IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-hybrid-design

Kris Kwiatkowski <kris@amongbytes.com> Mon, 22 August 2022 14:11 UTC

Return-Path: <kris@amongbytes.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB0A0C14F74E for <tls@ietfa.amsl.com>; Mon, 22 Aug 2022 07:11:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HZ5Bvi1ftfLQ for <tls@ietfa.amsl.com>; Mon, 22 Aug 2022 07:11:42 -0700 (PDT)
Received: from 6.mo580.mail-out.ovh.net (6.mo580.mail-out.ovh.net [46.105.47.107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 307D2C14F693 for <tls@ietf.org>; Mon, 22 Aug 2022 07:11:41 -0700 (PDT)
Received: from mxplan8.mail.ovh.net (unknown [10.109.143.222]) by mo580.mail-out.ovh.net (Postfix) with ESMTPS id B794227E66 for <tls@ietf.org>; Mon, 22 Aug 2022 14:11:39 +0000 (UTC)
Received: from amongbytes.com (37.59.142.100) by mxplan8.mail.ovh.net (172.16.2.61) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2507.9; Mon, 22 Aug 2022 16:11:39 +0200
Authentication-Results: garm.ovh; auth=pass (GARM-100R003097f781a-db8b-49c9-b9b4-3bf7f81c83e1, 5A34025E1CAE475A43818959881E05204E2A961B) smtp.auth=kris@amongbytes.com
X-OVh-ClientIp: 90.251.255.1
Content-Type: multipart/alternative; boundary="------------7Fqtyap5EPEx0hG9OMTsGV0o"
Message-ID: <9f513169-7b45-2be0-13fd-b8aa2d2a2280@amongbytes.com>
Date: Mon, 22 Aug 2022 15:11:38 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0
To: tls@ietf.org
References: <27E9945C-6A0A-46DD-89F0-22BE59188216@heapingbits.net> <e43fc649-3fc6-333b-c44d-55de0627c710@cs.tcd.ie> <Ymz7yncQAnzmp/eL@LK-Perkele-VII2.locald> <38de10e6-ab3c-6ea1-44b7-57057c97e7aa@cs.tcd.ie> <CH0PR11MB5444D7D4F32F195FFB189C10C1679@CH0PR11MB5444.namprd11.prod.outlook.com> <320bb3ca-890b-45c9-b55f-f0d65bdce7be@beta.fastmail.com> <CAMjbhoXMb93+hy3jjHS=BnMekyoksSejEjJwpPHN967RAH_acA@mail.gmail.com>
From: Kris Kwiatkowski <kris@amongbytes.com>
In-Reply-To: <CAMjbhoXMb93+hy3jjHS=BnMekyoksSejEjJwpPHN967RAH_acA@mail.gmail.com>
X-Ovh-Tracer-GUID: b25ba324-2432-4d3a-99b8-9d4817107dc8
X-Ovh-Tracer-Id: 10275806976255835927
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedvfedrvdeijedgjeegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucenucfjughrpegtkfffgggfuffvfhfhjgesrgdtreertdefjeenucfhrhhomhepmfhrihhsucfmfihirghtkhhofihskhhiuceokhhrihhssegrmhhonhhgsgihthgvshdrtghomheqnecuggftrfgrthhtvghrnhepvdejvdefueelhfeltdegudejleetjeekueetuddtffeuhfefvefffeefvdevheffnecukfhppedtrddtrddtrddtpdefjedrheelrddugedvrddutddtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhpohhuthdphhgvlhhopehmgihplhgrnhekrdhmrghilhdrohhvhhdrnhgvthdpihhnvghtpedtrddtrddtrddtpdhmrghilhhfrhhomhepkhhrihhssegrmhhonhhgsgihthgvshdrtghomhdpnhgspghrtghpthhtohepuddprhgtphhtthhopehtlhhssehivghtfhdrohhrghdpoffvtefjohhsthepmhhoheektd
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rkn4-Z24SpMMl7by_xG4HaQWicY>
Subject: Re: [TLS] WGLC for draft-ietf-tls-hybrid-design
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2022 14:11:43 -0000

On 22/08/2022 14:24, Bas Westerbaan wrote:
> Here they're speaking about adding non-FIPS PQ to a non-PQ FIPS kex,[2] but 
> the other way around is also ok — what am I missing?

Let's assume Kyber is FIPS-approved. Indeed, you'll be able to have
a FIPS library with Z generated by Kyber and T generated by X25519
(but not other way around).
As X25519 is not FIPS-approved, the lab won't be able to test it,
hence you can't declare any security on that scheme. This will be
reflected in the security policy (as a "non-approved algorithm, with
no security claimed"). In theory, X25519 may produce wrong results
and your product still gets FIPS certificate as the algorithm is
security irrelevant. It is similar situation as we have today, but
with Z generated by P-256 and T by Kyber.

What, I think, is more valuable for those who need FIPS, is to be
able to have hybrid construction in which both algorithms are properly
tested and certified by the FIPS lab.

Also, in that case, Z can be generated by either PQ or non-PQ as
both are FIPS-approved.

Kind regards,
Kris

v2.23.0 | Report a Bug | By Email