Re: [TLS] AdditionalKeyShare Internet-Draft
Douglas Stebila <dstebila@gmail.com> Mon, 17 April 2017 19:44 UTC
Return-Path: <dstebila@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F3F81317BA for <tls@ietfa.amsl.com>; Mon, 17 Apr 2017 12:44:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3YMunvvOE5yN for <tls@ietfa.amsl.com>; Mon, 17 Apr 2017 12:44:51 -0700 (PDT)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ADF21317B6 for <tls@ietf.org>; Mon, 17 Apr 2017 12:44:51 -0700 (PDT)
Received: by mail-io0-x230.google.com with SMTP id r16so162068958ioi.2 for <tls@ietf.org>; Mon, 17 Apr 2017 12:44:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=5pHPR5HhTaofLoDqGGICAW8spTN/6cSOkKs1Llf8lKg=; b=qJ0q+RnX5oDwBdV/vHXpjlPgrWkW6rJxmKjpHIM37jt9NeQX03I+ggG8tWFb5f9hiN KTV2LV29wyyKzOaRe4GFydZ0OXqEkdY4RVOSGUjpdwzcDki47oRtNCel/X8agOA+YxDh Ov2uC3wW+d9UfzNeQcWCsK58epBNV8UbwCxrP5Ch/551OaT2qWU/1FBI+A2TNzJrNr9/ r0BO5mUTxcs0twFyYZjzDDAmGez94nym0sym4KMVKy1FoUpr5MkAFsNm+LfTUGPI4PUW b5yJiYXj6JunWNy2Ldu1zbpMbpenfzpy7jvr0GPP+6rxrCA4Cc64X8KPy33oMLURh9M5 tCKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=5pHPR5HhTaofLoDqGGICAW8spTN/6cSOkKs1Llf8lKg=; b=EIBi3t8jVWlPTT7Vz7dPMb2WaJrbkRTbTvO8wlnkWC8Nog89iBQC+01z4JnTZzlZ1z 9937yfc8Ns2wzWeTtGT0ygxYM6BI76LEAs+J9TaLPWSpUqGJ7RyA6kOXxFroXvRypP7w ISY3/etfBl8zpWcLoRLUofGuZOkG/uBTMUadd1RI1kPqLn4cFoEjR5GbEv7eFUO43OBS nYXNF9xKcq20msnejQ92tc+nS8nBTF0GIWG89QGaheOrJMtqm3xyj1ampM2wC+QxjVUQ oWboOZhiypV7oCDLgaRfNuMWdZAOSleguj3Q/HrUoypNOgrfE98MB1kiLAxIFBMlB9Ov Tozg==
X-Gm-Message-State: AN3rC/4sGnDJpdxyDTBB+MQlUjRjloHe6dF0wsaif3q52x3x3kT0QS8c u/7iGkOZ/qoFYQ==
X-Received: by 10.36.19.193 with SMTP id 184mr11560344itz.93.1492458290323; Mon, 17 Apr 2017 12:44:50 -0700 (PDT)
Received: from stebila-imac.cas.mcmaster.ca (stebila-imac.cas.McMaster.CA. [130.113.68.195]) by smtp.gmail.com with ESMTPSA id d12sm5333562iog.41.2017.04.17.12.44.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Apr 2017 12:44:49 -0700 (PDT)
From: Douglas Stebila <dstebila@gmail.com>
Message-Id: <E0EDAFAD-E0B5-4BBD-8553-1AC1E448E5D6@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C9E4F14D-94AB-4EED-A4F0-1646251D6DD6"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Mon, 17 Apr 2017 15:44:47 -0400
In-Reply-To: <CAF8qwaB74gFFdc6jQ0ySddYO4FQJmZdDS=uo5yF5UzQ+5sTP=A@mail.gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
To: David Benjamin <davidben@chromium.org>
References: <E8836EB8-EFC4-4506-BCBB-2F4FE9BA075F@gmail.com> <CAF8qwaB74gFFdc6jQ0ySddYO4FQJmZdDS=uo5yF5UzQ+5sTP=A@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HdUR3-ZgW_2yZSVxxSFCo5aw36w>
Subject: Re: [TLS] AdditionalKeyShare Internet-Draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 19:44:54 -0000
Hi David, Thanks for the feedback. > This seems overly complicated. Why implement a parallel key share mechanism rather than merely defining a new NamedGroup value? > > Using your example of Google's recent New Hope experiment, I would imagine defining, say, NamedGroup.cecpq1. Let its key_shares be the concatenation of New Hope and X25519 public values, and let the resulting shared secret be some combination of the two resulting keys. > > This avoids changing the key schedule or protocol logic and slots in nicely into the existing arrangement. The AdditionalKeyShare proposal has more moving parts and combinatorial combinations to test and worry about. Defining combined NamedGroups, like in the Google New Hope experiment, also incurs a combinatorial explosion, this time in the number of NamedGroups. Given that TLS 1.3 has taken the approach of splitting off each component of a TLS 1.2 ciphersuite into its own negotiable component to avoid combinatorial explosion in standardized values, separately negotiating each parallel key share mechanism seemed to us to follow the TLS 1.3 design approach. > It also requires implementations answer silly questions like: > - What happens the server selects two New Hopes with no X25519? X25519 and P-256 together? In our draft, KeyShare and AdditionalKeyShare form disjoint pools of NamedGroups from which one element can be selected. If the client offers say P256 and X5519 in KeyShare and NewHope in its AdditionalKeyShare, your first problem cannot happen. If the client offers NewHope in both pools, then the situation you propose could happen. This does not negatively impact compatibility or security, although there is obviously no value in doing two NewHopes compared to a single NewHope. I don't think we've put in a MUST NOT/SHOULD NOT here, but we could add that. > - What happens if the client offers New Hope in the normal key shares slot and X25519 in the additional one? > - What happens if the client only offers New Hope and not X25519? This is fine from the draft's perspective. If the client does so and then interacts with a non-NewHope-compatible server that only speaks X25519, the connection would fail because the KeyShare slot contains no mutually compatible key shares. > - How does a client express that it's not willing to do New Hope without ECDH? What if the server sends a HelloRetryRequest for New Hope in the main slot and does not select X25519? The server must pick exactly one NamedGroup from the KeyShare pool, and at most one NamedGroup from the AdditionalKeyShare pool. The client could put ECDH in KeyShare and NewHope in AdditionalKeyShare to indicate this desire; the server would then have to use ECDH from the KeyShare slot and could optionally use NewHope from the AdditionalKeyShare slot. If the client wants "ECDH (KeyShare) and NewHope (AdditionalKeyShare)" and the server says "retry with NewHope (KeyShare)", the client has the option of retrying with "NewHope (KeyShare) and ECDH (AdditionalKeyShare)". If the server rejects, then the client knows its policy cannot be satisfied, and it should not continue. If the server continues with NewHope but discards the AdditionalKeyShare (as it's allowed to do in our draft), the client learns the server is unwilling to satisfy its policy, and the client can drop the connection. > - How can I plausibly expose this complex array of options to the consumer of my TLS library? Yes, there is a complex array of options: - which algorithm(s) the client views as "must have" - which algorithm(s) the client views as "would like to have" - which algorithm(s) should/should not happen at the same time If this functionality is encapsulated anywhere in TLS, then that complexity needs to incorporated somewhere, either already in compound NamedGroups or in configuration of the parallel key share mechanism. As I mentioned above, we thought that combinatorial explosion of NamedGroups was not the TLS 1.3 way. However, we are open to considering that if there's a clear preference for it. Douglas > > > On Mon, Apr 17, 2017 at 2:23 PM Douglas Stebila <dstebila@gmail.com <mailto:dstebila@gmail.com>> wrote: > Dear TLS mailing list, > > We have posted an Internet-Draft > https://tools.ietf.org/html/draft-schanck-tls-additional-keyshare-00 <https://tools.ietf.org/html/draft-schanck-tls-additional-keyshare-00> > for using an additional key share in TLS 1.3. The intended use case is to > provide support for transitional key exchange mechanisms in which both a > pre-quantum algorithm (e.g., ECDH) and a post-quantum algorithm are used. > (Google's experiment with New Hope in 2016 had such an arrangement.) Our draft > replicates the functionality of the KeyShare extension in a new extension called > AdditionalKeyShare. Like KeyShare, the client's AdditionalKeyShare contains a > vector of KeyShareEntry structs. The server can respond with a single matching > KeyShareEntry in the AdditionalKeyShare extension of its ServerHello. The > resulting additional shared secret is included in the TLS key schedule after the > ECDH shared secret. > > While the motivation for our Internet-Draft is to facilitate the transition to > post-quantum algorithms, our Internet-Draft does not specify any post-quantum > algorithms. > > There are a couple of items for discussion related to this draft: > > - We only provide a mechanism for a single AdditionalKeyShare, thus leading to > the session establishing at most PSK + ECDHE + 1 additional shared secret. Is > there a value in even more shared secrets than that? Will someone want > to include more than one post-quantum algorithm? If so, our draft could be > adapted to have AdditionalKeyShare1, AdditionalKeyShare2, etc., but we did not > want to add that complexity unless there was desire for it. > > - TLS 1.3 allows the client to restrict the use of PSKs that they provide in > ClientHello through the "psk_key_exchange_modes" extension. The client may, > for instance, request that the PSK only be used in a PSK+(EC)DHE mode, so as > to ensure that the resumed session has forward secrecy. It is unclear the > best way to reconcile this with support for multiple key shares; we outline > some possibilities in Section 4 of our Internet-Draft, and we welcome input. > > We have also created a pull request to TLS 1.3 draft 19 which includes a > clarification on how additional secrets are to be included in the TLS key > schedule. > https://github.com/jschanck/tls13-spec <https://github.com/jschanck/tls13-spec> > > John and Douglas > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
- Re: [TLS] AdditionalKeyShare Internet-Draft David Benjamin
- [TLS] AdditionalKeyShare Internet-Draft Douglas Stebila
- Re: [TLS] AdditionalKeyShare Internet-Draft Eric Rescorla
- Re: [TLS] AdditionalKeyShare Internet-Draft Benjamin Kaduk
- Re: [TLS] AdditionalKeyShare Internet-Draft Douglas Stebila
- Re: [TLS] AdditionalKeyShare Internet-Draft Scott Fluhrer (sfluhrer)
- Re: [TLS] AdditionalKeyShare Internet-Draft William Whyte
- Re: [TLS] AdditionalKeyShare Internet-Draft William Whyte