IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-hybrid-design

Bas Westerbaan <bas@cloudflare.com> Tue, 30 August 2022 12:12 UTC

Return-Path: <bas@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94A23C14CF1F for <tls@ietfa.amsl.com>; Tue, 30 Aug 2022 05:12:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YwR0kA8KnA5C for <tls@ietfa.amsl.com>; Tue, 30 Aug 2022 05:12:09 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C13CC14CEFC for <tls@ietf.org>; Tue, 30 Aug 2022 05:12:09 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id i188-20020a1c3bc5000000b003a7b6ae4eb2so4846219wma.4 for <tls@ietf.org>; Tue, 30 Aug 2022 05:12:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc; bh=MrkPtggzpjiBiY7d6dH71UZfaDuyRYzsdykmg2So96o=; b=HziJYGFKEi13f7VAdXS4Yr1oXae+MSMv0L1lR4HLDSuprfcBHBArQUYPHEhqKTTiwH cCJFDuMfuGI2/TbZMfzZOGLRM42es6fVxoWgfBSdd43yAYIHZiC/muDwbsO7Fdw0P9YG J8SF9rQcEKJrK6lHXFisq8ialdcx0UDWsob8E=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc; bh=MrkPtggzpjiBiY7d6dH71UZfaDuyRYzsdykmg2So96o=; b=LWaJn9a/CS/kP3Kj5ff6KIqnMzeuh4qZFodqBl09FnIvbDcotDWoMpMTl646jTfw3G f0Ke+Qa4Rdm7LZOIqSxShi2Pp3d/282CipgiafFYb5pvpgb4EEWpCchy9ne6jmi/Xjsy 6NyzsNSbqJv7gCZA71z2MQb+XUlx9Qsc5YMOupDSR1g6ii8+OpX0EOhd7d63FOmW81wa iBfcxKIExjHbEzOPhQmqLNREdY4aRnnMcYUAy1olJy+AivpdZHenXFjePE7HQRTCBj2u hE4LFVlspSWaul3iG9+wjV5MlOCgKmlBDO7RQxCza5NU4hkBRSU43K0iMOMUhurUg7nc ocqQ==
X-Gm-Message-State: ACgBeo3Y0gOzQPv9JwQtBU1gqsshy7ESMg/gijw1tlncmPp1rmiuey1b oi20uH71i3HToVSYGMkDhlV2HOyYat5nAhwbpQaJ1JVwT8w=
X-Google-Smtp-Source: AA6agR6QehYhk6EWG6eu4VG/zplTEJWGYkiY3Er/rKMp4nNJmi9VIObTl5EwMsRwVdEvP/bCTpoxLKpRrdlr2OMJmkk=
X-Received: by 2002:a1c:4c0d:0:b0:3a5:98fa:3a4a with SMTP id z13-20020a1c4c0d000000b003a598fa3a4amr9615789wmf.92.1661861527881; Tue, 30 Aug 2022 05:12:07 -0700 (PDT)
MIME-Version: 1.0
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <e43fc649-3fc6-333b-c44d-55de0627c710@cs.tcd.ie> <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald> <38de10e6-ab3c-6ea1-44b7-57057c97e7aa@cs.tcd.ie> <CH0PR11MB5444D7D4F32F195FFB189C10C1679@CH0PR11MB5444.namprd11.prod.outlook.com> <320bb3ca-890b-45c9-b55f-f0d65bdce7be@beta.fastmail.com> <CAMjbhoXMb93+hy3jjHS=BnMekyoksSejEjJwpPHN967RAH_acA@mail.gmail.com> <9f513169-7b45-2be0-13fd-b8aa2d2a2280@amongbytes.com> <31cf9ef9-14df-40d1-aa61-1ff366b1f40b@beta.fastmail.com> <d33f6c42-0f9d-add0-7e98-57e0ceeaa55f@amongbytes.com>
In-Reply-To: <d33f6c42-0f9d-add0-7e98-57e0ceeaa55f@amongbytes.com>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Tue, 30 Aug 2022 14:11:57 +0200
Message-ID: <CAMjbhoVodu1shSXs86VkztTt5et2uQsmYCubx3DP+yf8K=N1eQ@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000096f2205e7744a3d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pmJMSyf1-PGlLwcgF_jtEYKxQ-g>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Aug 2022 12:12:14 -0000

For TLS on the Web it would be ideal if we can find a single[1] hybrid
which we can all be happy with because that will make keyshare negotiation
easier.

To wit, BoringSSL, when SSL_OP_CIPHER_SERVER_PREFERENCE is set, will pick
the group based on the supported_groups that the client sends.

Thus, in this case if the server prefers X25519 over P-256, and a client
sends a P-256 keyshare but also advertises support for X25519, the server
will send an HRR to get an X25519 agreement.

In practice this is not a problem, because X25519 has become the de facto
standard. Before that was the case, many clients sent both a P-256 and
X25519 keyshare.

The PQ hybrid situation is more painful. Suppose we end up with two
essentially equivalent hybrids, say P-256+Kyber768 and X25519+Kyber768, and
different servers have a different preference. Then clients are forced to
either send both keyshares or suffer an HRR.

Of course, we can change the server logic, but it isn't simple.

An OpenSSL server, for instance, with SSL_OP_CIPHER_SERVER_PREFERENCE set,
will accept a keyshare it supports even if the client announces support for
another group that the server prefers.

This has a disadvantage[2]: if a client sends a X25519 keyshare but
announces support for a PQ keyshare, we would want the server to HRR to
establish a PQ connection (as BoringSSL will do if the PQ groups are
preferred.)

Best,

 Bas

[1] That shouldn't prevent us from assigning code points for many hybrids.
[2] Thanks to David Benjamin for pointing that out to me.


On Tue, Aug 23, 2022 at 10:30 AM Kris Kwiatkowski <kris@amongbytes.com>
wrote:

>
> On 23/08/2022 01:39, Martin Thomson wrote:
>
> On Tue, Aug 23, 2022, at 00:11, Kris Kwiatkowski wrote:
>
> As X25519 is not FIPS-approved, the lab won't be able to test it,
>
> OK, hypothetical question, but maybe an important one.
>
> Why would a certification lab care?  We compose secrets with non-secrets all the time, so even if X25519 were replaced with a public value, as long as Kyber is approved, can they not proceed to certify on the basis of the strength of the Kyber algorithm and its implementation?
>
> FIPS lab won't care, as I've mentioned Kyber+x25519 can be certified when Kyber is FIPS-approved. The customers may
> care. As FIPS developer, I would like to be able to provide hybrid construction in which both algorithms are FIPS
> approved, so that in case Kyber gets broken, the key exchange is still is safe (as per FIPS standards), rather then
> Kyber gets broken and now you are not FIPS compliant.
> Makes sense?
>
> Or, more realistically, maybe the composition method can be approved, just as composing a secret with "chickenchickenchicken" can be rendered safe.  That way, composing with an arbitrary primitive might be considered safe if the composition method is approved.
>
> Composition method is an approved technique, see SP800-56Cr2 (point 2).
>
> _______________________________________________
> TLS mailing listTLS@ietf.orghttps://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email