IETF Logo Mail Archive

Re: [TLS] A suggestion for handling large key shares

David Benjamin <davidben@chromium.org> Tue, 19 March 2024 20:42 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC423C151093 for <tls@ietfa.amsl.com>; Tue, 19 Mar 2024 13:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.257
X-Spam-Level:
X-Spam-Status: No, score=-9.257 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sdsflk9xMtXW for <tls@ietfa.amsl.com>; Tue, 19 Mar 2024 13:42:42 -0700 (PDT)
Received: from mail-yw1-x112e.google.com (mail-yw1-x112e.google.com [IPv6:2607:f8b0:4864:20::112e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C7D9C15107A for <tls@ietf.org>; Tue, 19 Mar 2024 13:42:42 -0700 (PDT)
Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-60cbcd04de8so2384697b3.0 for <tls@ietf.org>; Tue, 19 Mar 2024 13:42:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1710880961; x=1711485761; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uKm4eLuc1x6mhSd5ShZ+ci5FSLCgK92B+9U2waTtBq0=; b=G/sX8i1eMulx5OCPmuf/B8LpVApZLMYvfThCQBTdcJ0mqmjKhCYTuCkUoY5j56tzJV 29CJiVQbFEFjIgexZt/MFHEpCM7hlVjn8DHk3IbJMo6WlF6ljvIgmDsT0b7ntAYzF2ro X62RyhCfD455sdE+OmxYN2P7fc5MCLPJzZVy4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710880961; x=1711485761; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uKm4eLuc1x6mhSd5ShZ+ci5FSLCgK92B+9U2waTtBq0=; b=K8skdniqR41BvcgffcCMVoXnTpMnnAQC+/bPUTTmMS1FGy7w+CfrjsDnyrEc7sspcr pQbNnDJGD4KU+4oKYhM9F75MC0xxnasHew/OU82tg/IWIfxRovpgZc0AgJ7HfdXbSue7 VtuWLxNg9/CmRJCTB+yZGRWqUmKHheoM66oHbRaIrGoUmu7cAaXmgysS8/oAeDRTlW0I KQd8zRYa+dLtBixKwY7PmCBbWEvblKvWphUP8sYO8yqNb5IdxpUtF7Vus5G/pLPFTIsF zXW2Zv8UyOCtRh8s7HvV/kv/S+T9IEyApyXHvqZVWV3gSzFUMD8XwE5DiCPFAaXrVMBm W/Dg==
X-Forwarded-Encrypted: i=1; AJvYcCWJuh4BbWQh5hkH6K01XuKjp7G0UO8W2P19XfHfX7NsZQ1X2WEFvsPJppBw32L7E5sZBOIWiM3We/iOIlo=
X-Gm-Message-State: AOJu0Yxe018iH0SxCPPa+rlWjbVrwCHmSyw4kuMbfYZDQFRuMoUoEu0Z Sm5PfhHyZtkH6vSMUVlaMl5Re55iU+g3toE1hh/Bo07RK+99dE3fOfUkW67xo2TJ7clfJN0xKyv BBTKdxWMcUYoPW2ZH8t3w1divwyY7gjuj5eHsqZKvn9ytYVl4ysY=
X-Google-Smtp-Source: AGHT+IH/NGQPrqY33n/IJgaVPRaJa7tQVFbnyzABOzbKtTxY+GqWlPakRW+1l15rPpTt1ZEnDiIKGFmxsNMZdzqQG+8=
X-Received: by 2002:a81:be08:0:b0:610:e130:d6af with SMTP id i8-20020a81be08000000b00610e130d6afmr2002230ywn.8.1710880960774; Tue, 19 Mar 2024 13:42:40 -0700 (PDT)
MIME-Version: 1.0
References: <CH0PR11MB544488B051C041EB32541AB6C12C2@CH0PR11MB5444.namprd11.prod.outlook.com> <CAF8qwaDmYMprxW4aYCiEEWKAw04xoSEZU=6fXCHqOcqjnhG6_w@mail.gmail.com> <6c94e7dd71d94b769c72b29318e1208f@amazon.com>
In-Reply-To: <6c94e7dd71d94b769c72b29318e1208f@amazon.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 20 Mar 2024 06:42:22 +1000
Message-ID: <CAF8qwaBw2JWV+EsbaB5B-528u9_RvfL14C3s_BBV2j1c0WESfQ@mail.gmail.com>
To: "Kampanakis, Panos" <kpanos@amazon.com>
Cc: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ecb993061409838e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ky9UsEtSo_AnY3GrdtJgxSNU1Z4>
Subject: Re: [TLS] A suggestion for handling large key shares
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 20:42:46 -0000

I think you're several discussions behind here. :-P I don't think
draft-ietf-tls-hybrid-design makes sense here. This has nothing to do with
hybrids, but anything with large key shares. If one were to do Kyber on its
own, this would apply too. Rather, per the discussion at IETF 118, the WG
opted to add some clarifications to rfc8446bis in light of draft-00.

It has also turned out that:
a) RFC 8446 actually already defined the semantics (when I wrote draft-00,
I'd thought it was ambiguous), though the clarification definitely helped
b) The implementation that motivated the downgrade concern says this was
not bug from misunderstanding the protocol, but an intentional design
decision

Given that, the feedback on the list and
https://github.com/davidben/tls-key-share-prediction/issues/5, I concluded
past-me was overthinking this and we can simply define the DNS mechanism
and say it is the server's responsibility to interpret the preexisting TLS
spec text correctly and pick what it believes is a coherent selection
policy. So draft-01 now simply defines the DNS mechanism without any
complex codepoint classification and includes some discussion of the
situation in Security Considerations, as you noted.

Of what remains in Security Considerations, the random client MAY is
specific to this draft and does not make sense to move. The server NOT
RECOMMENDED is simply restating the preexisting implications of RFC 8446
and the obvious implications of believing some options are more secure than
others. If someone wishes to *replicate* it into another document, they're
welcome to, but I disagree with *moving* it. In the context of the
discussion in that section, it makes sense to restate this implication
because this is very relevant to why it's okay for the client to use DNS to
influence key shares.

David

On Wed, Mar 20, 2024 at 6:08 AM Kampanakis, Panos <kpanos@amazon.com> wrote:

> Hi Scott, David,
>
>
>
> I think it would make more sense for the normative language about Client
> and Server behavior (section 3.2, 3.4) in
> draft-davidben-tls-key-share-prediction-00 (
> https://www.ietf.org/archive/id/draft-davidben-tls-key-share-prediction-00.html
> ) to go in draft-ietf-tls-hybrid-design. These are now discussed in the Sec
> Considerations of draft-davidben-tls-key-share-prediction-01, but the
> “SHOULD” and “SHOULD NOT” language from -00 section 3.2 and 3.4 ought to be
> in draft-ietf-tls-hybrid-design.
>
>
>
> I definitely want to see draft-davidben-tls-key-share-prediction move
> forward too.
>
>
>
> Rgs,
>
> Panos
>
>
>
> *From:* TLS <tls-bounces@ietf.org> *On Behalf Of * David Benjamin
> *Sent:* Tuesday, March 19, 2024 1:26 AM
> *To:* Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org>
> *Cc:* TLS@ietf.org
> *Subject:* RE: [EXTERNAL] [TLS] A suggestion for handling large key shares
>
>
>
> *CAUTION*: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
>
>
> > If the server supports P256+ML-KEM, what Matt suggested is that, instead
> of accepting P256, it instead a ClientHelloRetry with P256+ML_KEM.  We then
> continue as expected and end up negotiating things in 2 round trips.
>
>
>
> I assume ClientHelloRetry was meant to be HelloRetryRequest? If so, yeah,
> a server which aims to prefer P256+ML-KEM over P256 should, well, prefer
> P256+ML-KEM over P256. :-) See the discussions around
> draft-davidben-tls-key-share-prediction. In particular, RFC 8446 is clear
> on the semantics of such a ClientHello:
>
>
>
>    This vector MAY be empty if the client is requesting a
>    HelloRetryRequest.  Each KeyShareEntry value MUST correspond to a
>    group offered in the "supported_groups" extension and MUST appear in
>    the same order.  However, the values MAY be a non-contiguous subset
>    of the "supported_groups" extension and MAY omit the most preferred
>    groups.  Such a situation could arise if the most preferred groups
>    are new and unlikely to be supported in enough places to make
>    pregenerating key shares for them efficient.
>
>
>
> rfc8446bis contains further clarifications:
> https://github.com/tlswg/tls13-spec/pull/1331
>
>
>
> Now, some servers (namely OpenSSL) will instead unconditionally select
> from key_share first. This isn't wrong, per se. It is how you implement a
> server which believes all of its supported groups are of comparable
> security level and therefore prioritizes round trips. Such a policy is
> plausible when you only support, say, ECDH curves. It's not so reasonable
> if you support both ECDH and a PQ KEM. But all the spec text for that is in
> place, so all that is left is that folks keep this in mind when adding PQ
> KEMs to a TLS implementation. A TLS stack that always looks at key_share
> first is not PQ-ready and will need some changes before adopting PQ KEMs.
>
>
>
> Regarding the other half of this:
>
>
>
> > Suppose we have a client that supports both P-256 and P256+ML-KEM.  What
> the client does is send a key share for P-256, and also indicate support
> for P256+ML-KEM.  Because we’re including only the P256 key share, the
> client hello is short
>
>
>
> I don't think this is a good tradeoff and would oppose such a SHOULD here.
> PQ KEMs are expensive as they are. Adding a round-trip to it will only make
> it worse. Given the aim is to migrate the TLS ecosystem to PQ, penalizing
> the desired state doesn't make sense. Accordingly, Chrome's Kyber
> deployment includes X25519Kyber768 in the initial ClientHello. While this
> does mean paying an unfortunate upfront cost, this alternative would
> instead disincentivize servers from deploying post-quantum protections.
>
>
>
> If you're interested in avoiding the upfront cost, see
> draft-davidben-tls-key-share-prediction-01. That provides a mechanism for
> clients to predict more accurately, though it's yet to even be adopted, so
> it's a bit early to rely on that one. Note also the Security Considerations
> section, which further depends on the server expectations above.
>
>
>
> David
>
>
>
> On Tue, Mar 19, 2024 at 2:47 PM Scott Fluhrer (sfluhrer) <sfluhrer=
> 40cisco.com@dmarc.ietf.org> wrote:
>
> Recently, Matt Campagna emailed the hybrid KEM group (Douglas, Shay and
> me) about a suggestion about one way to potentially improve the performance
> (in the ‘the server hasn’t upgraded yet’ case), and asked if we should add
> that suggestion to our draft.  It occurs to me that this suggestion is
> equally applicable to the pure ML-KEM draft (and future PQ drafts as well);
> hence putting it in our draft might not be the right spot.
>
>
>
> Here’s the core idea (Matt’s original scenario was more complicated):
>
>
>
>    - Suppose we have a client that supports both P-256 and P256+ML-KEM.
>    What the client does is send a key share for P-256, and also indicate
>    support for P256+ML-KEM.  Because we’re including only the P256 key share,
>    the client hello is short
>    - If the server supports only P256, it accepts it, and life goes on as
>    normal.
>    - If the server supports P256+ML-KEM, what Matt suggested is that,
>    instead of accepting P256, it instead a ClientHelloRetry with P256+ML_KEM.
>    We then continue as expected and end up negotiating things in 2 round trips.
>
>
>
> Hence, the non-upgraded scenario has no performance hit; the upgraded
> scenario does (because of the second round trip), but we’re transmitting
> more data anyways (and the client could, if it communicates with the server
> again, lead off with the proposal that was accepted last time).
>
>
>
> Matt’s suggestion was that this should be a SHOULD in our draft.
>
>
>
> My questions to you: a) do you agree with this suggestion, and b) if so,
> where should this SHOULD live?  Should it be in our draft?  The ML-KEM
> draft as well (assuming there is one, and it’s not just a codepoint
> assignment)?  Another RFC about how to handle large key shares in general
> (sounds like overkill to me, unless we have other things to put in that
> RFC)?
>
>
>
> Thank you.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email