Re: [TLS] PQC key exchange sizes
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 27 July 2022 14:41 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LPSHUI9tLZsiIAyVnSHIMep2vSw>
On Wed, Jul 27, 2022 at 02:27:12AM +0000, Kampanakis, Panos wrote:
> Hi Ilari,
>
> > - DTLS-level fragmentation. There are buggy implementations that
> > break if one tries this.
>
> DTLS servers have been fragmenting and sending cert chains that don’t
> fit in the MTU for a long time. Is this buggy on the TLS client side?

These problems are specific to fragmenting Client Hello. Handling fragmented DTLS Client Hello is different from handling fragmented DTLS Certificate (and even more so in DTLS 1.3). I think DTLS specification just pretends both cases are the same. They are not.

QUIC implementations could have similar issues with multiple initial packets, but operating QUIC with fast failure-independent fallback would make failures soft.

There is the general principle that if some protocol feature is not used in the wild, it tends to break, even if required part of the protocol. Either by implementation being poorly tested and buggy, assuming the feature does not exist, or being missing entirely. Combine this with interop failures having outsize impact and old versions sticking around far longer than desirable.

And I do not think fragmented Client Hellos in DTLS or multiple initials in QUIC are seen much.

One trick with DTLS would be sending client hello with no key shares. Causes extra round-trip, but any server that selects PQC causing fragmentation would presumably be capable of handling that.

-Ilari
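One way an interop test harness or capture-analysis script could tell a fragmented DTLS Client Hello from a single-datagram one, using the fragment_offset and fragment_length fields of the DTLS handshake header. This is an added example, not part of the original message; the function names and sample datagrams are constructed for illustration, and only epoch-0 (plaintext) records are parsed.

```python
import struct

HANDSHAKE, CLIENT_HELLO = 22, 1   # DTLS content type, handshake msg_type

def handshake_fragments(datagram):
    """Yield (msg_type, total_len, msg_seq, frag_off, frag_len) for every
    epoch-0 (plaintext) handshake fragment in one UDP datagram."""
    pos = 0
    while pos + 13 <= len(datagram):            # 13-byte DTLS record header
        ctype, _ver, epoch, _seq, rec_len = struct.unpack_from("!BHH6sH", datagram, pos)
        body = datagram[pos + 13 : pos + 13 + rec_len]
        pos += 13 + rec_len
        if len(body) < rec_len:
            break                               # truncated record, stop parsing
        if ctype != HANDSHAKE or epoch != 0:
            continue
        h = 0
        while h + 12 <= len(body):              # 12-byte DTLS handshake header
            total = int.from_bytes(body[h + 1 : h + 4], "big")
            msg_seq = int.from_bytes(body[h + 4 : h + 6], "big")
            off = int.from_bytes(body[h + 6 : h + 9], "big")
            flen = int.from_bytes(body[h + 9 : h + 12], "big")
            yield body[h], total, msg_seq, off, flen
            h += 12 + flen

def client_hello_status(datagrams):
    """Map each Client Hello message_seq to 'single', 'fragmented-complete'
    or 'fragmented-incomplete' across a list of captured datagrams."""
    seen = {}                                   # msg_seq -> [total, fragmented?, covered offsets]
    for d in datagrams:
        for mtype, total, seq, off, flen in handshake_fragments(d):
            if mtype != CLIENT_HELLO:
                continue
            entry = seen.setdefault(seq, [total, False, set()])
            entry[1] |= flen != total
            entry[2].update(range(off, min(off + flen, total)))
    return {seq: "single" if not frag else
                 "fragmented-complete" if len(cov) == total else "fragmented-incomplete"
            for seq, (total, frag, cov) in seen.items()}

def make_record(total, msg_seq, off, frag, rec_seq=0):
    """Build a constructed epoch-0 Client Hello fragment (test input only)."""
    hs = (bytes([CLIENT_HELLO]) + total.to_bytes(3, "big") + msg_seq.to_bytes(2, "big")
          + off.to_bytes(3, "big") + len(frag).to_bytes(3, "big") + frag)
    return struct.pack("!BHH6sH", HANDSHAKE, 0xFEFD, 0, rec_seq.to_bytes(6, "big"), len(hs)) + hs

# Constructed sample: a 1500-byte placeholder body (not a valid Client Hello) in two fragments.
BODY = bytes(1500)
FRAG1 = make_record(1500, 0, 0, BODY[:1000])
FRAG2 = make_record(1500, 0, 1000, BODY[1000:], rec_seq=1)
SMALL = make_record(200, 0, 0, bytes(200))
```

Running `client_hello_status` over the first flight of each test connection shows how often the fragmented path is actually exercised, which is the coverage gap the message describes.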