IETF Logo Mail Archive

Re: [TLS] -draft8447bis: rename Support Group Elliptic curve groups space

Wang Guilin <Wang.Guilin@huawei.com> Mon, 22 April 2024 00:34 UTC

Return-Path: <Wang.Guilin@huawei.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C020C14F60B for <tls@ietfa.amsl.com>; Sun, 21 Apr 2024 17:34:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.325
X-Spam-Level:
X-Spam-Status: No, score=-1.325 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, INVALID_MSGID=0.568, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id npNelAPY1cxv for <tls@ietfa.amsl.com>; Sun, 21 Apr 2024 17:34:14 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16E2DC14F5FB for <tls@ietf.org>; Sun, 21 Apr 2024 17:34:14 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.231]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4VN5pk0LjNz6K7SP; Mon, 22 Apr 2024 08:34:06 +0800 (CST)
Received: from lhrpeml100001.china.huawei.com (unknown [7.191.160.183]) by mail.maildlp.com (Postfix) with ESMTPS id 13E04140519; Mon, 22 Apr 2024 08:34:11 +0800 (CST)
Received: from sinpeml500006.china.huawei.com (7.188.194.237) by lhrpeml100001.china.huawei.com (7.191.160.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Mon, 22 Apr 2024 01:34:10 +0100
Received: from sinpeml500005.china.huawei.com (7.188.193.102) by sinpeml500006.china.huawei.com (7.188.194.237) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Mon, 22 Apr 2024 08:34:08 +0800
Received: from sinpeml500005.china.huawei.com ([7.188.193.102]) by sinpeml500005.china.huawei.com ([7.188.193.102]) with mapi id 15.01.2507.035; Mon, 22 Apr 2024 08:34:08 +0800
From: Wang Guilin <Wang.Guilin@huawei.com>
To: Deirdre Connolly <durumcrustulum@gmail.com>, Russ Housley <housley@vigilsec.com>
CC: IETF TLS <tls@ietf.org>
Thread-Topic: [TLS] -draft8447bis: rename Support Group Elliptic curve groups space
Thread-Index: AQHagR+xb4xMvSx090CRQ2Az4xeycrFNHbcAgAGM6ICAJOy0Gg==
Date: Mon, 22 Apr 2024 00:34:08 +0000
Message-ID: 59C0BB8E-4834-4509-B11C-0C010239ADD0
References: <B5E1CFD9-32F5-482E-B305-2D739AD273BA@sn3rd.com> <0BC652C3-9BBF-4E18-97D1-4036EA16C9E4@vigilsec.com>, <CAFR824w7TrCugQqevmcGarmA2_yQuBz1rFLdg2yejpKL6PiS_w@mail.gmail.com>
In-Reply-To: <CAFR824w7TrCugQqevmcGarmA2_yQuBz1rFLdg2yejpKL6PiS_w@mail.gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_59C0BB8E48344509B11C0C010239ADD0_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cxc6o1XcYiBv_zyh8TDKmiA_5J0>
Subject: Re: [TLS] -draft8447bis: rename Support Group Elliptic curve groups space
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2024 00:34:18 -0000

Dear Deirdre,

Could say a little more why both 'key exchange' and 'key establishment' have been excluded?

>The naming of the document excluded 'key exchange' and 'key establishment', and went with 'key agreement', but that is a weakly held name,

Thanks,

Guilin

________________________________

Wang Guilin
Mobile: +65-86920345
Email: Wang.Guilin@huawei.com

From:Deirdre Connolly <durumcrustulum@gmail.com<mailto:durumcrustulum@gmail.com>>
To:Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>
Cc:IETF TLS <tls@ietf.org<mailto:tls@ietf.org>>
Date:2024-03-30 04:43:30
Subject:Re: [TLS] -draft8447bis: rename Support Group Elliptic curve groups space

> KEMs are not "key agreement" algorithms as suggested by this draft name.  In a key agreement algorithm, both parties contribute to the shared secret.  With a KEM, only one party generates the the shared secreat value.

This is not generally accurate with the KEM schemes under consideration for adoption by any standards bodies: in the -hybrid-design and -mlkem-key-agreement documents, the `Client` generates an ephemeral keypair, and the `Server` encapsulates to that keypair, but especially in ML-KEM which is under consideration in both documents, the KEM randomly sampled message `m` is sampled by the `Server` but the final `shared_secret` resulting from `Encaps` and `Decaps` is based on computing over the message `m`, the public key `PK` generated by the `Client`, as well as the randomized ciphertext `CT` generated by the `Server`. The encapsulated message `m` is not actually the `shared_secret` that is the input to the TLS 1.3  key schedule, even independent of the entire handshake transcript being included into the full key schedule as well.

The naming of the document excluded 'key exchange' and 'key establishment', and went with 'key agreement', but that is a weakly held name,

On Thu, Mar 28, 2024 at 5:08 PM Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote:
Sean:

I observe that ML-KEM is not a Elliptic curve group or a Finite Field Diffie-Hellman group.  I really think we want to include sepport for KEMs. but a separate range is needed.  I assume it will be carved out of the Elliptic curve group range.

KEMs are not "key agreement" algorithms as suggested by this draft name.  In a key agreement algorithm, both parties contribute to the shared secret.  With a KEM, only one party generates the the shared secreat value.

Russ

> On Mar 28, 2024, at 10:52 AM, Sean Turner <sean@sn3rd.com<mailto:sean@sn3rd.com>> wrote:
>
> <author hat>
>
> **WARNING: Potential bikeshed**
>
> -connolly-tls-mlkem-key-agreement has suggested that code points for the NIST PQ be registered in the TLS Supported Groups IANA registry [1].  Currently [2], the registry is carved up into three blocks as follows:
>
> Range: 0-255, 512-65535
> Registration Procedures: Specification Required
> Note: Elliptic curve groups
>
> Range 256-511
> Registration Procedures: Specification Required
> Note: Finite Field Diffie-Hellman groups
>
> Assuming that the proposal in -connolly-tls-mlkem-key-agreement is the path for PQ KEM algorithms (and maybe regardless of whether this is the path), we should really replace the “Elliptic curve groups” note in the 0-255, 512-65535 range row with something else.  I am open to suggestions, but would like to propose “unallocated”. I have submitted the following issue:
> https://github.com/tlswg/rfc8447bis/issues/54
> and this PR:
> https://github.com/tlswg/rfc8447bis/pull/55
> to address this.
>
> spt
>
> [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
>
> [2] Originally, RFC 8442 defined the name of the registry as "EC Named Curve Registry” and then RFC 7919 re-named it “Supported Groups” and carved out the FFDH space.

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.29.0 | Report a Bug | By Email | System Status