[TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis PRs #1360

"D. J. Bernstein" <djb@cr.yp.to> Sun, 08 September 2024 11:22 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38450C14CEFF for <tls@ietfa.amsl.com>; Sun, 8 Sep 2024 04:22:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MSMrQAOsEY5A for <tls@ietfa.amsl.com>; Sun, 8 Sep 2024 04:22:34 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id C949AC14F602 for <tls@ietf.org>; Sun, 8 Sep 2024 04:22:34 -0700 (PDT)
Received: (qmail 15582 invoked by uid 1010); 8 Sep 2024 11:22:33 -0000
Received: from unknown (unknown) by unknown with QMTP; 8 Sep 2024 11:22:33 -0000
Received: (qmail 306199 invoked by uid 1000); 8 Sep 2024 11:17:16 -0000
Date: Sun, 08 Sep 2024 11:17:16 -0000
Message-ID: <20240908111716.306197.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <CABcZeBObcf-Rh1g+O+iCv34WG_rnDyc60URpP8_mAkHR_4N++g@mail.gmail.com>
Message-ID-Hash: AS63EHK2CJVW66YKTSIJEDVFS2ATHJI5
X-Message-ID-Hash: AS63EHK2CJVW66YKTSIJEDVFS2ATHJI5
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis PRs #1360
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TrNwM0n4bfeBMFqAkK5afeF2rns>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Eric Rescorla writes:
> I do not think we need to make Curve25519 MTI. The purpose of MTIs is to
> provide a minimum baseline for interoperability, and we have that already
> with the existing MTI. That's entirely compatible with most people
> preferring X25519 because they believe it's better than the MTI.

As the list in Appendix A of https://cr.yp.to/papers.html#safecurves
shows, the NSA/NIST standards for the core tasks of ECDH and signatures
keep triggering security failures, for reasons that two of us correctly
predicted many years ago. One can't expect new implementors to figure
out these security issues if they aren't warned.

As for "believe", in some cases we have direct security comparisons: the
"Minerva" attacks and the recent breaks of "5G Subscription Concealed
Identifiers" worked against implementations of the NSA/NIST standards
while failing against implementations of X25519/Ed25519 in the same
software. More broadly, these NSA/NIST security failures keep happening,
even in major ECC implementations: see, e.g., Firefox's announcement
"CVE-2023-6135: NSS susceptible to 'Minerva' attack".

In general, we should be evaluating MTI choices for their real-world
security impact, not just whether they're sufficient to guarantee
interoperability. What would be best for security is to transition away
from the NSA/NIST approach---as most TLS connections have already done
for encryption. The first step in ensuring interoperability for such a
transition is to add another MTI.

---D. J. Bernstein

P.S. People who need FIPS certification should be asking NIST to follow
through on allowing X25519. NIST said in

   https://web.archive.org/web/20200810165057/https://csrc.nist.gov/projects/cryptographic-module-validation-program/notices

that it would add Curve25519 and Curve448, that X25519 and X448 "will be
considered for inclusion in a subsequent revision to SP 800-56A", and
that "CMVP does not intend to enforce compliance with SP 800-56A until
these revisions are complete". NIST did finally manage to add Ed25519
last year, so progress is possible. In any event, IETF shouldn't be
allowing NIST to control IETF's cryptographic choices.