[TLS] Re: Consensus call for RFC8773bis Formal Analysis Requirement
John Mattsson <john.mattsson@ericsson.com> Sat, 19 October 2024 14:18 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>, Russ Housley <housley@vigilsec.com>
CC: IETF TLS <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jpla6G_AJrCpQi4MuBWGE6Y0Ifw>
Hi,

I think this is a very straightforward way to introduce hybrid keying to TLS 1.3. I think this extension will increase the use of TLS 1.3 in national security systems, which I think is very welcome. This kind of hybrid keying / defense-in-depth is exactly what is recommended in the excellent PhD thesis by Martin Ekerå [1], who is also chief cryptographer of the Swedish NCSA. As long as the extension does not alter the certificate authentication or the ephemeral key exchange, I do not see any way it could lower the security, but I am not against formal analysis. I am satisfied with the Privacy Considerations section and would like to see this draft published as proposed standard.

Some comments on draft-ietf-tls-8773bis-02:

- - -

"There are two motivations for using a certificate with an external PSK."

For national security systems, I think it is motivated to always use hybrid keying, combining symmetric keying with post-quantum secure asymmetric keying. The recommendation in [1] is to combine symmetric keying, post-quantum secure asymmetric keying, and classically secure asymmetric keying, as a defense-in-depth. See Algorithm 1 and Figure A.1 of [1].

- - -

"but it will take many years for TLS 1.3 ciphersuites that use these algorithms to be developed and deployed"

X25519MLKEM768 already seems developed and deployed.

- - -

"Since the "tls_cert_with_extern_psk" extension is intended to be used only with initial handshakes, it MUST NOT be sent alongside the "early_data" extension."

I don't think the MUST NOT follows from the fact that "tls_cert_with_extern_psk" is intended to be used only with initial handshakes. External PSKs can be used with "early_data" in the initial handshake according to RFC 8446. Suggestion:

NEW: "tls_cert_with_extern_psk" MUST NOT be sent alongside the "early_data" extension.

- - -

"However, TLS 1.3 does not permit an external PSK to be used in the same fashion as a resumption PSK, and this extension does not alter those restrictions"

I don't know what these restrictions on external PSKs are and I could not find them in RFC 8446.

- - -

"For protection against the future invention of a CRQC, the symmetric key needs to be at least 128 bits"

It needs to be at least 128 bits to protect against classic computers as well. The sentence is also duplicated in the following paragraph. Suggestion:

NEW: "For protection against future attacks, the symmetric key needs to be at least 128 bits"

- - -

"the advantage of Grover's algorithm will be smaller."

I don't think Grover's will ever have any practical advantage. In addition to cost and parallelization, two additional factors mentioned in footnote 18 of [1] are:

"large-scale fault-tolerant quantum computers as currently envisaged are very slow compared to classical computers"

"The overheads incurred by the need to employ quantum error correction to achieve fault tolerance are furthermore substantial."

- - -

"If the external PSK is known to any party other than the client and the server, then the external PSK MUST NOT be the sole basis for authentication."

I think certificate-based server authentication SHALL be used even if the external PSK is known only by the client and the server.

- - -

"In addition, clients MAY also include psk_ke mode to support a subsequent NewSessionTicket."

I think this draft, focusing on hybrid keying in high-security systems, should forbid psk_ke.

- - -

Cheers,
John

[1] Ekerå, "On factoring integers, and computing discrete logarithms and orders, quantumly", http://kth.diva-portal.org/smash/get/diva2:1902626/FULLTEXT01.pdf