IETF Logo Mail Archive

[TLS] Re: draft-ietf-tls-key-share-prediction next steps

David Benjamin <davidben@chromium.org> Wed, 11 September 2024 17:01 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69E9C14F6AB for <tls@ietfa.amsl.com>; Wed, 11 Sep 2024 10:01:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.403
X-Spam-Level:
X-Spam-Status: No, score=-9.403 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fejuWFEURrRz for <tls@ietfa.amsl.com>; Wed, 11 Sep 2024 10:01:55 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C20C5C14F68C for <tls@ietf.org>; Wed, 11 Sep 2024 10:01:55 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-5c3ed267a7bso2627636a12.3 for <tls@ietf.org>; Wed, 11 Sep 2024 10:01:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1726074114; x=1726678914; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/XSBCVSXrdS+ijAc+6Plgx4btU/vSoFgnRPcoZU/r0A=; b=VpwAQX5S/iGGCNTQv68JTX2g2UJCiY0oIB0AkczQU8qttDxETJ3wVeJ7pFSYU+GhVS FgfesdZoa6O8Gz+fhc6z7aK3yBitoPIB08/rMD4B0KvJCj5kh9DEmYR1eeEusOe6p4Fj 5XWHRxuc1BwLiYisHSS9HEO85bT5/IYK5LsXQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726074114; x=1726678914; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/XSBCVSXrdS+ijAc+6Plgx4btU/vSoFgnRPcoZU/r0A=; b=FAxQQtGLsBEaQXU9wRfA/nNUuOqisUFZRUREfdX2dC372QEb8oavEh1bDcgtgFZE7i e26twa/bwiL6gTFor60069WPQQYAHk9vpFGwg6ZT5gjUfLqoEeZdH6gS5d/sD9PgRXto bng/PIri7K99lbUacbKXf1vcS2/3zlFV1bg+q/GuexIQFWzBqVFXgpFrojlvV/w0Y2Nq 8L0pExnf9oiXOqT9O0dgZyghwiYkjbAVAuxxLW5dyo1lRMZu5GRlLsL9vqLKNAGQwuEs PxV8elt4sYmfj1kRH3DxAkIZXbfgjY/j/No7zh+6NmroTn4ws6oG8na3wZQAJXNdE0t/ 0lHA==
X-Gm-Message-State: AOJu0Yyw2+0zZU+1i1MiJojPBjFAkXxcEbYbiI4SYQFVXUYXVnLaT84M wD8A6XAtl3LhJJaVl83b8oSd+b/GtbxOPfiuwd6fvYdoNfmXQqCQ3IdY0UVlF3ZReZB9bf5LL/R yaFTG9AVnGZbtjjvhaoVO5UsyAOEtUcohUfM=
X-Google-Smtp-Source: AGHT+IGPrXJngD4e0Uzr6otYiTcgnDvcBTf85g9Qz83j2vH1fD1XsSxVE+8nxc3MYyvFaQuoIf2OzJKNCU2LrkhW5dI=
X-Received: by 2002:a05:6402:295:b0:5c2:7727:6109 with SMTP id 4fb4d7f45d1cf-5c413e53f72mr72589a12.30.1726074112465; Wed, 11 Sep 2024 10:01:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaAU+cRapAc3xnySXiq2nOTXAFvLQYdWNC6rXdFj8iA39w@mail.gmail.com> <CAOp4FwTySAHKtwKv4ade9qm19GCvag-PAJxmDndxG5CYsDPvkw@mail.gmail.com> <ZuFNRD6UWgkhAbdl@LK-Perkele-VII2.locald>
In-Reply-To: <ZuFNRD6UWgkhAbdl@LK-Perkele-VII2.locald>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 11 Sep 2024 13:01:32 -0400
Message-ID: <CAF8qwaBmyZR4ky_sMZNbk4ZiKbZche8uXLhbPkLzU-xau77Ciw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="000000000000551f8f0621daf235"
Message-ID-Hash: PGCS5JEKFWIESPWJ6DLXHWCKIXYYB3BU
X-Message-ID-Hash: PGCS5JEKFWIESPWJ6DLXHWCKIXYYB3BU
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: draft-ietf-tls-key-share-prediction next steps
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7EC18O4CFffQTadxK3n1Dp-32QQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Wed, Sep 11, 2024 at 3:58 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Wed, Sep 11, 2024 at 10:13:55AM +0400, Loganaden Velvindron wrote:
> > On Wed, 11 Sept 2024 at 01:40, David Benjamin <davidben@chromium.org>
> wrote:
> > >
> > > Hi all,
> > >
> > > Now that we're working through the Kyber to ML-KEM transition, TLS
> > > 1.3's awkwardness around key share prediction is becoming starkly
> > > visible. (It is difficult for clients to efficiently offer both
> > > Kyber and ML-KEM, but a hard transition loses PQ coverage for some
> > > clients. Kyber was a draft standard, just deployed by early
> > > adopters, so while not ideal, I think the hard transition is not
> > > the end of the world. ML-KEM is expected to be durable, so a
> > > coverage-interrupting transition to FancyNewKEM would be a problem.)
> > >
> >
> > Can you detail a little bit more in terms of numbers ?
> > -Did you discover that handshakes are failing because of the larger
> > ClientHello ?
> > -Some web clients aren't auto-updating ?
>
> The outright failures because of larger ClientHello are actually web
> server issues. However, even ignoring any hard failures, larger
> ClientHello can cause performance issues.
>
> The most relevant of the issues is tldr.fail (https://tldr.fail/)
> where web server ends up unable to deal with TCP-level fragmentation
> of ClientHello. Even one PQ key (1216 bytes) fills vast manjority of
> TCP fragment (and other stuff in ClientHello can easily push it over,
> as upper limit is around 1430-1460 bytes). There is no way to fit two
> PQ keys.
>
> Then some web servers have ClientHello buffer limits. However, these
> limits are almost invariably high enough that one could fit two PQ
> keys. IIRC, some research years back came to conclusion that the
> maximum tolerable key size is about 3.3kB, which is almost enough for
> three PQ keys.
>
> Then there are a lot of web servers that are unable to deal with TLS-
> level fragmentation of ClientHello. However, this is not really
> relevant, given that the limit is 16kB, which is easily enough for
> 10 PQ keys and more than enough to definitely cause performance issues
> with TCP.
>

Yup. Even adding one PQ key was a noticeable size cost (we still haven't
shipped Kyber/ML-KEM to mobile Chrome because the performance regression
was more prominent) so, yeah, we definitely do not want to send two PQ keys
in the initial ClientHello. Sending them in supported_groups is cheap, but
as those options take a RTT hit, they're not really practical. Hence all
the key-share-prediction work. (For some more background, so the earlier WG
discussions around this draft, before it was adopted.)


> And it is possible for web server to offer both, so even with hard
> client transition both old and new clients get PQ coverage.
>

Yup, although that transition strategy requires that *every* PQ server move
before *any* client moves, if your goal is to never interrupt coverage.
That's not really a viable transition strategy in the long run, once PQ
becomes widely deployed.

David

v2.39.1 | Report a Bug | By Email | System Status