IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-hybrid-design

Sofía Celi <cherenkov@riseup.net> Mon, 22 August 2022 17:23 UTC

Return-Path: <cherenkov@riseup.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A9A4C14F5E1 for <tls@ietfa.amsl.com>; Mon, 22 Aug 2022 10:23:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=riseup.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jem-I6Tsi05Z for <tls@ietfa.amsl.com>; Mon, 22 Aug 2022 10:23:47 -0700 (PDT)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69C31C14F740 for <tls@ietf.org>; Mon, 22 Aug 2022 10:23:47 -0700 (PDT)
Received: from fews1.riseup.net (fews1-pn.riseup.net [10.0.1.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mail.riseup.net", Issuer "R3" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4MBK2p58WmzDq7M for <tls@ietf.org>; Mon, 22 Aug 2022 17:23:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1661189026; bh=nBKaEn6f3glfVQeUHitRgjMJnmKVe0UMrKULSrHdShk=; h=Date:To:References:From:Subject:In-Reply-To:From; b=FW5VQyEbZbDKw4EU98uLl0jpaddZEppvOhDBsYaEdYA8d/+epZ1bslxuwUzD3syGK CmFo4+J4iPxRNs+CiAGFeEzlO6zZ1YDqnLERrjP+gQ0ahxKIJriSS3s8ebuTia10CV P0ot9G28jJ8RV0n1JY47jhsExz/r/oaMiY/IrCBY=
X-Riseup-User-ID: 5FAB6A2215E96D77509868EB9FBB25B9BD9D6260939F281F3D4B30AE5D953D5D
Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews1.riseup.net (Postfix) with ESMTPSA id 4MBK2p25bbz5vTr for <tls@ietf.org>; Mon, 22 Aug 2022 17:23:46 +0000 (UTC)
Message-ID: <699f183c-be59-68ed-5a8f-cb45e7f74af0@riseup.net>
Date: Mon, 22 Aug 2022 18:23:44 +0100
MIME-Version: 1.0
To: tls@ietf.org
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <e43fc649-3fc6-333b-c44d-55de0627c710@cs.tcd.ie> <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald> <38de10e6-ab3c-6ea1-44b7-57057c97e7aa@cs.tcd.ie> <CH0PR11MB5444D7D4F32F195FFB189C10C1679@CH0PR11MB5444.namprd11.prod.outlook.com> <320bb3ca-890b-45c9-b55f-f0d65bdce7be@beta.fastmail.com> <CAMjbhoXMb93+hy3jjHS=BnMekyoksSejEjJwpPHN967RAH_acA@mail.gmail.com> <9f513169-7b45-2be0-13fd-b8aa2d2a2280@amongbytes.com>
From: Sofía Celi <cherenkov@riseup.net>
In-Reply-To: <9f513169-7b45-2be0-13fd-b8aa2d2a2280@amongbytes.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/V1fffiGUmTJZRmdgZMzwyWCXtBQ>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2022 17:23:51 -0000

Dear, all,

> On 22/08/2022 14:24, Bas Westerbaan wrote:
>> Here they're speaking about adding non-FIPS PQ to a non-PQ FIPS 
>> kex,[2] but the other way around is also ok — what am I missing?
> 
> Let's assume Kyber is FIPS-approved. Indeed, you'll be able to have
> a FIPS library with Z generated by Kyber and T generated by X25519
> (but not other way around).
> As X25519 is not FIPS-approved, the lab won't be able to test it,
> hence you can't declare any security on that scheme. This will be
> reflected in the security policy (as a "non-approved algorithm, with
> no security claimed"). In theory, X25519 may produce wrong results
> and your product still gets FIPS certificate as the algorithm is
> security irrelevant. It is similar situation as we have today, but
> with Z generated by P-256 and T by Kyber.
> 
> What, I think, is more valuable for those who need FIPS, is to be
> able to have hybrid construction in which both algorithms are properly
> tested and certified by the FIPS lab.
> 
> Also, in that case, Z can be generated by either PQ or non-PQ as
> both are FIPS-approved.

I support this. I definetly support adding P256+Kyber512 (or any of the 
NIST curves + Kyber). For actual FedRAMP purposes, the most valuable 
thing, as Kris says, is to have them both being FIPS approved (and using 
a FIPS-certified implementation or sumitting it all for FIPS 
certification). Even if Kyber becaomes FIPS-approved, one will have to 
used a FIPS-certified implementation of it in other to be able to claim 
the FIPS-approved hybrid approach (and even then it depends how/where it 
is used). As far as I know, only the NIST curves are both FIPS approved 
and some of their implementations have a certification.

Thank you,

-- 
Sofía Celi
@claucece
Cryptographic research and implementation at many places, specially Brave.
Chair of hprc at IRTF and anti-fraud at W3C.
Reach me out at: cherenkov@riseup.net
Website: https://sofiaceli.com/
3D0B D6E9 4D51 FBC2 CEF7  F004 C835 5EB9 42BF A1D6

v2.23.0 | Report a Bug | By Email