IETF Logo Mail Archive

Re: [TLS] Requesting working group adoption of draft-stebila-tls-hybrid-design

"Martin Thomson" <mt@lowentropy.net> Wed, 12 February 2020 20:47 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C52E6120817 for <tls@ietfa.amsl.com>; Wed, 12 Feb 2020 12:47:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=PLmO/Ah0; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Y9bWuDM7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LUMVJUpClTrC for <tls@ietfa.amsl.com>; Wed, 12 Feb 2020 12:47:13 -0800 (PST)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04D90120019 for <tls@ietf.org>; Wed, 12 Feb 2020 12:47:12 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 22BE7FE5 for <tls@ietf.org>; Wed, 12 Feb 2020 15:47:12 -0500 (EST)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Wed, 12 Feb 2020 15:47:12 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=iFK9TpHsl/sx1NMwyiYShufS+mDDSf6 xeMsOLZbJmoc=; b=PLmO/Ah0+lLtXq8tGeRiM7PAVHgpEb34w21UgUxN/Y0LG7+ nbGnR9kj54FEmgj6Ce7AI7xA4OArqbYGakT7lrqkPcDgFsiyij+XoAHGSK1CHA0Z NaVKbyELtHAI2P5nnu+bP1Pp/0/y+XSvMSqjUH9joo9SLlS67PwZztxmY97dz1hg VFrZKd2aIoOz/zwik7tJ/iWTkk3cGFewrWLOrp2EQnc+/XYPgfC2H0qIq9TRkCfh KG6loBzVH71RPyzry5uwUNfQxqyZIx9RRsoexHJAYinGV/cuYM+1hij9N4jV5Emy JlpFgnd9cTF1aSIIm9gnZRS7vJJk64B5cMuxZRg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=iFK9Tp Hsl/sx1NMwyiYShufS+mDDSf6xeMsOLZbJmoc=; b=Y9bWuDM758ASMG41elMk3W zNNQxBjlGTkMcmqKTgABW9iG0zotv+ThUsLKnK++eH4tBMz/gQbvvbqQ5F3ltmm2 ZDVxk1wK8hzP2SIFo0+EujPMl7tnRnyaAyfK2svr5AhYoITNud/DbZp/yw107PFr MzSfDBneEDe1X6n7oNbkf5RFCSMNF1VbKClPUnJC0ks+lFt3RhqgBz5VtpEpz4Mc e1y5bopQCoL9D2ZWmcJtFTnAJqk9XXO9QBq/mumZP7uuvpeK7SB0PRfrz6bwPFf6 P5Nnr/TuCukc9E+E9JCpXExI6bIZk3wJxxSEt4LVx3F3wfYZxODWCPOcVwfQpnyg ==
X-ME-Sender: <xms:T2REXq-1ACdWw99WzMqorMB6uJ1nMHpygdZ6KVZ0yxlKDkEIa-0Htw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrieeigddtiecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreerjeenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe hmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:T2REXu-KAR8Aot8_tSIxxB1eo9tc406p2wg-dwel_o1aIaCJzfswhg> <xmx:T2REXrDOea5alF77dhmMXNb15itNyT75SUKV4G16PVis07nJguOGeQ> <xmx:T2REXmwqzvJ3ZyZxXv_DfMWUEhjxoj6-UXjWuy7KOptFrfzJFxT6IQ> <xmx:T2REXqlVRSX__MFQsiJbpqJ_dH6NTETfONviR00bphKPzfwl68fNtQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 42511E00A2; Wed, 12 Feb 2020 15:47:11 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-802-g7a41c81-fmstable-20200203v1
Mime-Version: 1.0
Message-Id: <284685f0-8b19-4870-aef6-573809827091@www.fastmail.com>
In-Reply-To: <CAFBh+SRAJAbviyrcQM2PjztumAH565i4-ui28OQ-pCJE9nePJg@mail.gmail.com>
References: <CAFBh+SRAJAbviyrcQM2PjztumAH565i4-ui28OQ-pCJE9nePJg@mail.gmail.com>
Date: Thu, 13 Feb 2020 07:46:51 +1100
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/81NtZA8xME2Jpf3eXw3VCa8BIO4>
Subject: Re: [TLS] Requesting working group adoption of draft-stebila-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2020 20:47:15 -0000

On Thu, Feb 13, 2020, at 06:26, Douglas Stebila wrote:
> We would like to request the working group adopt
> draft-stebila-tls-hybrid-design, "Hybrid key exchange in TLS 1.3", as
> a working group item.  We have updated the draft based on feedback
> we've received over the past few months, including from our
> presentations at IETF 104 and 105, and think the current version
> represents the view of the WG to date.

I agree that we should adopt this.  I think that the draft is broadly in the right shape.

Skimming through I noticed a few things that I would prefer to see eventually changed, but we can do that in the working group.

At a high level, I think that this would be easier if it were more clearly framed as *recommendations*, especially when it comes to the format of key shares and the input secret.  One advantage of the macro-level design is that the format is can be specified on a case-by-case basis.  For instance, variable-length values might be length-prefixed; fixed size values don't need to be.  That might avoid having to directly specify a single format. 

S 3.1 (Negotiation) suggests that a portion of the named group space be reserved for this use.  I think that is a bad idea because it implies semantics where none are necessary.  Picking codepoints as usual should suffice; indeed, random allocation might be ideal.

The concatenation approach is definitely my preferred approach, but the inconsistency between the design for key shares and secrets is curious.  This design assumes that shares are length-delimited; secrets are not.  The latter implies that the `ss` needs to be fixed length for a given algorithm (both the PQ and classical parts), but `ct`/`pk` does not.  I can guess at why, but when you can avoid the question, then I think you should.  That is, in favour of more generic recommendations on structure.

To answer some of the open questions:

Larger public keys and/or ciphertexts - if we need these, we're in serious trouble.  To give you an idea, even at 1k, these will start being much harder to deploy.  Getting close to 64k adds all sorts of complication.  Better to defer support for big messages.  Acknowledging the limitation should suffice.

Duplication of key shares - not so much an open question as something the draft could acknowledge as a cost.  As previously discussed X25519 is small enough that duplication doesn't hurt enough to care.

Variable-length shared secrets - see above.

Resumption - I would be supportive of policy recommendations about the strength of key exchange on resumption, but as we allow straight resumption without PSKs, this cannot be standardized.

Failures - If this were low enough, I'd be happy to try again.  From our perspective, this isn't technically challenging, it's merely annoying. If this were very low probability (as I would expect), then we might just accept the loss of the occasional connection attempt.

v2.23.0 | Report a Bug | By Email