IETF Logo Mail Archive

[TLS] Re: ML-DSA in TLS

Eric Rescorla <ekr@rtfm.com> Fri, 25 October 2024 15:04 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C82AFC15152B for <tls@ietfa.amsl.com>; Fri, 25 Oct 2024 08:04:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.802
X-Spam-Level:
X-Spam-Status: No, score=-1.802 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ef2jDW6S4NE3 for <tls@ietfa.amsl.com>; Fri, 25 Oct 2024 08:04:24 -0700 (PDT)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9045C1D8747 for <tls@ietf.org>; Fri, 25 Oct 2024 08:04:23 -0700 (PDT)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-6e5a5a59094so20131047b3.3 for <tls@ietf.org>; Fri, 25 Oct 2024 08:04:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1729868663; x=1730473463; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uzjyMC1rpmaH3wKRpmxsF4373lW5vdX1QgZMM5++pRU=; b=GuyEqsGKVmFkfW+aaVA0qGPbAbqqZipFbrQ6roIxs0BN32PTjn1+562KAcUsC02r7X 9Ib/cc+5FLu+mzR76A3gIVfPKU93jSMNXN5CEtdxVrfVtJJKjvqFzsd9ReRR7/yNI/OP dh7m73MmtlFlMRAvFegR1kOkugmNsg7kbanJnR0tX3EUULn+CoDbbY7Ju7JWafXTZ1qb z+NYBUeM6DYgz7ykqcK0Rm2X08CX7PRFnb/mFZ1pSz/IfN62k8BmZNC7ZYXl1FGextQo e441JWhbKTNAsO6rPblmZ/e0rRRALLM7m/Nfy2FW6KSEsoTyzFR1waEPBvciM4C1EIyi lI2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729868663; x=1730473463; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uzjyMC1rpmaH3wKRpmxsF4373lW5vdX1QgZMM5++pRU=; b=YqyO4dgn42NE+55BfjrcugMDH+8vFD6BzaufSIyDGvc9fonXUwzNn3wWN5/mGi/O0e pkw/30h6H/4coidBKdSdfWHJFWL4lefioeJ3VWiYM6tKa07tFNbPrXR8DTZQ710XyP8G EbL48YyP1ikw6c93ZAZAxubiR7zsfCY4x4+YWCV2L//x2HoGC6zjwUfUw96g450Vm14G wrjixZWeq9ixExWi6AZln9ZUYxC6x3CVvxYeOkIM+cJfY+IdeRedarNuJEIbPmV3dpns 3es/Sx6Ms8A0XuyBCaga6/817o/OCb3pspKkWA9Nf5CI7Y3tivZlQ5Gr4h4SGZy3JpCI 1fUQ==
X-Forwarded-Encrypted: i=1; AJvYcCX2EtaA3fMzuJ2c/s8dBbE19oSZ70l/LR3pVx9/7OExHEgecZJI1HX5UNTAjRda0XMbFAw=@ietf.org
X-Gm-Message-State: AOJu0Yylkf3sJy3uaR0xApwMbD+//cLqdmeH2ilj9vNg/n9/GhxJsmkO ayw8sLGsx1PYos6vae1K+EQyQqJn1MeenKP2NR/FCMceN8NuQhw73LjLL27JlZyDHYh30TzJcKM c0D4X5XlpD0YyL/nlZlx4GJKb3Np9M3q0DsTgqzOhoywMjSodEZU=
X-Google-Smtp-Source: AGHT+IGKxWqbPLHsPW+glRkaaMlxt1LWMBFtH54NTHH28g6czyLU/fH8XYIHHanbmElCrpPrxMoJeMHgszgJFKxWQ4w=
X-Received: by 2002:a05:690c:4a03:b0:6e2:446f:422c with SMTP id 00721157ae682-6e7f0e4735emr119690797b3.21.1729868662876; Fri, 25 Oct 2024 08:04:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAMjbhoUFkL=UT0Pt2xjPLm998=j1ef+wdm0WO14_W7OJDJ-hOg@mail.gmail.com> <bcb2e444-7fc7-477d-b290-77adad4a1630@redhat.com> <GVXPR07MB9678B11440060A8A315ED39B894D2@GVXPR07MB9678.eurprd07.prod.outlook.com> <CABcZeBMAg=r8MfJsJsVLe=bkPwE2e88ETnvop=JjCeHbCdct_w@mail.gmail.com> <CAMjbhoXomCFmfuGO09Pqr-BOdksmgOmVc08-g6niqqvj1k1mdA@mail.gmail.com> <CABcZeBMBRgpHawmJStR-prVQWguo1TJPJpXVzQWzysS5RDtLhw@mail.gmail.com> <CAMjbhoUkA44fvybQW=ZSD=_5t63+LD+F-UV4v3yE4fF4rfDYxg@mail.gmail.com>
In-Reply-To: <CAMjbhoUkA44fvybQW=ZSD=_5t63+LD+F-UV4v3yE4fF4rfDYxg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 25 Oct 2024 08:03:46 -0700
Message-ID: <CABcZeBMPPU+pK+4Mn1X-xj40W9Vo3qG49Cp4ZjmwCvMRmmMgBA@mail.gmail.com>
To: Bas Westerbaan <bas@cloudflare.com>
Content-Type: multipart/alternative; boundary="00000000000028c69a06254e6fad"
Message-ID-Hash: P537ZDCFAX2TZHRGCPJA2EBKITRFAFPH
X-Message-ID-Hash: P537ZDCFAX2TZHRGCPJA2EBKITRFAFPH
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: ML-DSA in TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tb54No-nCB3KuxfPHGcZJBIXmq8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Fri, Oct 25, 2024 at 7:54 AM Bas Westerbaan <bas@cloudflare.com> wrote:

> Hi Eric,
>
>
>> Hi Bas,
>>
>> I'm not sure I agree with this analysis, but perhaps it depends on
>> what you mean by "ready-to-go".
>>
>> I would think that the natural thing to do here is to get fairly
>> widespread deployment of support for PQ certificates but then prefer
>> non-PQ certificates. I.e.,
>>
>> 1. Clients would support both PQ and non-PQ certificates.
>> 2. Servers would have both PQ and non-PQ certificates, but would
>>    provide the non-PQ certificate if the client supported it.
>>
>> This would enable clients to decide that the risk from non-PQ was high
>> (as you say "the CRQC is near") and disable non-PQ.  Note that it
>> doesn't matter whether the server supports non-PQ as well, as the
>> security benefit comes from the client refusing it [0]. Do we agree so
>> far?
>>
>
> Unless a CRQC is near, there is no value, only risk to advertise support
> for ML-DSA. Thus I'd say clients would add support, but not advertise it.
> That requires an update at the time CRQC are near.
>

I'm not sure I agree that there is no value. In general, we try to roll out
new mechanisms slowly so that we get some experience with how they perform
in the wild. Given the experience with PQ key establishment, we should
probably have some concern that ML-DSA won't just work in all cases, and
we'd like to find that out now, which requires some level of deployment.



> The proposal you sketch also requires an update at the time CRQCs are near
> to disable the non-PQ certificates.
>

Absolutely. We're just in an asymmetrical position in that we're already
exposed to the risk of non-PQ but not to the risk of PQ.

-Ekr


> If you have a system that cannot have an update, then you indeed need a
> hybrid.
>
>
>> In general, the client is exposed to the union of the risks of
>> compromise of the signature algorithms it supports. Thus, in a world
>> where the client supports: [ECDSA, ML-DSA], then compromise of either
>> algorithm is an issue. By contrast, if the client supports [ECDSA,
>> EC-DSA+ML-DSA], then compromise of ML-DSA alone is insufficient to
>> result in an attack. This is of course the same logic that leads
>> to hybrids for key establishment.
>>
>> An obvious response here is "if something goes wrong with ML-DSA,
>> we'll just turn it off quickly". This is certainly true for browsers,
>> but I'm less sure it's true for other systems. If you think that
>> it takes a long time to disable algorithms, then it seems like
>> that's an argument that hybrid signatures are safer.
>>
>> -Ekr
>>
>>
>> [0] There is benefit in the servers supporting PQ ahead of time
>> because the client will have to make a cost/benefit decision in
>> terms of breakage, and the more servers support PQ, the easier
>> this decision is.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>>
>>> It's uncomfortable though if the first blessed SignatureScheme would be
>>> a non-hybrid. (Also regulators don't make the distinction between
>>> authentication and encryption, but at least most of them insist on hybrids
>>> for both though.)
>>>
>>> So I agree it makes sense to set recommended=N for now.
>>>
>>> Best,
>>>
>>>  Bas
>>>
>>>
>>>
>>> On Thu, Oct 24, 2024 at 4:47 AM Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>> I think an adoption call is a bit premature here. We've got some time,
>>>> especially in the WebPKI setting.
>>>>
>>>> In particular, we should have a discussion of whether we want to
>>>> standardize pure ML-DSA or hybrid ML-DSA/EC algorithms; I currently lean
>>>> towards the latter, but I, at least, would like to hear arguments to the
>>>> contrary.
>>>>
>>>> -Ekr
>>>>
>>>>
>>>> On Wed, Oct 23, 2024 at 11:02 AM John Mattsson <john.mattsson=
>>>> 40ericsson.com@dmarc.ietf.org> wrote:
>>>>
>>>>> Let’s have an adoption call asap.
>>>>>
>>>>>
>>>>>
>>>>> I made some minor suggestions
>>>>> https://github.com/bwesterb/tls-mldsa/pull/3
>>>>>
>>>>>
>>>>>
>>>>> John
>>>>>
>>>>>
>>>>>
>>>>> *From: *Alicja Kario <hkario@redhat.com>
>>>>> *Date: *Wednesday, 23 October 2024 at 19:59
>>>>> *To: *Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
>>>>> *Cc: *<tls@ietf.org>
>>>>> *Subject: *[TLS] Re: ML-DSA in TLS
>>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for the draft, will definitely be helpful.
>>>>>
>>>>> Few issues:
>>>>>  * The range 0x0900-0x0903 is reserved for backwards compatibility
>>>>>    I think it will be better to continue the numbering in the 0x08..
>>>>> space
>>>>>  * the must in "must use id_ML-DSA(...)" probably should be
>>>>> capitalised, as
>>>>>    if it doesn't match, the connection needs to be aborted
>>>>>
>>>>> open question is if we should document error handling explicitly:
>>>>>  - illegal_parameter alert if the peer used algorithm not advertised,
>>>>> or
>>>>>    signature algorithm does not match the certificate
>>>>>  - decrypt_error when verification of the signature failed
>>>>>
>>>>> On Wednesday, 23 October 2024 19:29:06 CEST, Bas Westerbaan wrote:
>>>>> > Hi all,
>>>>> >
>>>>> > Unless I overlooked something, we don't have a draft out to
>>>>> > assign a SignatureAlgorithm to ML-DSA for use in TLS.
>>>>> >
>>>>> > It's two days past the I-D submission deadline, but I wanted to
>>>>> > point you to a short draft we put together to fill this gap.
>>>>> >
>>>>> >
>>>>> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbwesterb.github.io%2Ftls-mldsa%2Fdraft-tls-westerbaan-mldsa.html&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C8fef63d5eddc4cb44fee08dcf38c63f4%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638653031501883034%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=1oIREiL3cz5iRqrSRQ2PKnw5%2BdAkv89rBl9AnUJwAgs%3D&reserved=0
>>>>> <https://bwesterb.github.io/tls-mldsa/draft-tls-westerbaan-mldsa.html>
>>>>> >
>>>>> > So far, I see only one open question: whether to set a non-zero
>>>>> > context string.
>>>>> >
>>>>> > Best,
>>>>> >
>>>>> >  Bas
>>>>> >
>>>>> >
>>>>> >
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Alicja (nee Hubert) Kario
>>>>> Principal Quality Engineer, RHEL Crypto team
>>>>> Web:
>>>>> https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cz.redhat.com%2F&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C8fef63d5eddc4cb44fee08dcf38c63f4%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638653031501906645%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=OEPmJIyNseoOyEubpjkOsGFhcqmd2HRTqwKcj4Xwkqk%3D&reserved=0
>>>>> <http://www.cz.redhat.com/>
>>>>> Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
>>>>>
>>>>> _______________________________________________
>>>>> TLS mailing list -- tls@ietf.org
>>>>> To unsubscribe send an email to tls-leave@ietf.org
>>>>> _______________________________________________
>>>>> TLS mailing list -- tls@ietf.org
>>>>> To unsubscribe send an email to tls-leave@ietf.org
>>>>>
>>>>

v2.29.0 | Report a Bug | By Email | System Status