IETF Logo Mail Archive

[TLS] Re: Consensus call for RFC8773bis Formal Analysis Requirement

John Mattsson <john.mattsson@ericsson.com> Sun, 20 October 2024 13:34 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BE4FC1E0D75 for <tls@ietfa.amsl.com>; Sun, 20 Oct 2024 06:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.254
X-Spam-Level:
X-Spam-Status: No, score=-2.254 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGr4RHXz2Ewj for <tls@ietfa.amsl.com>; Sun, 20 Oct 2024 06:33:57 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2050.outbound.protection.outlook.com [40.107.20.50]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91CCFC1DFD24 for <tls@ietf.org>; Sun, 20 Oct 2024 06:32:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=PegJbs9XH5h8hnWlvbLfsE6W0Iss2DSf7yYlOoJ/TjWQKG18C6wpfsD8CVlspHPh/OLNi+jvTEQ2swqiGbP3MY0FytnrFBbrav++rL9b846ZSrhwhVugJzVo/4UlOZerPIzBJ0jx4KdH1b6GTvoXAUEZrfyINzPT4VQGhW+WwjNk95qKHnkqP/GV6XfQpgDZCrvnoiyV4I9+5EuRQjg9NuwoK7RYJlzSMTUQXq8KlyZB8T3UOrzrgVxU5EueqUZDsHSIvecAZdMLEQhqYA5H3vktJeRMlrmYNP4PYkLKiNm+J/sFbNM0deE+uzzReKYknXpZAbjerFcbDpCu+puH4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=N9VSG13haFiEsWOIZ7dkl2vWokJDGBQFm2O3GL6yRlA=; b=qodV/27eqAswMrTPbc4DxZ1JwemMm3uJJ9dibkGDbYkBrlrZW8l0TJrCA1vB11J6CbCRbQnWZTRd4KweQihSuPSPB63C5lzXKrsujQF0PDis5w68fGV1/gHRb/OMG3pHqhw1873K+e5ZNY7RmxXs+qZZktH6S+H4W9m7Keo9VruG1O45AO7YmhecTmGO3Hz3GEffOAOnEsZqEmRLKdCyG1DlzLcSzwHDRlpZ/Qf7PqsQER9nquP1JDKyxZmxSsL7kHGXHy/Nqy21kP86A4UfKVe4LRXobwuY7pU6xxE8qAjtuqYgL4StJmu8FyIx46Lc4VxlqXv/OSAFAxI8S9PxIw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=N9VSG13haFiEsWOIZ7dkl2vWokJDGBQFm2O3GL6yRlA=; b=YgmTsUkTV3/6u3zMUiy8jUREwhtPb2msvQ88sIUIl2b5kKar2XiGJXKmcsIUxYCGPK8bxQwdJUF3c8VpGFZiUaKpRDzKxwkU85G9byD4shMvO8gnf8mqoqL4wRV3DFy/j2uitrZ7jIvzCFFGZTmV/6TkcKWmAPKENx2bPIgz+pZDmlN4jxZU3Ibz1D2In9RsAO6I25/ow9tSQ89HOdRy+ylKpDA0GIV+E6bJRAmZMZ43wLb9/L7K5EG+qloZ6iAWSoVhZPpvPivPuhSqvl00tju0kxsrWPkWslwJImKoMviIpHL7+7ULfvZf/zq/mwL9ZHU+Rx3RNPgdxWnCGtRT5A==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by VI1PR07MB9705.eurprd07.prod.outlook.com (2603:10a6:800:1d3::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8069.27; Sun, 20 Oct 2024 13:32:49 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::bcf3:3f45:888e:a4b8%5]) with mapi id 15.20.8069.024; Sun, 20 Oct 2024 13:32:48 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Russ Housley <housley@vigilsec.com>
Thread-Topic: [TLS] Re: Consensus call for RFC8773bis Formal Analysis Requirement
Thread-Index: AQHbDfqYZA+X0KhxjkSGRW/yyDoHO7Jl+yeAgAkDJYCAH0YCK4ABiC7g
Date: Sun, 20 Oct 2024 13:32:48 +0000
Message-ID: <GVXPR07MB9678BBAFFD3F4D4933B4F79A89422@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <CAOgPGoBxoEhVkzb=WYFvNEhN0sKLDLir0qPVSqx_a=Co7dkXgA@mail.gmail.com> <CAOgPGoCLnLHbO9mTbaqjERbpFtoGyJeVk=mjDvxkJYe8nySTvw@mail.gmail.com> <0BAA3B8C-BAC0-47E1-A202-2BC4B001C48B@vigilsec.com> <CABcZeBNOv0Ghkjk37_3TX0WKVJz0MTPQOPcgud1j8EZm_e3ATg@mail.gmail.com> <GVXPR07MB9678C4A0F6FDA1C4E221206889412@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB9678C4A0F6FDA1C4E221206889412@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|VI1PR07MB9705:EE_
x-ms-office365-filtering-correlation-id: 9bd9bc4e-bc3e-4f00-9ff0-08dcf10bb078
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|376014|1800799024|8096899003|38070700018;
x-microsoft-antispam-message-info: aHnPBeG+X3N01pMB5IBYxJIl0JbyKo1fiF73bpCYKl4j4SI7J7HtlvKFQJOPEi1o06KI8QUi8qnBG4W1f971LPY98ZEkFBxzkllmwx6/EiD9hqk89QHq4o6JyiuXBWKvkR/HKzX4DyY+xTN7oXAZ423I7OjsOlkq1Q1TPMReiXWt3zL7gMWvipqYvzBmG6Qj7V8tXWpPgWjeY7mv9RsQ16lA0k7/arhKryO7oK2IDgQZ9SsuARDD1d9nsuGJ9rmlrEhPo1nXTk9MAvD5JcGf++0AgfcpdCCMHrygur1PI6xwLYecWqWvzefLoVsFJontezO29bplSi64Du9e2PdUREX2kPJSIcCn/we1ZMCadtvJaz7bF4iqmsjZZww8BUSBL3fYxBEyeT7luztRNoeBbK4IHiFfJr8uNvl6MdfIVH0l+7h64IP+e/ROFEo7BKD7fav8zidlj1fk5hsh9q+GB2jNk/m+5uwzOdq2jqJrEMLO2+8gqXzMsL3BNMh1LHv1aEic47y62v9DW862xgL5C8KLEBlgApfgUtMeLwWPCJO6kQc/iodvq5Gt2Xu5z1bfO7WXmNM0TZi+zz5fjDLL+AGJhx50xGyVvfYKDHsWSBKEbh5cJ0YB7FyZaLmBYBtThGGg5jcYCciKmP0fq5QTjJGNvatQl8QqAOSL8mym1myTb7N6wW7m/6a1WnjJeiANON7o5fRlgNH8bJAKxpJB3RiMAh6yZkh5EavVLM09lxHTSg6oJKjdBkxw7pm2qAcd4KAqg6lfWCXpCIHcPRkk+2g2e1CW1Gbdi97FRwxGKlnk+fX2qhs6202q2Ad/7FvU3Z3tGTp1HqxYHx/mroJCcZWQM5iV5LR9OUmk5h8DNWg7vO4W+/gkH9bIobmy3Ekg/KhuWCoTSxpWXBHGgBwK1K30MvARdDd3VhoyTjFY+daBaCnaEj99PxbkNJX5PYc+sP+CwVRRebpa6atsbbb/padvn87nR8zLfjs1mFL1bnP8SjWqu0qT+Tlb2HqH1dBWjD/b0+a2Pe3WruprGsp4Y7aDlRPMzE3I9wr8YUnbY4H82ISOgaakdu3/IWh0DzjMQb4SQSmEwDw0Rby0+KcSg2SBBvxSgeWLMD0MqXoRVSqb+A0vTvAoGDcN7BUrP2jMNr8GNQ8JUAb9PPiIB39t0fvCV1ZBJe4kFN+Gb7s5U0M/atv353jvSNMpkMMGhzsMOtpzdCljGypePwfPQvuHdVtkKQVuSJjyVbljGCjAnBsbwR4SRZIALyqY4SQP1Jp/s4AG1UuJsbVeKqY6rCSycbtmW0IFRpKw1CC/Kfn+EGvAn3Pp+v15VioZzViCPCjZ
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GVXPR07MB9678.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(1800799024)(8096899003)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: /tipirg9fzgTt5DZxWY07nQ8/njL607HXnaHY6Wxd3cahRuCy5YzddxEgz6HsktjuwylgtgOzNFIkiFGyHk44uJVxxva7r4xvQULsAv4Y/hrBRHfhP65Ju+otzr0u0ozIS1yckR3hWSyndJt5BPBhkCSSf2UAB5DiPvPpNwIlL5Vz1FWM8aY7YnwYKTsI1rj7sz6CuonVa+a6EATv16W+xrZDP2FW1dtQDjGxIP037YI4Uw++RCg/A0C2f8cWmk5iPuKDI6T+0qsNFIo2o10kxOxEbk3/eiWRTU9UFg6HXk5pBrmGlZ5M445A9gaV+oGBroktn9MVLfhJdZMGkxcaTiVqKFYaBNvWY7VE6aSzGIjTlsxADN8e7Fu3XvCtI5IW+vohLd0yX7kQUFW22PZ+ajr93p0Ykfx20J3F/ZL8QuMbdxeOtrogtXUowZEO3D0F6AqWf1kJ+CxgnCIS6BgjJ3foOupDKsBAA4kvHd+MnV/mNlb64topE7lMXCWEygA5FdLnNJidNAZ3RMjuGfK6dx2X+5IFD1KBptavz0SLKTsy4YStAhmR56iakv1gspef0uYtU0B7TsWqyrYeBQKjKrDzBB71jLgCtaEwQyglf0hyeeV0j/5CNsxfXTzFeizlojlR3XFqvXEG/XfAhygyXQBNBos6aHbFoJkqwtO06LGBH75Wx2II0T3iIoDaVhiseOnsa0PTRPalNxhEcgd9zeWDgVlNOnN2qgKdl432BX7uOXJbPlge3H1Q4kJGsrquXyto9n4S9U4TcCPpZoWP9NepnpZOCb6f5M21heudlO8da9jW5wr6skKA1Ftar4kBEsC/pMRBw9Na4Q/TYvs8UewO7KAoBwwbzsUaXiFNZSZRkkLZ43GMtYy8u9n/9lfeN5TITs9w+C4q+E8c2/CUXxqMt2cbTiWuXcyPGXX2eK+GcKc0OrlVd7kzl97E7eswZVZGjXsHLlfJCrSqiP0we8jVBesxoR2LKjQnDOU0gfGfx8EnEBf2cpwr9zXYoKpZW4//lWgMSUPfYQbOWsthx3viVvIKvcRhrRhETEdkP+3XaBUxoE85jZfu1Zsbzguz68dXPfvihNukK6tZD1lMs5R2VOkFcDA5GqRuNxDxkHkfzHZ2WZbJ+vvPXQVs7UznRfJVY5iNQAClZnZCLJF8rchRKwOaZcmePAL7DH1ABmM3yIVysB/lVuNMVsnKWJQL/Kdv9DP7MyR/burQoxigXFVQbugl876RuXH7nOCOSOQFbJSiQ7x58VMAAslPe/ikLeXwI53Xj63SZ/bvSyJxeU//GmsJrQyoMXrMVI95Zxvr9qW7L4CWnn0D8x8/127BtJYHwgehheFdUwd+iugiDoWLFsq0tjlbWLsapbUQM9M/LvrczEJ9VUQazU/jYbcFn2ZdoChX4Vkk2iSEYnPN6e16CYSJ5jupE/gfmIMNKERNuxFEmSo/4mZakaVsFtHxtVHld3nwQp/8eYkT4SIrJCgXCzGnaGGntG0bmAgWASDya3Saeb469LXG6QqfBLpLUaZJKMLa6LVvjeWp4oYJnVdI09sVZ7KhVBc5/TemGSgT4/SxGFjXssVPMbfidvXyQ9ZJxHQLxJhNgRe7zdMsibru/k3Eidr3BOjyZm9cT8=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB9678BBAFFD3F4D4933B4F79A89422GVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9bd9bc4e-bc3e-4f00-9ff0-08dcf10bb078
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Oct 2024 13:32:48.7251 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4kANUvJNptjFMZBc4nmOkQbY6TC8EUQXIBupvSwz7cayobdP9NVeuO2TNubyMLVhUzKeyDN7uZ0XpFbcII+98O4hAn+J1YPR63rKhzNg6oc=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB9705
Message-ID-Hash: 6WK2HCSBD347HFQRRTKCEVVBWTXCCPUU
X-Message-ID-Hash: 6WK2HCSBD347HFQRRTKCEVVBWTXCCPUU
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF TLS <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Consensus call for RFC8773bis Formal Analysis Requirement
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PsU6PFBXGlLvNmegLt8XpYfzcAk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Russ,

The recommendation in [1], which I very much agree with, is to continuously perform ephemeral key exchange at frequent intervals and to chain connections together, forcing an adversary to break them in sequence.

Today, you can chain TLS 1.3 connections together by doing resumption, but resumption cannot be combined with certificate-based reauthentication, which is a must as soon as one of the certificates expire and is replaced.

To address this I strongly think draft-ietf-tls-8773bis should allow both external and resumption PSKs. I don't see any reason to restrict the type of PSK.

Thanks BTW for driving this kind of functionality for high-security use cases. I think this will be useful in 3GPP interfaces. If there is any GitHub repository for the draft, I am happy to suggest updates in a PR.

Cheers,
John

[1] Ekerå, "On factoring integers, and computing discrete logarithms and orders, quantumly"
http://kth.diva-portal.org/smash/get/diva2:1902626/FULLTEXT01.pdf

From: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Date: Saturday, 19 October 2024 at 16:19
To: Eric Rescorla <ekr@rtfm.com>, Russ Housley <housley@vigilsec.com>
Cc: IETF TLS <tls@ietf.org>
Subject: [TLS] Re: Consensus call for RFC8773bis Formal Analysis Requirement
Hi,

I think this is a very straightforward way to introduce hybrid keying to TLS 1.3. I think this extension will increase the use of TLS 1.3 in national security systems, which I think is very welcome. This kind of hybrid keying / defense-in depth is exactly what is recommended in the excellent PhD thesis by Martin Ekerå [1], who is also chief cryptographer of the Swedish NCSA.

As long as the extension does not alter the certificate authentication or the ephemeral key exchange, I do not see any way it could lower the security, but I am not against formal analysis.

I am satisfied with the Privacy Considerations section and would like to see this draft published as proposed standard.

Some comments on draft-ietf-tls-8773bis-02:

- - -

"There are two motivations for using a certificate with an external PSK."

For national security systems, I think it is motivated to always use hybrid keying, combining symmetric keying with post-quantum secure asymmetric keying. The recommendation in [1] is to combine symmetric keying, post-quantum secure asymmetric keying, and classically secure asymmetric keying, as a defense-in depth. See Algorithm 1 and Figure A.1 of [1].

- - -

"but it will take many years for TLS 1.3 ciphersuites that use these algorithms to be developed and deployed"

X25519MLKEM768 already seem developed and deployed.

- - -

"Since the "tls_cert_with_extern_psk" extension is intended to be used only with initial handshakes, it MUST NOT be sent alongside the "early_data" extension."

I don't think the MUST NOT follows from that "tls_cert_with_extern_psk" is intended to be used only with initial handshakes. External PSKs can be used with "early_data" in the initial handshake according to RFC 8446.

Suggestion:

NEW:
"tls_cert_with_extern_psk" MUST NOT be sent alongside the "early_data" extension."

- - -

"However, TLS 1.3 does not permit an external PSK to be used in the same fashion as a resumption PSK, and this extension does not alter those restrictions"

I don't know what these restrictions on external PSK are and I could not find them in RFC 8446.

- - -

"For protection against the future invention of a CRQC, the symmetric key needs to be at least 128 bits

It needs to be at least 128 bits to protect against classic computers as well. The sentence is also duplicated in the following paragraph. Suggestion:

NEW "For protection against the future attacks, the symmetric key needs to be at least 128 bits"

- - -

"the advantage of Grover’s algorithm will be smaller."

I don't think Grover's will ever have any practical advantage. In addition to cost and parallelization, two additional factors mentioned in footnote 18 of [1] are:

"large-scale fault-tolerant quantum computers as currently envisaged are very slow compared to classical computers"

"The overheads incurred by the need to employ quantum error correction to achieve fault tolerance are furthermore substantial."

- - -

- "If the external PSK is known to any party other than the client and  the server, then the external PSK MUST NOT be the sole basis for
   authentication.

I think certificate-based server authentication SHALL be used even if the external PSK is known only be the client and the server.

- - -

"In addition, clients MAY also include psk_ke mode to support a subsequent NewSessionTicket."

I think this draft focusing on hybrid keying in high-security systems should forbid psk_ke.

- - -

Cheers,
John

[1] Ekerå, "On factoring integers, and computing discrete logarithms and orders, quantumly"
http://kth.diva-portal.org/smash/get/diva2:1902626/FULLTEXT01.pdf

v2.40.4 | Report a Bug | By Email | System Status