Re: [TLS] I-D Action: draft-ietf-tls-hybrid-design-05.txt

John Mattsson <john.mattsson@ericsson.com> Fri, 06 January 2023 14:19 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "tls@ietf.org" <tls@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
CC: "tls@ietf.org" <tls@ietf.org>
Date: Fri, 06 Jan 2023 14:19:05 +0000
Message-ID: <HE1PR0701MB305030D5A84CCABDF4E7D51189FB9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <166171840950.47470.17558854819128805632@ietfa.amsl.com>
In-Reply-To: <166171840950.47470.17558854819128805632@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jSnfyUV-WZEqUDVqEcgIBeS98Hw>

Review of draft-ietf-tls-hybrid-design-05

Good document, some comments:

- "post-quantum cryptography"
Has there been an IETF discussion on which term to use? The recently released CNSA 2.0 uses the term quantum-resistant (QR), which is probably a better term, as post-quantum cryptography will be deployed far before any CRQCs are built. I have not seen any NIST discussion, but I would not be surprised at all if they changed to “quantum-resistant” to align with CNSA 2.0.
https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF


- I suggest the following change to the definition below so that it also covers secp256r1+x25519, secp256r1+secp384r1, Kyber+NTRU, etc.

OLD: "means the use of two (or more) key exchange algorithms based on different cryptographic assumptions"
NEW: "means the use of two (or more) key exchange algorithms"


- "advent of a quantum computer"
Quantum computers are already here. Probably better to talk about CRQCs instead of quantum computers in the whole document.


- The four initial hybrids seem like the right choices. Might consider Kyber1024 as CNSA 2.0 has chosen that, but on the other hand compliance with CNSA 2.0 means using Kyber1024 without secp384r1.


- This document uses the FIPS 202 variant (and not the "90s" variant);
I suggest rewriting this so that it does not sound like kyber512 and kyber768 are FIPS.


- “For kyber512 and kyber768, this document refers to the same named parameter sets defined in the Round 3”.
Should we call these non-standardized versions kyber512 and kyber768? Maybe better to call them kyber512-round3 and kyber768-round3 or something like that. On the other hand, NIST might change the name of the standardized versions, so there might not be a collision.


- Does using IND-CCA2 with reuse of key shares give better performance than using IND-CPA without reusing key shares? Are there any real-world measurements on that? My understanding is that the FO transform is not free.


- The IANA registry needs values for “DTLS-OK” and “Recommended”.


- My understanding is that the US government will forbid use of hybrid key exchange with the argument that it increases complexity and therefore the risk of vulnerabilities related to implementation bugs. It would be good to mention and discuss this even if you do not agree.


Cheers,
John

From: TLS <tls-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Date: Sunday, 28 August 2022 at 22:27
To: i-d-announce@ietf.org <i-d-announce@ietf.org>
Cc: tls@ietf.org <tls@ietf.org>
Subject: [TLS] I-D Action: draft-ietf-tls-hybrid-design-05.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Transport Layer Security WG of the IETF.

        Title           : Hybrid key exchange in TLS 1.3
        Authors         : Douglas Stebila
                          Scott Fluhrer
                          Shay Gueron
        Filename        : draft-ietf-tls-hybrid-design-05.txt
        Pages           : 22
        Date            : 2022-08-28

Abstract:
   Hybrid key exchange refers to using multiple key exchange algorithms
   simultaneously and combining the result with the goal of providing
   security even if all but one of the component algorithms is broken.
   It is motivated by transition to post-quantum cryptography.  This
   document provides a construction for hybrid key exchange in the
   Transport Layer Security (TLS) protocol version 1.3.

   Discussion of this work is encouraged to happen on the TLS IETF
   mailing list tls@ietf.org or on the GitHub repository which contains
   the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-05.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-tls-hybrid-design-05


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


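The abstract above describes hybrid key exchange as running several key exchange algorithms and combining the results so that the session stays secure as long as one component holds. The toy model below (an added example, not code from the draft, from the draft's authors or from this thread) shows the shape of that construction: a hybrid key share is the fixed-length concatenation of the component shares, and the component shared secrets are concatenated and fed into the TLS 1.3 key schedule in place of the (EC)DHE secret. The component algorithms themselves are abstracted to byte strings, the sizes for the second component and the derived secret are constructed, and `Component`, `TOY_KEM` and all function names are this example's own. Nothing in the combiner depends on the components resting on different cryptographic assumptions, which is the point behind the suggested definition change above.

```python
"""Toy model of the hybrid key share and secret combiner in draft-ietf-tls-hybrid-design.

Added example (standard library only); not code from the draft or any TLS stack.
The component KEM/ECDH operations are assumed to happen elsewhere and are
represented here only by the byte strings they produce.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """Fixed wire sizes of one component of a hybrid group (an assumed helper type)."""
    name: str
    share_len: int    # bytes of this component's key_exchange value
    secret_len: int   # bytes of this component's shared secret


# x25519 sizes are real (32-byte public key, 32-byte shared secret); the second
# component is a constructed stand-in for a KEM public key or ciphertext.
X25519 = Component("x25519", share_len=32, secret_len=32)
TOY_KEM = Component("toy-kem", share_len=1184, secret_len=32)


def encode_key_share(components, shares):
    """Hybrid key_exchange value: the component shares concatenated in order, no length prefixes."""
    if len(components) != len(shares):
        raise ValueError("one share per component required")
    for comp, share in zip(components, shares):
        if len(share) != comp.share_len:
            raise ValueError(f"{comp.name}: share must be {comp.share_len} bytes")
    return b"".join(shares)


def parse_key_share(components, blob):
    """Split a hybrid key_exchange value using the known fixed component lengths.

    A total length that does not match is a malformed extension and is rejected
    rather than silently truncated or zero-padded.
    """
    expected = sum(c.share_len for c in components)
    if len(blob) != expected:
        raise ValueError(f"hybrid key share must be {expected} bytes, got {len(blob)}")
    out, pos = [], 0
    for comp in components:
        out.append(blob[pos:pos + comp.share_len])
        pos += comp.share_len
    return out


def is_malformed(components, blob):
    """True if the peer's hybrid key share would be rejected by parse_key_share."""
    try:
        parse_key_share(components, blob)
    except ValueError:
        return True
    return False


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with SHA-256, as used by the TLS 1.3 key schedule."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hybrid_handshake_secret(components, component_secrets, derived_secret):
    """Handshake Secret = HKDF-Extract(Derived-Secret, ss_1 || ss_2 || ...).

    The concatenated component secrets replace the (EC)DHE shared secret;
    every component secret therefore influences every derived key.
    """
    for comp, ss in zip(components, component_secrets):
        if len(ss) != comp.secret_len:
            raise ValueError(f"{comp.name}: secret must be {comp.secret_len} bytes")
    return hkdf_extract(derived_secret, b"".join(component_secrets))


def demo():
    """Round-trip a key share and show one intact component protects the secret."""
    comps = (X25519, TOY_KEM)
    shares = [secrets.token_bytes(c.share_len) for c in comps]
    blob = encode_key_share(comps, shares)
    assert parse_key_share(comps, blob) == shares
    ss = [secrets.token_bytes(c.secret_len) for c in comps]
    derived = hashlib.sha256(b"constructed derived secret").digest()  # constructed
    hs = hybrid_handshake_secret(comps, ss, derived)
    # Knowing ss[0] alone (as if x25519 were broken) does not yield the handshake secret.
    guess = hybrid_handshake_secret(comps, [ss[0], bytes(comps[1].secret_len)], derived)
    return hs != guess


if __name__ == "__main__":
    print("hybrid secret depends on every component:", demo())
```

The length check in `parse_key_share` is the practical detail worth keeping: because the draft relies on fixed component sizes rather than length prefixes, an implementation that tolerates a short or long hybrid key share ends up feeding misaligned bytes into both component algorithms, so the only safe response is to abort the handshake.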