Re: [TLS] Updated AuthKEM drafts

Peter C <Peter.C@ncsc.gov.uk> Mon, 06 November 2023 19:51 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/egaol2GWa83Fdg7GiIHpbNK1yWM>

Sorry, the hybrid TLS draft I referenced should have been draft-tls-westerbaan-xyber768d00.  I do realise they are different drafts with slightly different KEMs, I just can't copy and paste properly!

Peter

From: TLS <tls-bounces@ietf.org> On Behalf Of Peter C
Sent: Monday, November 6, 2023 4:08 PM
To: tls@ietf.org
Subject: Re: [TLS] Updated AuthKEM drafts

Thom,

If I'm understanding things correctly, the proof of multi-stage security for AuthKEM requires that the KEM used for authentication is IND-CCA2 secure.

Unfortunately, kem_x25519kyber768 from draft-westerbaan-cfrg-hpke-xyber768d00 is not IND-CCA2 secure.  It simply concatenates the shared secrets so is straightforward to distinguish given a decapsulation oracle - modify the first component ciphertext and check whether the second half of the concatenated shared secret stays the same.  It's possible that the TLS key schedule means it might still be fine to use, maybe - this is the argument in draft-westerbaan-cfrg-hpke-xyber768d00 for the ephemeral KEM - but I don't think this is covered by the existing KEMTLS security analysis and it's not clear to me what happens if one of the component algorithms is broken.

An alternative would be to use a hybrid KEM construction along the lines of draft-ounsworth-cfrg-kem-combiners where you are guaranteed to get IND-CCA2 security.  I realise this moves away from directly reusing the ephemeral KEM for authentication, but they have slightly different security requirements and it's somewhat analogous to using dhkem_x25519_sha256 for authentication instead of x25519 by itself.

Best,

Peter

From: TLS <tls-bounces@ietf.org> On Behalf Of Thom Wiggers
Sent: Friday, August 18, 2023 10:41 AM
To: <tls@ietf.org> <tls@ietf.org>
Subject: [TLS] Updated AuthKEM drafts

Hi all,

I have just updated the AuthKEM draft and published a new one. TL;DR:

AuthKEM is a proposal that replaces signature-based handshake authentication in TLS by an additional KEM key exchange (putting KEM public keys in endpoint certificates).

In this update we:
* Split off the AuthKEM cached/pre-shared KEM public key PSK-style mechanism into a separate draft
* Added a new section that explains the sizes of different TLS and AuthKEM handshakes
* Also explain how AuthKEM makes it cheaper to use Falcon for offline signatures
* Expanded on related work and how this mechanism relates to compression proposals

In our view, AuthKEM can be especially helpful for embedded and IoT devices, as using KEMs instead of signatures can be much cheaper in terms of bandwidth, computation, and (when mutually authenticating) code size. For example, in [Samandari23], a KEM-authentication approach was investigated for MQTT and resulted in much faster messaging. But also for the WebPKI, AuthKEM can reduce handshake sizes further when combined with e.g. Merkle Tree Certs or Abridged Certificate Compression.

The KEM-based PSK-style mechanism can in my mind be a robust contribution to the discussion on the update for RFC7924 versus session tickets: storing KEM public keys can be much easier than symmetric session tickets or other symmetric secrets in terms of key management, but also in terms of not having to protect the secrets.

The source repository for both drafts lives at https://github.com/kemtls/draft-celi-wiggers-tls-authkem. I am already aware that I forgot to update the abstract for authkem-psk, so that is one of the new issues tracked there.

There are lots of things still open for discussion, and these are marked in the draft. I am also sure the presentation or any details can be much improved, and welcome any and all contributions to either.

Cheers,

Also on behalf of my co-authors,

Thom
PQShield

[Samandari23] https://www.mdpi.com/2624-800X/3/3/21/html