Re: [TLS] Requesting working group adoption of draft-stebila-tls-hybrid-design
Douglas Stebila <dstebila@gmail.com> Mon, 17 February 2020 16:34 UTC
Return-Path: <dstebila@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF61512007C for <tls@ietfa.amsl.com>; Mon, 17 Feb 2020 08:34:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lNMZrJhtwxli for <tls@ietfa.amsl.com>; Mon, 17 Feb 2020 08:33:59 -0800 (PST)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B60B4120018 for <TLS@ietf.org>; Mon, 17 Feb 2020 08:33:59 -0800 (PST)
Received: by mail-qt1-x832.google.com with SMTP id d9so12404778qte.12 for <TLS@ietf.org>; Mon, 17 Feb 2020 08:33:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+LKzp6f+oH8LT/SdWT6L9q2IVO6A67lJ3sHKNVPRS7Y=; b=MxuMQ2AkUkRDImS1pjt86w6kfSszcScItbMAQ4rlNNj/2Wfsa5rhPyveaELZLXcvbg 7PRjPao5srbin3FogAfTF31nyICeMjH+WgRMrUwSoOf2uog4oDeh3RwQP1hX69d0kkgc hiOQqb/9xx401gIghk03BP+0XI+drKltlO7GgAZgs6KgIZPI/DDPVCkg0nxdno6eNai5 xKkdQKr+JWZBbqwtgx031IS7uo5PDpwGECUnpjXOdqczFJqvzFw1KFenkF6qxblgI4O5 6LGa3M6XIgCF11qZjeA8R30wLW/PYond6TEPf5UQOn2Gs5tDcRtLZdr7XCjJGJ5s9xy6 fSxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+LKzp6f+oH8LT/SdWT6L9q2IVO6A67lJ3sHKNVPRS7Y=; b=pTpzZUFUuEChcIjFmRgwupCJNuRiUPjITF1/dBoSPayvQo0lgCsw3D8fhVqjeEPXYr SZZYo11XdEDWxk3+hdqMnNAecb6Dqaw5bECLNHGCihe+AK3k0NqWrDsdU1DRNCQfdR3o uEFyv/vePP7FbmXtdmgq2FNDZWk9tgBilL8mDA19t/EYyHIzp/U9LNcm9gD3E59UBSVV pzyxrPZBw0O3gC0Vgb/onjgeEzVekEnEPqWYo8D9FmVvF7ei3wJ6BcIAk4FlRTcDFnL+ p9PsJ2xopqXql4uJfHhG0oDDtqIXU49p7Fz0ZU0pnNzAe2gaky/0CHuukY0/V0n0GUgw MYwQ==
X-Gm-Message-State: APjAAAWGxAeUGLIWK8wh18v2WpK3zjjLOKISDLSckcOmoco8v4iQjVXh DYPzPhAygQDislNTbJRZMv4jA0q3
X-Google-Smtp-Source: APXvYqwubTOIPWsPd/2JiAusjkY5SebJu85p7p63HyKO5+FJFtR1J4488nvb0yysgpkSj2qyd2zyWQ==
X-Received: by 2002:aed:2e03:: with SMTP id j3mr13862700qtd.365.1581957237875; Mon, 17 Feb 2020 08:33:57 -0800 (PST)
Received: from laptop-picard.coleridge (CPE881fa12cf37b-CMa84e3fc93e50.cpe.net.cable.rogers.com. [99.250.203.26]) by smtp.gmail.com with ESMTPSA id x126sm476080qkc.42.2020.02.17.08.33.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Feb 2020 08:33:57 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Douglas Stebila <dstebila@gmail.com>
In-Reply-To: <20200215163946.GA1687026@LK-Perkele-VII>
Date: Mon, 17 Feb 2020 11:33:55 -0500
Cc: "<tls@ietf.org>" <TLS@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DBAC51F1-4779-49DF-8EF3-E9B3721CD666@gmail.com>
References: <CAFBh+SRAJAbviyrcQM2PjztumAH565i4-ui28OQ-pCJE9nePJg@mail.gmail.com> <20200215163946.GA1687026@LK-Perkele-VII>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4xRzuuf6sPZeqZO5sQ2oGbXeZcs>
Subject: Re: [TLS] Requesting working group adoption of draft-stebila-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2020 16:34:03 -0000
Thanks for the feedback and observations, Ilari. Regarding: > - The draft talks about "any KEM used in this document". Which sounds > odd, given that this document does not define any KEMs. Good point; I've updated the language to say "any KEM used in the manner described in this document" and pushed it to my working copy on Github. Regarding the rest of the points, I don't think any of them are specific actions to take, but are good points about the overall direction. Douglas > On Feb 15, 2020, at 11:39, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > > On Wed, Feb 12, 2020 at 02:26:21PM -0500, Douglas Stebila wrote: >> Dear TLS working group, >> >> We would like to request the working group adopt >> draft-stebila-tls-hybrid-design, "Hybrid key exchange in TLS 1.3", as >> a working group item. We have updated the draft based on feedback >> we've received over the past few months, including from our >> presentations at IETF 104 and 105, and think the current version >> represents the view of the WG to date. >> >> https://datatracker.ietf.org/doc/draft-stebila-tls-hybrid-design/ > > Some comments and related sidenotes: > > - If additional round trips are to be avoided, the public key size > should be kept low so client hello does not grow so large that > significant amount of servers barf on it. [LANGLEY] notes that > 3300 bytes was about the maximum they could use. > > - That TLS 1.3 does not talk about client-side key reuse seems to > be a mistake. It for example says SHOULD NOT reuse tickets, with > rationale that also appiles to client side keys. > > - The draft talks about "any KEM used in this document". Which sounds > odd, given that this document does not define any KEMs. > > - The reasons to not reuse public keys, even with CCA-secure KEMs, > impiles that the relevant benchmarks are: > > * Combined key generation and decapsulation time. > * Single-thread encapsulation time. > * Peak memory usage by key generation and decapsulation. > * Peak memory usage by encapsulation. > * Size of public key > * Size of ciphertext > > For KEMs used as key exchanges, using decapsulation time alone is > perverse due to problems with key reuse, again even with CCA-secure > KEMs. > > - Assigning specific range for Hybrid KEX. What is the use of that? > The server recognizing that client supports Hybrid KEX even if there > is no algorithm overlap? What the server would do with that > information? > > - The draft has specific data structures. This only makes sense if > other drafts are to refer to it or are intended to copy the data > structure definitions. It also has processing algorithms, which only > makes sense to me if other drafts are to refer to this one. > > Being informational, referencing could lead to downref, but this > should not be a significant problem. > > - I do not view supporting large public keys or ciphertexts as > realistic. > > Making larger extension would mean extending TLS to support > "extended extensions". This would impily extra RTT for most key > exchanges, altough it could be absorbed into extra RTT for client > missing speculation on group (so it would be 2-RTT). > > Referencing external key is not acceptable: > > * The client would need to have a way to publish its key. > * Strong incentives to reuse keys, despite problems doing so. > * The server would need to be able to fetch keys, which causes > difficult security issues. > * The server would need to freeze the handshake for obtaining > the public key. Unless the server API already supports handshake > freezing, adding that capability is going to be virtually > impossible (let alone the annoyance of implementing it). > > Additionally, even if blowing the practical ClientHello size limit > (4kB or so) would already force additional round trip, the >64kB > key algorithms have such big keys that result would be severe > performance degradation. > > So in summary, unless all the smaller algorithms are broken beyond > repair (which is highly unlikely due to complexity reasons) the >> 64kB keys should not be accomodiated. And even in that case, external > keys are not acceptable. > > - Avoiding duplication of key shares is difficult problem: > > * Using traditional scheme is easy on client and server, but can > result in duplication of shares. And even single duplication of > PQ share is signficant. > * Making ServerHello key_share a list is clean specification-wise, > but might be anything but clean implementation-wise. > * Making separate extension could cause issues when doing > hybrid -> next-gen transition in future. > * Backreferences could be annoying to implement. > > - On resumption, I do not think there are currently any restrictions > in TLS 1.3 about DH groups used in resumption? > > If that is indeed the case, I suspect that implementing such > restrictions might turn to be annoying to implement. > > - On failures: All CCA-secure key exchanges have negligible failure > rates (because anything else leads to attacks). And even if one > considers non-CCA key exchanges from the NISTPQC 2nd round, AFAIK > all of them meant for actual use have failure rate <10^-9. > > - On schemes vulernable to chosen-ciphertext attack, SIDH (which > underlies SIKE) key can be recovered bit-by-bit (even with just > guess oracle, instead of full decryption oracle) by sending suitable > chosen ciphertexts. This takes a few hundred samples for full key > recovery. > > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Requesting working group adoption of draft-… Douglas Stebila
- Re: [TLS] Requesting working group adoption of dr… Martin Thomson
- Re: [TLS] Requesting working group adoption of dr… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Requesting working group adoption of dr… Martin Thomson
- Re: [TLS] Requesting working group adoption of dr… Stephen Farrell
- Re: [TLS] Requesting working group adoption of dr… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Requesting working group adoption of dr… Pettis, Darin P
- Re: [TLS] Requesting working group adoption of dr… Carrick Bartle
- Re: [TLS] Requesting working group adoption of dr… Martin Thomson
- Re: [TLS] Requesting working group adoption of dr… Watson Ladd
- Re: [TLS] Requesting working group adoption of dr… Stephen Farrell
- Re: [TLS] Requesting working group adoption of dr… Rob Sayre
- Re: [TLS] Requesting working group adoption of dr… Douglas Stebila
- Re: [TLS] Requesting working group adoption of dr… Douglas Stebila
- Re: [TLS] Requesting working group adoption of dr… Dang, Quynh H. (Fed)
- Re: [TLS] Requesting working group adoption of dr… Rob Sayre
- Re: [TLS] Requesting working group adoption of dr… Ilari Liusvaara
- Re: [TLS] Requesting working group adoption of dr… Loganaden Velvindron
- Re: [TLS] Requesting working group adoption of dr… Douglas Stebila
- Re: [TLS] Requesting working group adoption of dr… Russ Housley
- Re: [TLS] Requesting working group adoption of dr… Scott Fluhrer (sfluhrer)
- Re: [TLS] Requesting working group adoption of dr… Stephen Farrell
- Re: [TLS] Requesting working group adoption of dr… Watson Ladd
- Re: [TLS] Requesting working group adoption of dr… Stephen Farrell
- Re: [TLS] Requesting working group adoption of dr… Watson Ladd
- Re: [TLS] Requesting working group adoption of dr… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Requesting working group adoption of dr… Stephen Farrell
- Re: [TLS] Requesting working group adoption of dr… Watson Ladd
- Re: [TLS] Requesting working group adoption of dr… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Requesting working group adoption of dr… Stephen Farrell
- Re: [TLS] Requesting working group adoption of dr… Carrick Bartle
- Re: [TLS] Requesting working group adoption of dr… Russ Housley