Re: [TLS] Hybrid key exchange in TLS 1.3 and variable-length secrets
Douglas Stebila <douglas@stebila.ca> Thu, 17 September 2020 14:12 UTC
Return-Path: <dstebila@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A2103A0B74 for <tls@ietfa.amsl.com>; Thu, 17 Sep 2020 07:12:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.421
X-Spam-Level:
X-Spam-Status: No, score=-1.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4IEaN48v0Beb for <tls@ietfa.amsl.com>; Thu, 17 Sep 2020 07:12:49 -0700 (PDT)
Received: from mail-ej1-f52.google.com (mail-ej1-f52.google.com [209.85.218.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82ED03A09E1 for <tls@ietf.org>; Thu, 17 Sep 2020 07:12:49 -0700 (PDT)
Received: by mail-ej1-f52.google.com with SMTP id j11so3576995ejk.0 for <tls@ietf.org>; Thu, 17 Sep 2020 07:12:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q9FGeEBpTP5x5hiqGNA8aMty4wNaMzWg5QmOpnrJZig=; b=ZmHQqY26RoRTjOykjjXMNhd+O9dZEOFWf9jEEWC4tgnhXZ4azIuU5H/zCra8hL6dNx hcDdOWF2MzOSlAjoLw6nBK/MoAXefgRfevamgvTcygbLQaQTjh+5SbEmvGuznoT2zvyD wBTqMrypF1QvsUj7BGYnjCtiwL40rJ3WAP8kbeV4Y56eUr14alj74B/gxota0jvaNosC 2l3lroutSozWBXkGbixJHa56Z8U7wMq1Kpvd5l+BZDW4mKbiGmxnXX1iXuss0lHOfweb NvtWaOOgA1bFZWmKiNt/ObRE5emtzNCht/RDHYCvwEzOvTEj+OaA6ZYOe4l+bEj2hw1Y AnGw==
X-Gm-Message-State: AOAM531JixmCiawLNC2ETysIay9SYiHZE+186ZZi4VFQdZzsDOMYpjuo JFQc5kIZ3dakU5Z8N/gy1GupbHmyF11e2OtzMRs=
X-Google-Smtp-Source: ABdhPJzFIAMEC1kjNvwGJ9GaOx6JshazAGTIbydj8hroxzOtxqAQrguBk3CgXgNRuEAZfFfFMyevWi7fhtQCkD/r1G4=
X-Received: by 2002:a17:906:12c7:: with SMTP id l7mr30506511ejb.306.1600351967870; Thu, 17 Sep 2020 07:12:47 -0700 (PDT)
MIME-Version: 1.0
References: <CABiKAoSGpodvQAegOhDxKxvDWoUsZBZL2JFWbtyseH+19cj6VQ@mail.gmail.com>
In-Reply-To: <CABiKAoSGpodvQAegOhDxKxvDWoUsZBZL2JFWbtyseH+19cj6VQ@mail.gmail.com>
From: Douglas Stebila <douglas@stebila.ca>
Date: Thu, 17 Sep 2020 10:12:37 -0400
Message-ID: <CAFBh+SQmzEyoFZS70W3btSS41yr4H4+vMV24fBBwsQsi5G0pbA@mail.gmail.com>
To: Nimrod Aviram <nimrod.aviram@gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9Tg0AuwWvAXudIqpifju3F_yJ9A>
Subject: Re: [TLS] Hybrid key exchange in TLS 1.3 and variable-length secrets
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 14:12:51 -0000
Given that all the finalists and alternate candidates have fixed length shared secrets, and your observations on the potential for timing attacks, I'm fine with dealing with only fixed length secrets, removing the paragraph discussing the possibility for variable-length shared secrets from the TLS 1.3 hybrid KEX draft, and adding a note regarding the risks as identified by the Raccoon attack. Douglas On Wed, Sep 16, 2020 at 12:27 PM Nimrod Aviram <nimrod.aviram@gmail.com> wrote: > > Dear all, > > We are writing to ask about the possible security impact of > variable-length secrets on the "Hybrid key exchange in TLS 1.3" RFC > [1]. > > As you probably know, when using key material of variable length > and processing this material using hash functions, a timing side > channel may arise. In broad terms, when the secret is longer, the hash > function may need to process more blocks internally. In some unfortunate > circumstances, this has led to timing attacks, e.g. Lucky Thirteen [2] > and the newly-disclosed Raccoon Attack [3]. To be clear, we are not > aware of any attack on the proposed standard. Rather, we view this as > an opportunity to defend-in-depth against such attacks, while work on > the standard is in progress. > > Our proposal is to add language to the RFC explaining that variable-length > secrets may enable such attacks, and should therefore be avoided when > possible. Currently, the language seems to allow for variable-length > secrets, should the need arise: > "Variable-length shared secrets ... if it is envisioned that this specification > be used with algorithms which do not have fixed-length shared secrets ..." > > We also note that a related RFC exists, "Hybrid Post-Quantum Key > Encapsulation Methods (PQ KEM) for Transport Layer Security 1.2" > [4]. However, that RFC apparently only uses BIKE, Kyber or SIKE as the > PQ KEM. To our knowledge, all three KEMs have fixed-length secrets. It > may be prudent to add cautionary language to that document as well, > in case other KEMs are used in the future. > > Kind regards, > The Raccoon Team > > [1] https://www.ietf.org/id/draft-ietf-tls-hybrid-design-00.html#name-open-questions > [2] https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6547131 > [3] https://raccoon-attack.com/ > [4] https://tools.ietf.org/id/draft-campagna-tls-bike-sike-hybrid-05.html#name-key-exchange-algorithms > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Hybrid key exchange in TLS 1.3 and variable… Nimrod Aviram
- Re: [TLS] Hybrid key exchange in TLS 1.3 and vari… David Benjamin
- Re: [TLS] Hybrid key exchange in TLS 1.3 and vari… David Benjamin
- Re: [TLS] Hybrid key exchange in TLS 1.3 and vari… Ilari Liusvaara
- Re: [TLS] Hybrid key exchange in TLS 1.3 and vari… Douglas Stebila
- Re: [TLS] Hybrid key exchange in TLS 1.3 and vari… Nimrod Aviram
- Re: [TLS] Hybrid key exchange in TLS 1.3 and vari… Nimrod Aviram
- Re: [TLS] Hybrid key exchange in TLS 1.3 and vari… Douglas Stebila
- Re: [TLS] Hybrid key exchange in TLS 1.3 and vari… Benjamin Kaduk
- Re: [TLS] Hybrid key exchange in TLS 1.3 and vari… Douglas Stebila