IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-hybrid-design

Douglas Stebila <dstebila@gmail.com> Fri, 29 April 2022 14:24 UTC

Return-Path: <dstebila@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CCCDC15E41B for <tls@ietfa.amsl.com>; Fri, 29 Apr 2022 07:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yrUlTISCjFXF for <tls@ietfa.amsl.com>; Fri, 29 Apr 2022 07:24:38 -0700 (PDT)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D7F0C159A25 for <tls@ietf.org>; Fri, 29 Apr 2022 07:24:38 -0700 (PDT)
Received: by mail-il1-x12c.google.com with SMTP id y16so4071235ilc.7 for <tls@ietf.org>; Fri, 29 Apr 2022 07:24:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Z+4QaaSHhAhcTYkSokShK2LmCpURVyvFDD2ZYs0TKOM=; b=OyYXA0PtcA5+0Nq4BgjOOHPI28M7J8o87U+OhIE9DxJlBIBZriPMtuvWxwl1sP7xy1 15fG+aEML0W1ZtPZmeFDd0DIq2XNLNdIvMjXoG2D6H2LKZu7qivP4/iiS27mMD9KnbIb vcMEmh+R6mjZw7KmtWESSQwHp1bs1yta54zoBI4LRcxjvpupZuVj5itk88Q3VryVaTtb 6OTnMUg01uK0clWYPK86aj3IbMlwG4y/SYm6n/hya3cKbXr2tvdez6esLW85FhtLgBns oOjvKMQ5/IRVBRb4B0LQlV0i820KzCpZV9S4QalQ1XE3IaGvuxqabhX9sGIH8AX9RAwd 5Wnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Z+4QaaSHhAhcTYkSokShK2LmCpURVyvFDD2ZYs0TKOM=; b=1ZcIeYSL/eej4BzrnsaQqQxtGQpAAWo8aM4RoCPAL84J5SZYaTjtzfcD5xQ74OQup+ tG43Cl1MWez14+zm2Dpw0aM/ySiKsvpQduGRr8c3DDuUpFYUt8lBGbpiqLg/Oc83mxC2 WKRcRO4kBRwcioJnT4KSQcp3ekPt5x7IwA/aFhcX3ROxrH7WRPaxMtJrjp/xtsVo11Tx aogyqvV2qES/7JdWMi/Wt1vj3fK1ZQrNZdHab7iL+LqjDGwYxM8Qzc91tkZO8S9yEr/9 qaImd89zrp6shpc7tn0r9lkfbruXXOHGL8Xk3f64WSQMFItJSmJlFshxXCd3LhdwQ8ol yEEw==
X-Gm-Message-State: AOAM533wJiGvA3gqV2oDX2WiA+B/F05LxZULyOVpL/+pUef7MkPdJxDj ntc1TH0s1g8rGZydjBMoRMcZTEDG/Q4=
X-Google-Smtp-Source: ABdhPJzpaSgDJQpomzx+dsWH7GjZ7uZDUIQbZ/Jc8gXTAUDoKFpdKfJPJytSyXTeWjDjvoXlWmuY6g==
X-Received: by 2002:a92:ca09:0:b0:2cd:88dd:619b with SMTP id j9-20020a92ca09000000b002cd88dd619bmr11405976ils.74.1651242277000; Fri, 29 Apr 2022 07:24:37 -0700 (PDT)
Received: from smtpclient.apple (cpe881fa12cf37b-cma84e3fc93e50.cpe.net.cable.rogers.com. [99.250.203.26]) by smtp.gmail.com with ESMTPSA id d192-20020a0262c9000000b0032b3a78175bsm601122jac.31.2022.04.29.07.24.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 29 Apr 2022 07:24:36 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: Douglas Stebila <dstebila@gmail.com>
In-Reply-To: <96daf32f-dbdb-4e56-8617-d27f53abdff0@beta.fastmail.com>
Date: Fri, 29 Apr 2022 10:24:34 -0400
Cc: tls@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <9D8771DE-3668-4D26-A927-E9BF871CE2FD@gmail.com>
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <96daf32f-dbdb-4e56-8617-d27f53abdff0@beta.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4UlBmiXI7CBoT-qJ1vxYQYgVfSc>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2022 14:24:41 -0000

Thanks for the feedback Martin.  I see what you're getting at regarding phrasing it in terms of KeyGen[i], Encaps[i], etc.  This is a good point:

>> For a hybrid key exchange, the key_exchange field of a KeyShareEntry is the concatenation of the key_exchange field for each of the constituent algorithms. 
> 
> I think that this text is a mistake as it implies that the component key exchange algorithm has a defined key_exchange format.  What you want is a definition in the form above, or as HPKE has it.

Indeed it makes sense to be able to define a hybrid key exchange method independent of whether the all of the component algorithms are already defined standalone key exchange methods in TLS 1.3.  I do however want to tie back somehow to the idea that, *if* one of the algorithms is already defined as a key exchange method in TLS 1.3, then the value that should be put in the key share concatenation is just the key share that was used when it was a standalone method.  Is that okay?


> With something like this, I'd like to see the implication that the TLS key schedule is changed by this draft can be removed (in Section 3.3 specifically).

I don't read Section 3.3 as implying that the TLS key schedule is changed.  It says how one of the inputs to the key schedule is computed, but otherwise I think it's just saying: put this concatenated value into the obvious place in the existing key schedule.  Can you point me to where you read it as implying more changes to the TLS key schedule?

Douglas




> On Apr 27, 2022, at 20:56, Martin Thomson <mt@lowentropy.net> wrote:
> 
> I found the introduction of KeyGen, Encaps, and Decaps to be underutilized.  It would require a little work, but I think that it would be better to describe a method whereby you produce each of these functions by taking an ordered collection of these functions (KeyGen[i], Encaps[i], and Decaps[i]) and constants (Npk[i], Nek[i], etc...).
> 
> With something like this, I'd like to see the implication that the TLS key schedule is changed by this draft can be removed (in Section 3.3 specifically).
> 
> In essence, you are describing a known-good process for composing key exchange methods.  (Not existing TLS 1.3 key exchange methods, as implied by this:
> 
>> For a hybrid key exchange, the key_exchange field of a KeyShareEntry is the concatenation of the key_exchange field for each of the constituent algorithms. 
> 
> I think that this text is a mistake as it implies that the component key exchange algorithm has a defined key_exchange format.  What you want is a definition in the form above, or as HPKE has it.
> 
> I'd prefer to see this work done before publication, but as I'm not able to volunteer to do it, I can't really insist on it.  This is useful work and the document, despite these niggles, is pretty clear and well-reasoned.
> 
> On Thu, Apr 28, 2022, at 01:27, Christopher Wood wrote:
>> This email commences a two week WGLC for draft-ietf-tls-hybrid-design, 
>> located here:
>> 
>>   https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
>> 
>> We do not intend to allocate any code points at this time and will park 
>> the document after the call is complete. Once CFRG produces suitable 
>> algorithms for consideration, we will then add them to the NamedGroup 
>> registry through the normal process [1] and move the document forward.
>> 
>> Please review the draft and send your comments to the list. This WGLC 
>> will conclude on May 13.
>> 
>> Best,
>> Chris, for the chairs
>> 
>> [1] 
>> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email