IETF Logo Mail Archive

[TLS] Re: draft-ietf-tls-key-share-prediction next steps

Eric Rescorla <ekr@rtfm.com> Sun, 15 September 2024 20:12 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 842FFC151989 for <tls@ietfa.amsl.com>; Sun, 15 Sep 2024 13:12:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ktxcYDEKjgeA for <tls@ietfa.amsl.com>; Sun, 15 Sep 2024 13:12:10 -0700 (PDT)
Received: from mail-yw1-x1135.google.com (mail-yw1-x1135.google.com [IPv6:2607:f8b0:4864:20::1135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82368C151065 for <tls@ietf.org>; Sun, 15 Sep 2024 13:12:10 -0700 (PDT)
Received: by mail-yw1-x1135.google.com with SMTP id 00721157ae682-6ddceaaa9ddso1920717b3.1 for <tls@ietf.org>; Sun, 15 Sep 2024 13:12:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1726431129; x=1727035929; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=X5lMzuHqLWEgarJdAstZLLXddHVgod2bZuQ6S+rlFhY=; b=eYMW1nlhDZujJRuG4WMv1XSYMKAgwKglZIfICgoDIysyNB3njmqGfFw4/ttrIMdQD5 Z6srNm+3UxRT5P1jfeLKkHZzGSfqS6QJqnq2WbyQiscf/8GI2iYJYlsJzZ+WkzZreWmu jotNY1czO0uyD9bZ664S7DUftIsHmqz3fU6q+PgSZUhKetFHzTJJf9WwdkbvN4zAKz/S 6q78ZGliDoSChyzHqjcs8QapSEiw5m/Ic+MXBW9mMIVzP95VHSa6uDOXjjx81iCDihAX s44h4PNNwtr82Qihsags/Rs0NPTp3+cqbbYCpFCYn630yNzFFSk3pgkI219BTrOxMTaE R24A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726431129; x=1727035929; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=X5lMzuHqLWEgarJdAstZLLXddHVgod2bZuQ6S+rlFhY=; b=H8zIU6ZBxCKPPlYO9JB9ryfMIJjfYtligF5Jfu2WJeuXs7GjkaIsTMWgoCfGZqKB5T fry8Kbt2fa+rsqYkKgC2fi0a7saUCWc8K9N1Mpm0ksc6FkSThI8dmDFHVWCkZXEnvFMq ZN7YXZMrwEWU8R3o7jiQ0kfRH4kxLX+oF9fPn9cBGfIghXcdXy2MQ2GT5RSl+u2mqdgX GZhfQMjBLwtLuA8w7Zk4MZf34TiUJv/UMpFJ+JPuFkTknjkDV/6K9qL6zOjZ2/RLjutx +8tImFaBQICqlu4rbYnTfPVKp1/jekVFDiniUdJg1fm6pna5nqpzxrN8CbTYAcycbTxV oGZw==
X-Forwarded-Encrypted: i=1; AJvYcCXRbCgVflNimeCoqsMgCatAvT3bq+zznM0x/BSJ2uFejVSFL4wgVpAYh37m7+SuX8tYhOc=@ietf.org
X-Gm-Message-State: AOJu0YwxKeC0r0Kl1fg6KpfCmzZE/XkmE+3jqIEuaB4f3hPJERL6BjlM 4mzavQ+x52vsm255lHFPNchNXvWWoPC1Wr1VTt+lPi91CDz4fjXSyV9dtMTvXO825o64dp5S2/T Tlh5aq9/8Fp/usJUasSoo+y6dTlbNRhiXbyFI9g==
X-Google-Smtp-Source: AGHT+IEzmLVPm3kiXBfxPXyQrvgXVvRmVYIgcBdYWIU4SRekkwcw0WHlFMt2XXkxDA/pFal6m37PShUpeVegluUzWfY=
X-Received: by 2002:a05:690c:385:b0:6db:7a8c:6640 with SMTP id 00721157ae682-6dbb6add9f4mr116874557b3.5.1726431129501; Sun, 15 Sep 2024 13:12:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaAU+cRapAc3xnySXiq2nOTXAFvLQYdWNC6rXdFj8iA39w@mail.gmail.com> <GVXPR07MB967868D3F2297A31457FABD8899B2@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB967868D3F2297A31457FABD8899B2@GVXPR07MB9678.eurprd07.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 15 Sep 2024 13:11:32 -0700
Message-ID: <CABcZeBNh72t0yvqMmFx7CeZ+gPY+9gW_w2zEW1CQWzw9dk8S_Q@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000034219f06222e1263"
Message-ID-Hash: UQ7Z2R244UGEC3K4P7CEWCPWARX2PTBL
X-Message-ID-Hash: UQ7Z2R244UGEC3K4P7CEWCPWARX2PTBL
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: draft-ietf-tls-key-share-prediction next steps
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c6R0ScfUPjhOiOVPXDWc1h0n4ew>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Wed, Sep 11, 2024 at 12:41 AM John Mattsson <john.mattsson=
40ericsson.com@dmarc.ietf.org> wrote:

> "To avoid downgrade attacks, the client MUST continue to send its full
> preferences in the supported_groups extension."
>
>
>
> I don't think sending full preferences is a requirement in RFC 8446. As
> far as I can see there is no normative text in RFC 8446 forbidding the
> client to change the "supported_groups" extension based on unauthorized
> data such as the domain name, IP address, etc.
>
>
>
> I think RFC 8446 should be update to state:
>
>
>
> The client MUST NOT change the content of the "supported_groups" extension
> based on unauthenticated information.
>
>
>
> ------------
>
>
>
> "DNS responses are unauthenticated in many deployments."
>
>
>
> I think the draft should describe the two cases "authenticated DNS" and "unauthenticated
> DNS" separately. The security considerations are very different.
>
>
>
> ------------
>
>
>
> I think the security considerations are way too optimistic and need major
> work.
>
>
>
> "To avoid downgrade attacks, the client MUST continue to send its full
> preferences in the supported_groups extension."
>
> "it is safe for clients to admit attacker control over the set of named
> groups preferred in key_share, provided supported_groups always reflects
> the true client preference."
>
>
>
> This relies on servers ignoring performance and always chosing security.
> My understanding is that there is nothing in RFC 8446 saying that servers
> should behave like this. I think the only reasonable assumption in case of
> unauthenticated DNS is that the weakest group supported by the client will
> be used. This is problematic.
>
>
>
> If a server is not doing point validation on P-256 (which we know happens),
> an attacker can find the private key. As TLS key shares unfortunatly are not
> ephemeral (TLS 1.3 allows reuse), an attacker can downgrade a real
> connection from x25519 to P-256 (which is unfortunatly MTI) and then
> completely compromise the connection with the key share private key it
> got from earlier connections with the server.
>

Hmmm... Isn't the correct statement here that if the server;

1. Reuses keys
2. Does not do point validation

Then the attacker can compromise one key share and attack future
connections that use the affected key?

If the server does not reuse keys, then this attack doesn't work regardless
of TLS not prohibiting reuse

Ekr


>
> Cheers,
>
> John
>
>
>
> *From: *David Benjamin <davidben@chromium.org>
> *Date: *Tuesday, 10 September 2024 at 23:41
> *To: *<tls@ietf.org>
> *Subject: *[TLS] draft-ietf-tls-key-share-prediction next steps
>
> Hi all,
>
>
>
> Now that we're working through the Kyber to ML-KEM transition, TLS 1.3's
> awkwardness around key share prediction is becoming starkly visible. (It is
> difficult for clients to efficiently offer both Kyber and ML-KEM, but a
> hard transition loses PQ coverage for some clients. Kyber was a draft
> standard, just deployed by early adopters, so while not ideal, I think the
> hard transition is not the end of the world. ML-KEM is expected to be
> durable, so a coverage-interrupting transition to FancyNewKEM *would* be
> a problem.)
>
>
>
> We adopted draft-ietf-tls-key-share-prediction in June to address this.
> There hasn't been a whole lot to do on it since. I've cut a new draft,
> draft-ietf-tls-key-share-prediction-01, with some very minor changes that
> were queued up in GitHub. I'd like to sort out next steps and move forward.
>
>
>
> Beyond that, there are a couple of minor issues in the issue tracker. I
> don't believe either of these need to block getting a codepoint.
>
> https://github.com/tlswg/tls-key-share-prediction/issues/4 - unless
> folks think otherwise, I plan to just leave this alone and close this
>
> https://github.com/tlswg/tls-key-share-prediction/issues/7 - unless folks
> think otherwise, I plan to just leave this alone and not require the
> receiver to check
>
>
>
> Finally, there's the question of downgrade protection:
>
> https://github.com/tlswg/tls-key-share-prediction/issues/11
>
>
>
> For some background if folks have forgotten, the original key share
> prediction draft included a ton of complexity to accommodate existing
> server behavior that would preferentially pick groups out of key_share even
> if an otherwise more preferred group was in supported_groups. Depending on
> what the server was trying to do there, this could be perfectly fine (if
> the server believes the groups are comparable in security) or a downgrade
> risk (if the server actually believed they were in different security
> classes---PQ vs classical---but implemented a key_share-first selection
> algorithm anyway). Pre-adoption, my original draft took the position that
> it was ambiguous and we cannot safely assume the server knew what it was
> doing. It designed a scheme to clarify the semantics going forward and use
> codepoints to ratchet in whether the server implemented the new semantics.
>
>
> https://www.ietf.org/archive/id/draft-davidben-tls-key-share-prediction-00.html
>
>
>
> After WG discussion, I think we broadly concluded the semantics were
> actually already present in RFC 8446, and it was not worth the trouble to
> second-guess the servers here. That led to the much simpler draft, which
> simply discusses why this is OK in security considerations:
>
>
> https://www.ietf.org/archive/id/draft-ietf-tls-key-share-prediction-01.html#name-security-considerations
>
>
>
> As I wrote that text, I unsurprisingly agree with and am fine with this
> outcome. :-) But there was some chatter about it in the adoption thread
> (see GitHub link), so I filed the issue so we continued to discuss it. I
> think perhaps now is the time to discuss it, if we're going to. Do folks
> want to discuss it? Are there alternate proposals, or should we just stay
> the course? Unless we have an alternate proposal, I propose we just stay
> the course and go with [what I understand the conclusion to be from] the
> previous WG discussion.
>
>
>
> If there are no further significant changes that folks want to make, I
> would like to propose we get a codepoint for this and unblock
> implementation. The earlier this is ready, the more likely that we will be
> prepared by the time the next KEM transition happens.
>
>
>
> Thoughts?
>
>
>
> David
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.39.1 | Report a Bug | By Email | System Status