IETF Logo Mail Archive

[TLS]Re: Consensus call for RFC8773bis Formal Analysis Requirement

Eric Rescorla <ekr@rtfm.com> Sat, 24 August 2024 17:27 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D63CC14F697 for <tls@ietfa.amsl.com>; Sat, 24 Aug 2024 10:27:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R1NU6FrCgyGY for <tls@ietfa.amsl.com>; Sat, 24 Aug 2024 10:27:33 -0700 (PDT)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C396BC14F60D for <tls@ietf.org>; Sat, 24 Aug 2024 10:27:33 -0700 (PDT)
Received: by mail-yb1-xb2b.google.com with SMTP id 3f1490d57ef6-e1633202008so2993678276.2 for <tls@ietf.org>; Sat, 24 Aug 2024 10:27:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1724520453; x=1725125253; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=MXvzyl3GnmpaHzKxsEOP8dz3QPLsGJmkSMB+5bWT548=; b=sUT5avJteUQWx2cexkgIyzZzqFLu5KclBz3PPy8EsBfV7hS8xyO5Lch1BzQ281cGJR HNXYW1Zeyute1S+bSJ7QjiqyJ78q4HV7uPH9VePetNk1gTHqENFGIbWGiuCSC6UU07lV IbBBp26NQf3bo9kWxkLl+MEUDVFwZ0JT0mPPl9OArSaSnjGo5rnY1YCLK+uSiYltoG/c 5uXq3CKe/JIZklA6IW1Om2KMroKi3eGCbjAleKybYUXnUNilU70kLx6bnLKn2Ruzq77F RvzxHDQ+5jDnqC6vqLRZc/N4m4rGHcEc7Lt6ULSdme75TFDAVZ+dcghm9q+w6qw1zkXr mV+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724520453; x=1725125253; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MXvzyl3GnmpaHzKxsEOP8dz3QPLsGJmkSMB+5bWT548=; b=RIS/indj47l0+EpJ33q2ePEIvxmIGrkJjOLSoYL7Wt2VLabbP/Rg0b4GIrqDcb6mY/ uS3HNCw8zMtek5EJJ+O8ucHaDFWxag1tuF60AQG90ynlHKWeEzGm4SD3FLe5cKDVrq+f kpuD4rBisyyodN9v+TNxtMHeNiS3agyKAj2h4l1a1hh2YszmIl7P9MbbbrLPn8HqRX6u RKInkcroyJAcp+Dxcz+mR+1H6vXS0EblgsTxXY9Awlo68wrCHNM5cB9fxZ47nztRmKj7 Z0DhaG6vcP3AFwz5jGYDwxx2lJD2FpLf4iFr1xyJ1x/bDfUV9Q/Xr/WFQRBY/dgWQqXy Fkcg==
X-Gm-Message-State: AOJu0Yzle8kX3yVscwxCmEq2z2cPEtQ6Sx9UfRmi7OjYwIPiyhyM/b7A +V2nYa1F1kZTrcoJh11SOeM3TVSkkhqJhjC7MqVJ+fd7ls9l2Hnm7hr7DiK3CsWh6JrAlAZuGtw 3w4RxZCOM+K4KfxDERo3K19hUlRoOCCTkMsZmCKadB+VTKseG
X-Google-Smtp-Source: AGHT+IHH0u0XiUxtp5DO86yphJ78P7mT5i6X0nZy+ahESeM3dQ/Uo+4WmtdxliYARwLGU5jBu7Mum1n41yU29CIdFTY=
X-Received: by 2002:a05:6902:e04:b0:e0e:af58:f00a with SMTP id 3f1490d57ef6-e17a83cfceemr5815723276.21.1724520452901; Sat, 24 Aug 2024 10:27:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoBxoEhVkzb=WYFvNEhN0sKLDLir0qPVSqx_a=Co7dkXgA@mail.gmail.com>
In-Reply-To: <CAOgPGoBxoEhVkzb=WYFvNEhN0sKLDLir0qPVSqx_a=Co7dkXgA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 24 Aug 2024 10:26:56 -0700
Message-ID: <CABcZeBO4Y-XSC_tVfFpQH4dxq8uWtv1dgO30Qb1ozaEi7j_cMA@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Content-Type: multipart/alternative; boundary="00000000000000e51c06207135e9"
Message-ID-Hash: D2YQ6SMODWFX56RA3NV7ZWLMI6BXNUJM
X-Message-ID-Hash: D2YQ6SMODWFX56RA3NV7ZWLMI6BXNUJM
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: Consensus call for RFC8773bis Formal Analysis Requirement
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XKE0blBZEFIXzZuQ38q4EHHJiYg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Unsurprisingly, I am in favor of requiring formal alnalysis (option 1), as
I think all nontrivial extensions to TLS should have some formal analysis.

I would note that the main rationale for this specification is as
future-proofing for PQ. With the publication of ML-KEM by NIST, PSKs become
less attractive for this purpose, which I think makes the case for PS
weaker and thus the case for proceeding with PS without analysis also
weaker.

I would modify the question slightly as below:

On Fri, Aug 23, 2024 at 10:32 AM Joseph Salowey <joe@salowey.net> wrote:

> In regard to moving RFC 8773 to standards track the formal analysis triage
> group has provided input on the need for formal analysis which was posted
> to the list [1].  The authors have published a revision of the draft [2] to
> address some of this feedback, however the general sentiment of the triage
> panel was that there should be some additional symbolic analysis done to
> verify the security properties of the draft and to verify there is no
> negative impact on TLS 1.3 security properties.
>
> The formal analysis is to verify the following properties of the proposal
> in the draft:
>
> - The properties of the handshake defined in Appendix E.1 of RFC8446 [3]
> remain intact if either the external PSK is not compromised or (EC)DH is
> unbroken.
> - The public key certificate authentication works as in TLS 1.3, and this
> extension adds the condition that the party has possession of the external
> PSK. The details of external PSK distribution are outside the scope of this
> extension.
>

I think the right analysis is one in which the attacker knows the PSK. For
instance, say we have a company where everyone shares a PSK (as some kind
of post-quantum protection) and you want to make sure employee A cannot
impersonate employee B.

-Ekr


> This is a consensus call for the working group to determine how to proceed
> between these two options:
>
> 1. Require formal analysis in the symbolic model to verify that the
> proposal in the document does not negatively impact the security properties
> of base TLS 1.3 and that the additional security properties cited above are
> met
> 2. Proceed with publishing the document without additional formal
> verification
>
> Please respond to the list with a brief reason why you think the document
> requires formal analysis or not. This call will end on September 16, 2024.
>
> Thanks
>
> Joe, Deirdre, and Sean
>
> [1] https://mailarchive.ietf.org/arch/msg/tls/vK2N0vr83W6YlBQMIaVr9TeHzu4/
> [2]
> https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls-8773bis-00&url2=draft-ietf-tls-8773bis-02&difftype=--html
> [3] https://www.rfc-editor.org/rfc/rfc8446.html#appendix-E.1
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.40.3 | Report a Bug | By Email | System Status