IETF Logo Mail Archive

Re: [TLS] AdditionalKeyShare Internet-Draft

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Wed, 19 April 2017 18:43 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4569129BEE for <tls@ietfa.amsl.com>; Wed, 19 Apr 2017 11:43:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7jnSNka7a7L for <tls@ietfa.amsl.com>; Wed, 19 Apr 2017 11:43:00 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6185129C06 for <tls@ietf.org>; Wed, 19 Apr 2017 11:42:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3903; q=dns/txt; s=iport; t=1492627379; x=1493836979; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=ffW8e2ZSES8UwfUM876JO7nLf3id4zXuSDjZ+agLSJk=; b=Zx2W4UBcJ9rgok2sdbqw03I9/TTwGGvpGtzNap+rzWkeb/hI4fzBiblw 8pOm+1ZbppSjDjV6sAYxnv97Tr5ZDeLwU25sglqmLS1Q1EG6L7phL8Pgf /4Apcgskqv81WtoU13Spl2oiK555vF9AHIeKISzlNr8aHRkZowPff5yKv Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DRAABCrvdY/4ENJK1cGQEBAQEBAQEBAQEBBwEBAQEBg1RhgQsHjXWRY3CQFoRcgg8hC4V4AoQEPxgBAgEBAQEBAQFrKIUVAQEBAQIBAQE4NBcEAgEIDgMBAwEBHwkHJwsUAwYIAgQBEgiKCQgOrF+LIwEBAQEBAQEBAQEBAQEBAQEBAQEBARgFgjGEIoFdgmU0ghWCLIV7BZ0vAYcQi2KRVY9phCcBHzhLOmMVRIRmHIFjdYdegQ0BAQE
X-IronPort-AV: E=Sophos;i="5.37,222,1488844800"; d="scan'208";a="414731970"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 19 Apr 2017 18:42:58 +0000
Received: from XCH-RTP-008.cisco.com (xch-rtp-008.cisco.com [64.101.220.148]) by alln-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id v3JIgwt9008223 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 19 Apr 2017 18:42:58 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-008.cisco.com (64.101.220.148) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 19 Apr 2017 14:42:58 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1210.000; Wed, 19 Apr 2017 14:42:58 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Douglas Stebila <dstebila@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] AdditionalKeyShare Internet-Draft
Thread-Index: AQHSt6fE4KdrTyvutkKvp1tES2rNtqHNAAOw
Date: Wed, 19 Apr 2017 18:42:58 +0000
Message-ID: <cf779520cb68499385ae3440b5dbbe3e@XCH-RTP-006.cisco.com>
References: <E8836EB8-EFC4-4506-BCBB-2F4FE9BA075F@gmail.com>
In-Reply-To: <E8836EB8-EFC4-4506-BCBB-2F4FE9BA075F@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.52]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HLoyxNDfts__KeMuQXcWzfv1b0w>
Subject: Re: [TLS] AdditionalKeyShare Internet-Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2017 18:43:02 -0000

> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Douglas Stebila
> Sent: Monday, April 17, 2017 2:24 PM
> To: <tls@ietf.org>
> Subject: [TLS] AdditionalKeyShare Internet-Draft
> 
> Dear TLS mailing list,
> 
> We have posted an Internet-Draft
>     https://tools.ietf.org/html/draft-schanck-tls-additional-keyshare-00
> for using an additional key share in TLS 1.3.  The intended use case is to
> provide support for transitional key exchange mechanisms in which both a
> pre-quantum algorithm (e.g., ECDH) and a post-quantum algorithm are used.
> (Google's experiment with New Hope in 2016 had such an arrangement.) Our
> draft replicates the functionality of the KeyShare extension in a new
> extension called AdditionalKeyShare. Like KeyShare, the client's
> AdditionalKeyShare contains a vector of KeyShareEntry structs. The server
> can respond with a single matching KeyShareEntry in the AdditionalKeyShare
> extension of its ServerHello. The resulting additional shared secret is included
> in the TLS key schedule after the ECDH shared secret.
> 
> While the motivation for our Internet-Draft is to facilitate the transition to
> post-quantum algorithms, our Internet-Draft does not specify any post-
> quantum algorithms.

We have a draft with similar goals; draft-whyte-qsh-tls13 .  It also tries to achieve Quantum-safeness through multiple key exchange mechanisms; however in terms of protocol, it works somewhat differently.  You have the 'normal' key exchange (as exists in the protocol), and a second one on the side.  We allows the client to define a hybrid group (which consists of several key exchanges done in parallel).  One of our goals was to stay within the existing TLS architecture as much as possible (and thus limiting the changes needed to the TLS state machine and parsing logic); things such as modifying the key derivation mechanism (such as you do) were considered to be too large.

It may be worth your while to go through our draft,,,

> 
> There are a couple of items for discussion related to this draft:
> 
> - We only provide a mechanism for a single AdditionalKeyShare, thus leading
> to
>   the session establishing at most PSK + ECDHE + 1 additional shared secret.  Is
>   there a value in even more shared secrets than that? Will someone want
>   to include more than one post-quantum algorithm?  If so, our draft could be
>   adapted to have AdditionalKeyShare1, AdditionalKeyShare2, etc., but we
> did not
>   want to add that complexity unless there was desire for it.

Our draft allows for that naturally.

As for the need, well, I expect that some will want it.  We don't have any postquantum key exchanges that are both practical and really well trusted (at least, to the same extent that (EC)DH is); I would expect that some people will want to spread their risk and do (for example) x25519 + Frodo + SIDH.

> 
> - TLS 1.3 allows the client to restrict the use of PSKs that they provide in
>   ClientHello through the "psk_key_exchange_modes" extension. The client
> may,
>   for instance, request that the PSK only be used in a PSK+(EC)DHE mode, so
> as
>   to ensure that the resumed session has forward secrecy.  It is unclear the
>   best way to reconcile this with support for multiple key shares; we outline
>   some possibilities in Section 4 of our Internet-Draft, and we welcome input.
> 
> We have also created a pull request to TLS 1.3 draft 19 which includes a
> clarification on how additional secrets are to be included in the TLS key
> schedule.
>     https://github.com/jschanck/tls13-spec
> 
> John and Douglas
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email