: Re: [lamps] [EXTERNAL] Re: Security Consideration for draft-turner-lamps-nist-pqc-kem-certificates
>> 
>> In general, I agree with the points Ilari made. However…
>> 
>> ·         I think it’s good to allow SS of variable length;
>> ·         When you allow variable length, you must include the length field into the hash;
>> ·         I don't think padding is necessary in this case;
>> ·         We should be careful regarding “max possible SS length”: while I don’t expect to ever see SS of, e.g., 56MB - I doubt it would stay at 32 or 48 bytes forever. I definitely don’t want to see “max possible SS len = 32”.
>> 
>> What’s the purpose of padding, if you included the length?
>> 
>> Re. RACOON attack – besides being pretty darn difficult to launch, it’s rather limited in applicability, IMHO – to the point I don’t really care. Besides, offhand, it isn’t applicable to NIST KEMs.
>> 
>> Thanks
>> -- 
>> V/R,
>> Uri
>> 
>> 
>> On 3/25/22, 09:50, "Spasm on behalf of Ilari Liusvaara" <spasm-bounces@ietf.org on behalf of ilariliusvaara@welho.com> wrote:
>> 
>>    On Fri, Mar 25, 2022 at 01:30:28PM +0000, Mike Ounsworth wrote:
>>>> So if your scenario envisions concatenating a traditional
>>> (RSA/FFDH/ECC) shared secret and a PQ shared secret, one would want
>>> to be sure the first component of the concatenation is not variable
>>> length.
>>> 
>>> Another good point!
>>> 
>>> Thinking out loud: does padding solve the problem?
>>> 
>>> H(ss_1 || ss_2 || .. || ss_n)
>>> 
>>> if ss_i are each padded / truncated to, say, the security level of
>>> the underlying hash function, does that work?
>> 
>>    One could solve the issue for variable length SS by adding a length
>>    field and padding to the maximum possible SS length. I think truncating
>>    is a bad idea, and could interact badly with some oddball KEMs.
>> 
>>    However, using KEMs with variable-length SS seems like a bad idea
>>    anyway. E.g., see the TLS RACCOON attack.
>> 
>> 
>>    -Ilari
>> 
>>    _______________________________________________
>>    Spasm mailing list
>>    Spasm@ietf.org
>>    https://www.ietf.org/mailman/listinfo/spasm
>> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.40.4 | Report a Bug | By Email | System Status