IETF Logo Mail Archive

[TLS] Re: Feedback on draft-bmw-tls-pake13-01.txt

Eric Rescorla <ekr@rtfm.com> Tue, 25 March 2025 00:23 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A89A111D3FCD for <tls@mail2.ietf.org>; Mon, 24 Mar 2025 17:23:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id msuUPVHGjv7a for <tls@mail2.ietf.org>; Mon, 24 Mar 2025 17:23:30 -0700 (PDT)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 10AFC11D3FC6 for <tls@ietf.org>; Mon, 24 Mar 2025 17:23:30 -0700 (PDT)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-6ff37565154so45975037b3.3 for <tls@ietf.org>; Mon, 24 Mar 2025 17:23:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1742862209; x=1743467009; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gyjg177jqim6LBGr33K8rxYX4HOJ85X9yCC9DiT6bP8=; b=uj2Rm3RtFnuGKWxve9yalfq/nhDSMALVtM96RCYaYKVX2DwH/qCsJUdsK3Sr2N9YU7 NW5SsOI0lpOKYPoJ19nH8+LRVRfwptFqjBxhuBN5ZP3FaQsvj8fZhcH6M0xsJ+qvOXOz SWMOyUq03BYCYEgFt6wDoGPZ+bXdWxtWc/CvJJdYT9bajHdgIRDBp4Rr7QZ4uS/8dTWX ttFcWuO8TctqtTbPOFCJmIrGLp1nlyQJzXqrt19U86gXGmMZmM/UVmL5Ak24lrYCd/oe XLNKB7RT5yNMu1neWHbHteF6NbS0h2CZP1NabizcE5k9oc8H0yFl26r2WXp0MPrusOgg 291Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1742862209; x=1743467009; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gyjg177jqim6LBGr33K8rxYX4HOJ85X9yCC9DiT6bP8=; b=J7pFKqAw9uBRYrHEPqnAJgfMZX4k6+prmWJ910ZP7L8ut2eOvbarjm4FA6Dw2+qPyg PbQMSStcmXRw5bDy9kocgc+sbpf2X63ywv5CLVSFcEtFlIQL24RT+WiFSnKoLriYDN2y ClJK6/xOmF+c4RKkUr8makN/vk4/8vdzaZxThGN2rG6LiQobbFEHe0+uqEY24bQslx6L cdE9ksJUz2RN5/kvHm2bde4JjtmgVQle6Fr0jiXIawmJSYAnJ5fC9jjhkq8kvu86fPFN CsKHw3yord97wAhUFXgpGhO52cTAmWJIzLmP0l09AlapY2/yg1+R7xgCyAMWCn3zGxwO Y78Q==
X-Forwarded-Encrypted: i=1; AJvYcCUprf19cyzfpFdL4lxPzqOLQ1VFEi+5noHy07FFHtUG3UebIJoVJkgC1It+yFjAZru3zYQ=@ietf.org
X-Gm-Message-State: AOJu0YyOe7SsPvRMhb6hzVyLF+DnE6MNDFyHGcjzybFShxzayufghgwe V2tZjP+gJOZhIT8AW5w0aHrGskGhlrGRbUoQNZqUCAOg5xGwrlzJy63CyV2ecWN+eHWzNhy+zkn H+Xl9ojhUu/nJQk6MQh7g50/VTNVtc/aawP4eGARXn3Bvj3oZ
X-Gm-Gg: ASbGncujOkAvQcegAB3ZGB+0Ta2Qe8JlUMidoe2J6h6X9oNpb4Vs3mbxhj2nLHcKiTw IrK5cnoTh7fpY8Y055Qz2VCyt/PRG5in8ihe+lMw2XpB4LbPX0ilev4z49J24mD6z6hggE4rKe5 zenHnJ9fF1se2Fa/qQdjPeJSVlguOWDsZdqxk=
X-Google-Smtp-Source: AGHT+IHS6Q5kt/Pc650/1Hf6NOy1DzOWjhoq9DM3h1DYvSZC4UX+oFla+4cr1qU1R46uPvHhmK84ddMmK0JLr8qlvrk=
X-Received: by 2002:a05:690c:7349:b0:6fb:b524:48bc with SMTP id 00721157ae682-700bad5da5cmr211896887b3.35.1742862209405; Mon, 24 Mar 2025 17:23:29 -0700 (PDT)
MIME-Version: 1.0
References: <05B28816-9AA9-4035-B451-8ACFFBE2D4DE@apple.com> <CAG2Zi20JgNC0Y+B2ANqdf5O-uFXOkYXeqc8S7u7=4fWGDRiirw@mail.gmail.com> <CABcZeBPvmw5O8Xhx7iCqH7a9mgZ-T8qCkeAs3Ts16CgB15WZaA@mail.gmail.com> <CAG2Zi20OGx2zAdH0uqiOy9P6YTQ2t3CCndr-GEfCeNrGK_pBnw@mail.gmail.com> <CABcZeBM4v3TPgKzkUybbjcn8VPJhqdCASW3GyLPxtmd6kOeigA@mail.gmail.com> <9324aa4f-c742-411a-90c3-712b65f5a3a0@betaapp.fastmail.com>
In-Reply-To: <9324aa4f-c742-411a-90c3-712b65f5a3a0@betaapp.fastmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 24 Mar 2025 17:22:53 -0700
X-Gm-Features: AQ5f1Joxf7HI1UlASjnn-NAj5RNyzgqHd7PKOntZIIobVNJQsn2WbGoNLcEK-yk
Message-ID: <CABcZeBMGwA8ULdrZHn7RM-_ikqdgiwtk0zzMQhZYDQiha_cK0w@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="000000000000e273b006311fba26"
Message-ID-Hash: DGV66QVLJTDFE4DPMVZRMSGJLKKPDIDI
X-Message-ID-Hash: DGV66QVLJTDFE4DPMVZRMSGJLKKPDIDI
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Laura Bauman <l_bauman@apple.com>, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Feedback on draft-bmw-tls-pake13-01.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UVkd1_63uEzsoXTXKLtupeunsrw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Mon, Mar 24, 2025 at 5:17 PM Martin Thomson <mt@lowentropy.net> wrote:

> On Tue, Mar 25, 2025, at 02:37, Eric Rescorla wrote:
> > 1. Getting PQ resistance for free even with non-PQ PAKEs.
> > 2. Reducing the combinatoric explosion of "groups"
>
> I don't know that you are really getting PQ resistance if your PAKE
> remains vulnerable.  You might maintain confidentiality for that single
> connection, but if there is a possibility of impersonation (are you relying
> on the PAKE for authentication of the server?) then you lose.
>

This is what we are doing right now by rolling out PQ for key establishment
but not for authentication:
we provide security against harvest now decrypt later attacks, but not
against impersonation if there
is a CRQC.


Avoiding the combinatoric problem seems like a pretty high complexity tax.
> Sure, we are already in the position where we have N (number of ECC groups)
> x M (number of PQ groups) groups.  Adding a PAKE makes that N x M x P
> (number of PAKEs).  However, these are all small numbers.  Building a
> parallel extension is relatively straightforward if you model it like key
> exchange and use the obvious combiner.  But then, why did we not do that
> with PQ as well?
>

I agree it's a judgement call, but IMO PQ key establishment via KEMs is
more like DH
key establishment than PAKEs are. For instance, neither needs to connect
with some
password database.

For this reason and others,it's not clear to me that in fact it will be
simpler to have
combined PAKE + ECC + PQ groups than to have the PAKE be separate.

-Ekr

v2.31.3 | Report a Bug | By Email | System Status