IETF Logo Mail Archive

Re: [TLS] A suggestion for handling large key shares

David Benjamin <davidben@chromium.org> Tue, 19 March 2024 05:26 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36B51C14F6AA for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 22:26:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.258
X-Spam-Level:
X-Spam-Status: No, score=-9.258 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6SLoz51BjNDK for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 22:26:47 -0700 (PDT)
Received: from mail-yw1-x112c.google.com (mail-yw1-x112c.google.com [IPv6:2607:f8b0:4864:20::112c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D99BC14F68A for <tls@ietf.org>; Mon, 18 Mar 2024 22:26:47 -0700 (PDT)
Received: by mail-yw1-x112c.google.com with SMTP id 00721157ae682-60cbcd04de9so48678127b3.2 for <tls@ietf.org>; Mon, 18 Mar 2024 22:26:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1710826006; x=1711430806; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=LsByFgx3TVo5aoT/7DkpyZxuSam+ElQa/+9WtoGQB4Y=; b=lU0i/GKklDkHOk9AAd2eS7XAm4iEJlDWBrX6Te9mP9g9/Ml/JGim3RwedV56Ro7If5 ov33oggEvQ9+9/BN7HQfD0W3I7X8CkShVkIdoJA3jRJFTjXZfJbnNwWAlfP9ohVqymdu ITT8M/cWW067Hb5QMFB4HM6eoU7YK4TMdGE7U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710826006; x=1711430806; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LsByFgx3TVo5aoT/7DkpyZxuSam+ElQa/+9WtoGQB4Y=; b=RS8zy+CixlT3tMMnzHSKto3pj5jK3WSVOOHS82M+aRDZNshx3XPxVZCxII3ZS/CLS9 aD3a6wJf++vAVX33WhlQQlUEA77mh74QNyWXCJRmMcTVqz+rAxacl3+7UXe9DUMd340F IQE4w77WMW+/zKDg/4Ul9+W9b8U2eot+5QCOhzPfRWk0RFeNQxatcHbSZX8HTFuu0CSb jzHZsWY9weHs/wmKMUy2cNWhzvuk6lClyHEIfe/gP+jALmUtcctWPAoW0LWghn6702vf +fJqXOiD0mlplCHcwCCVYDcXmEdtyA/UdvzOfDxPfHFGB2/1TmqXKFxLd7oCY9IhBXsG +Www==
X-Gm-Message-State: AOJu0YzOVKMWA+lCO9QleaOOW4gbE/r3/SxHA8DxnJ6CNsHoyEoo04sJ CrSemMzjJuyY8NRvPBQL2jFShPJjjtShKCvvpkvaeTb6X9+siXKZ/a13wHwV2Z3nxxsdGzQ8Glb pLC2anxOxMrc/wTA8PAChVnLSWObYxJCCbO/VshBmtqmvwlSm5bI=
X-Google-Smtp-Source: AGHT+IHOpcCPgHeRkMw00QtHbWI7BMcK1dIjAexRKriVisPMybqpUXq/EE7TNLYvse92fU0TkxRm7ujh5hLT3PdYsLE=
X-Received: by 2002:a81:a253:0:b0:60a:374:969a with SMTP id z19-20020a81a253000000b0060a0374969amr13070768ywg.50.1710826006298; Mon, 18 Mar 2024 22:26:46 -0700 (PDT)
MIME-Version: 1.0
References: <CH0PR11MB544488B051C041EB32541AB6C12C2@CH0PR11MB5444.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB544488B051C041EB32541AB6C12C2@CH0PR11MB5444.namprd11.prod.outlook.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 19 Mar 2024 15:26:27 +1000
Message-ID: <CAF8qwaDmYMprxW4aYCiEEWKAw04xoSEZU=6fXCHqOcqjnhG6_w@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006179520613fcb86e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qMrYTB6qRrjEMTVswOaMO83awq4>
Subject: Re: [TLS] A suggestion for handling large key shares
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 05:26:51 -0000

> If the server supports P256+ML-KEM, what Matt suggested is that, instead
of accepting P256, it instead a ClientHelloRetry with P256+ML_KEM.  We then
continue as expected and end up negotiating things in 2 round trips.

I assume ClientHelloRetry was meant to be HelloRetryRequest? If so, yeah, a
server which aims to prefer P256+ML-KEM over P256 should, well, prefer
P256+ML-KEM over P256. :-) See the discussions around
draft-davidben-tls-key-share-prediction. In particular, RFC 8446 is clear
on the semantics of such a ClientHello:

   This vector MAY be empty if the client is requesting a
   HelloRetryRequest.  Each KeyShareEntry value MUST correspond to a
   group offered in the "supported_groups" extension and MUST appear in
   the same order.  However, the values MAY be a non-contiguous subset
   of the "supported_groups" extension and MAY omit the most preferred
   groups.  Such a situation could arise if the most preferred groups
   are new and unlikely to be supported in enough places to make
   pregenerating key shares for them efficient.

rfc8446bis contains further clarifications:
https://github.com/tlswg/tls13-spec/pull/1331

Now, some servers (namely OpenSSL) will instead unconditionally select from
key_share first. This isn't wrong, per se. It is how you implement a server
which believes all of its supported groups are of comparable security level
and therefore prioritizes round trips. Such a policy is plausible when you
only support, say, ECDH curves. It's not so reasonable if you support both
ECDH and a PQ KEM. But all the spec text for that is in place, so all that
is left is that folks keep this in mind when adding PQ KEMs to a TLS
implementation. A TLS stack that always looks at key_share first is not
PQ-ready and will need some changes before adopting PQ KEMs.

Regarding the other half of this:

> Suppose we have a client that supports both P-256 and P256+ML-KEM.  What
the client does is send a key share for P-256, and also indicate support
for P256+ML-KEM.  Because we’re including only the P256 key share, the
client hello is short

I don't think this is a good tradeoff and would oppose such a SHOULD here.
PQ KEMs are expensive as they are. Adding a round-trip to it will only make
it worse. Given the aim is to migrate the TLS ecosystem to PQ, penalizing
the desired state doesn't make sense. Accordingly, Chrome's Kyber
deployment includes X25519Kyber768 in the initial ClientHello. While this
does mean paying an unfortunate upfront cost, this alternative would
instead disincentivize servers from deploying post-quantum protections.

If you're interested in avoiding the upfront cost, see
draft-davidben-tls-key-share-prediction-01. That provides a mechanism for
clients to predict more accurately, though it's yet to even be adopted, so
it's a bit early to rely on that one. Note also the Security Considerations
section, which further depends on the server expectations above.

David

On Tue, Mar 19, 2024 at 2:47 PM Scott Fluhrer (sfluhrer) <sfluhrer=
40cisco.com@dmarc.ietf.org> wrote:

> Recently, Matt Campagna emailed the hybrid KEM group (Douglas, Shay and
> me) about a suggestion about one way to potentially improve the performance
> (in the ‘the server hasn’t upgraded yet’ case), and asked if we should add
> that suggestion to our draft.  It occurs to me that this suggestion is
> equally applicable to the pure ML-KEM draft (and future PQ drafts as well);
> hence putting it in our draft might not be the right spot.
>
>
>
> Here’s the core idea (Matt’s original scenario was more complicated):
>
>
>
>    - Suppose we have a client that supports both P-256 and P256+ML-KEM.
>    What the client does is send a key share for P-256, and also indicate
>    support for P256+ML-KEM.  Because we’re including only the P256 key share,
>    the client hello is short
>    - If the server supports only P256, it accepts it, and life goes on as
>    normal.
>    - If the server supports P256+ML-KEM, what Matt suggested is that,
>    instead of accepting P256, it instead a ClientHelloRetry with P256+ML_KEM.
>    We then continue as expected and end up negotiating things in 2 round trips.
>
>
>
> Hence, the non-upgraded scenario has no performance hit; the upgraded
> scenario does (because of the second round trip), but we’re transmitting
> more data anyways (and the client could, if it communicates with the server
> again, lead off with the proposal that was accepted last time).
>
>
>
> Matt’s suggestion was that this should be a SHOULD in our draft.
>
>
>
> My questions to you: a) do you agree with this suggestion, and b) if so,
> where should this SHOULD live?  Should it be in our draft?  The ML-KEM
> draft as well (assuming there is one, and it’s not just a codepoint
> assignment)?  Another RFC about how to handle large key shares in general
> (sounds like overkill to me, unless we have other things to put in that
> RFC)?
>
>
>
> Thank you.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email