IETF Logo Mail Archive

Re: [TLS] -draft8447bis: rename Support Group Elliptic curve groups space

Deirdre Connolly <durumcrustulum@gmail.com> Fri, 29 March 2024 20:42 UTC

Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27AD0C14F6A9 for <tls@ietfa.amsl.com>; Fri, 29 Mar 2024 13:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.845
X-Spam-Level:
X-Spam-Status: No, score=-1.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7NR-wCSm3Iau for <tls@ietfa.amsl.com>; Fri, 29 Mar 2024 13:42:37 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86A40C14F61C for <tls@ietf.org>; Fri, 29 Mar 2024 13:42:15 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-56c147205b9so4142554a12.0 for <tls@ietf.org>; Fri, 29 Mar 2024 13:42:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711744933; x=1712349733; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bGATV4bN8iGF5JimNnBVEvBHUYBqG5+/DdBRKqklAko=; b=XsrhJVwgx8iAEXlxmBBX4e+2RU+qYfzvmAfzYmbC3ruqfZMVuGBBEOk1a/IBF9caRJ ETnXA6t7gNqIurt/Wx261nZ7mPfeeFCsM3pI8CyfpYUhEnsZ9dL3BETUUNF5uZILNem8 TUts1pJimLdRYMGrexII8NXN/S+jol5Jo1yYTqVsi47rfLfc+r59oMDDO6dyMpkSwyes xMcQEoLfZ3av2cDprSQsR7AFB8zSN7UFAL1DRrhVK2yyx4+9vGHTocVJHX8uchRSNj8/ nlnORcsvoI8HyJYlpTJ6egYxDuzEFnGsIN9SE+OZjWX0oDg6KNvx3t9v/J/WCcBiaElI TGPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711744933; x=1712349733; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bGATV4bN8iGF5JimNnBVEvBHUYBqG5+/DdBRKqklAko=; b=DC0pO2pFDdw4NAKuDKV2L1+pG2U5pjQSLh2SV1TgSFdM5xSR4RZUU3LcP8LiZ1+Yv3 FiAW47LgRDrAzTXFLLyDgjMMADknFR2KO6/4l5NeRJODR7wKVl6YaBQWtqE1byp1Qpr6 W+lzj7HOMtdyM9BF35gUqgojPZ4JXRFrp59YcjiK7r1qsotO4FFdhFZGf5ubToeAu5n8 qXYlMOBX+WnODI9r5Km4nsED2gJbr4VXRtsdz0ER5kf5/pPBgpCd7rqftv9ljECqOWAm 8LbWC7a/Q2j7itFouDakn4dHCY9Z8hVTfhjvUk86azADtvVEqRssYFHR3QOT6z/muW0D 02XQ==
X-Forwarded-Encrypted: i=1; AJvYcCWjwSz9m9GZtywYf7FBeXEo1NNQKfsSuTpCZe44IVc7HCqrWk0Ng0LpR7Ieyqt20Ofb/IR/mQI2gDWMumk=
X-Gm-Message-State: AOJu0Yzc7yTywbAlFoKGrII8wle4JW3yaWiaH/lqAnqWZ90CHGPuo4f7 vVaIQP+AZY/1CVU9jvMyico7L6RZMGv7usc5bXeiUKUqjtKf2gkPNbFTaYrpKtirrroaeeYHbU0 KAtK4W1uiAJIVjLy8DENdJ/eE8us=
X-Google-Smtp-Source: AGHT+IFa0sMWeRbofncxfOan9XTQ4+gEqz5RSfA3xsK0ZPqOIWwiBXZMZww/bImoT6W+4QyIOHTFLYQSUeKzJMtzitE=
X-Received: by 2002:a50:d694:0:b0:56c:292f:84da with SMTP id r20-20020a50d694000000b0056c292f84damr5900452edi.17.1711744932700; Fri, 29 Mar 2024 13:42:12 -0700 (PDT)
MIME-Version: 1.0
References: <B5E1CFD9-32F5-482E-B305-2D739AD273BA@sn3rd.com> <0BC652C3-9BBF-4E18-97D1-4036EA16C9E4@vigilsec.com>
In-Reply-To: <0BC652C3-9BBF-4E18-97D1-4036EA16C9E4@vigilsec.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Fri, 29 Mar 2024 16:41:35 -0400
Message-ID: <CAFR824w7TrCugQqevmcGarmA2_yQuBz1rFLdg2yejpKL6PiS_w@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Sean Turner <sean@sn3rd.com>, IETF TLS <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a8ebbb0614d2acae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TLzEmQtO2p4KkIfpMPU4JSu3zuE>
Subject: Re: [TLS] -draft8447bis: rename Support Group Elliptic curve groups space
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2024 20:42:41 -0000

> KEMs are not "key agreement" algorithms as suggested by this draft name.
In a key agreement algorithm, both parties contribute to the shared
secret.  With a KEM, only one party generates the the shared secreat value.

This is not generally accurate with the KEM schemes under consideration for
adoption by any standards bodies: in the -hybrid-design and
-mlkem-key-agreement documents, the `Client` generates an ephemeral
keypair, and the `Server` encapsulates to that keypair, but especially in
ML-KEM which is under consideration in both documents, the KEM randomly
sampled message `m` is sampled by the `Server` but the final
`shared_secret` resulting from `Encaps` and `Decaps` is based on computing
over the message `m`, the public key `PK` generated by the `Client`, as
well as the randomized ciphertext `CT` generated by the `Server`. The
encapsulated message `m` is not actually the `shared_secret` that is the
input to the TLS 1.3  key schedule, even independent of the entire
handshake transcript being included into the full key schedule as well.

The naming of the document excluded 'key exchange' and 'key establishment',
and went with 'key agreement', but that is a weakly held name,

On Thu, Mar 28, 2024 at 5:08 PM Russ Housley <housley@vigilsec.com> wrote:

> Sean:
>
> I observe that ML-KEM is not a Elliptic curve group or a Finite Field
> Diffie-Hellman group.  I really think we want to include sepport for KEMs.
> but a separate range is needed.  I assume it will be carved out of the
> Elliptic curve group range.
>
> KEMs are not "key agreement" algorithms as suggested by this draft name.
> In a key agreement algorithm, both parties contribute to the shared
> secret.  With a KEM, only one party generates the the shared secreat value.
>
> Russ
>
> > On Mar 28, 2024, at 10:52 AM, Sean Turner <sean@sn3rd.com> wrote:
> >
> > <author hat>
> >
> > **WARNING: Potential bikeshed**
> >
> > -connolly-tls-mlkem-key-agreement has suggested that code points for the
> NIST PQ be registered in the TLS Supported Groups IANA registry [1].
> Currently [2], the registry is carved up into three blocks as follows:
> >
> > Range: 0-255, 512-65535
> > Registration Procedures: Specification Required
> > Note: Elliptic curve groups
> >
> > Range 256-511
> > Registration Procedures: Specification Required
> > Note: Finite Field Diffie-Hellman groups
> >
> > Assuming that the proposal in -connolly-tls-mlkem-key-agreement is the
> path for PQ KEM algorithms (and maybe regardless of whether this is the
> path), we should really replace the “Elliptic curve groups” note in the
> 0-255, 512-65535 range row with something else.  I am open to suggestions,
> but would like to propose “unallocated”. I have submitted the following
> issue:
> > https://github.com/tlswg/rfc8447bis/issues/54
> > and this PR:
> > https://github.com/tlswg/rfc8447bis/pull/55
> > to address this.
> >
> > spt
> >
> > [1]
> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
> >
> > [2] Originally, RFC 8442 defined the name of the registry as "EC Named
> Curve Registry” and then RFC 7919 re-named it “Supported Groups” and carved
> out the FFDH space.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email