[TLS] Re: [TLS]Working Group Last Call for "Hybrid key exchange in TLS 1.3"

Martin Thomson <mt@lowentropy.net> Mon, 02 September 2024 02:03 UTC

Date: Mon, 02 Sep 2024 12:02:38 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Deirdre Connolly <durumcrustulum@gmail.com>, "TLS@ietf.org" <tls@ietf.org>
Message-Id: <50e9e946-7627-45c0-b7e0-65559b274515@betaapp.fastmail.com>
In-Reply-To: <CAFR824wCMcyF1szc76P+4i8LKv2-d1ciHWRMFFmZ8hpi=1PHtA@mail.gmail.com>
References: <CAFR824wCMcyF1szc76P+4i8LKv2-d1ciHWRMFFmZ8hpi=1PHtA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OBUpxccmZkrhkm7WQ4e5C2k0cGw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

Much belated approval.  One minor issue and some nits.

Section 4 talks about failure, but doesn't really put enough work in.  If this is an error that needs to be retried, then a new error code is necessary.  Decapsulation failure will occur at the server, which will have to indicate that failure to the client in order for the retry to occur.  That error will not be authenticated by the client, but I can't see any serious problem with trying again.  After all, servers are more often the ones who would want to avoid the extra work.

Without this, a server is forced to send a generic error code, which is generally terminal.

This situation is more or less acceptable given the negligible probability of failure with ML-KEM, but this document is generic and so cannot assume that failure won't occur.

Some nits:

Section 2 says: "

Section 3.3 has a very long line that should be trimmed/wrapped:

concatenated_shared_secret = MyECDH.shared_secret || MyPQKEM.shared_secret

Section 4 and the note on FIPS compliance could be broken into section headings rather than being presented as a list.  That would make the text easier to reference.  These all look to be about limitations or caveats on the design.

Can references to Kyber in Section 4 be replaced by mention of either ML-KEM or MyPQKEM, the latter being preferred?

The text in Section 6 about fixed-length inputs and secrets should be a subsection (again, for ease of citation).

On Tue, Aug 13, 2024, at 05:50, Deirdre Connolly wrote:
> This email starts the working group last call for the Internet-Draft 
> "Hybrid key exchange in TLS 1.3", located here:
>
> https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
>
> The WG last call will end 26th August 2024 @ 2359 UTC.
>
> Please review the draft and submit issues and pull requests via the 
> GitHub repository that can be found at:
>
> https://github.com/dstebila/draft-ietf-tls-hybrid-design
>
> You can also send comments and feedback to tls@ietf.org.
>
> Cheers and thank you,
> Deirdre