Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Sun, 02 April 2023 12:41 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design
Date: Sun, 02 Apr 2023 12:41:33 +0000
Message-ID: <AC331CA8-3143-43A8-9B74-E5A7236EC845@ll.mit.edu>
References: <ZClaWRgZXIj0NLfN@LK-Perkele-VII2.locald>
In-Reply-To: <ZClaWRgZXIj0NLfN@LK-Perkele-VII2.locald>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aQbRhbhzUtYTMR2hJnh7bzc5OhI>
Subject: Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

That is correct - CNSA-2.0 prescribes the “NIST Kyber”, whatever changes this may include to the Kyber-1024, aka Kyber at NIST Sec Level V.

One can speculate about what changes would be proposed during the public comments period, and which of them would be accepted. Regardless, until then we won’t know the *exact* details of the algorithm.

However, if people consider experimenting with Kyber deployment now, and want to define appropriate MTI now (and want to use Hybrid, aka combined, key exchange) - then it’s as pointless now as it will be in the future to define P384+Kyber768, because either there won’t be such a Hybrid at all (NSA stated that they won’t require Hybrid in products that need their certification) or there will be P384+Kyber1024, whatever the latter will look like then.

Regards,
Uri

> On Apr 2, 2023, at 06:43, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> 
> On Sun, Apr 02, 2023 at 02:54:57AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
>> CNSA-1.0 allows ECC only over P-384, unlike its predecessor Suite B
>> that also permitted P-256. P-521 is not included either. See
>> https://media.defense.gov/2021/Sep/27/2002862527/-1/-1/0/CNSS%20WORKSHEET.PDF
>> (page 1).
>> 
>> CNSA-2.0 allows only Kyber-1024. Not -768. See https://media.defense.gov/2021/Sep/27/2002862527/-1/-1/0/CNSS%20WORKSHEET.PDF
>> (page 4).
>> 
>> So, if somebody would insist on a CNSA-compliant hybrid - there is
>> only one candidate from each group to consider for the MTI.
>> 
>> It also means that MTI for P-384 with Kyber-768 is likely to be quite
>> useless, as those not bound by CNSA would probably make other choices
>> (not P-384) anyway, and those required to comply with CNSA will have
>> to settle for what I described.
>> 
>> Did I make it clear enough? Or do you see a hole in my logic?
> 
> I think what "CRYSTALS: Kyber" means in CNSA-2.0 is the final
> specification. Which obviously is not available yet, so it is impossible
> to currently make any key exchange or asymmetric encryption compliant
> with CNSA-2.0.
> 
> As to what sense does publishing CNSA-2.0 before the algorithms are
> known make? Note that it does have algorithms for firmware signing
> fully specified, and urges those to be deployed as soon as possible.
> And I suppose there might be sense timing-wise on publishing a spec
> referencing a future spec that will likely undergo nontrivial draft
> period.
> 
> 
> 
> -Ilari
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls