search

open-quantum-safe / openssh

Fork of OpenSSH that includes prototype quantum-resistant key exchange and authentication in SSH based on liboqs. PROJECT INACTIVE. CONTRIBUTORS WANTED.
https://openquantumsafe.org/
Other
166 stars 60 forks source link

PQ KEM method names per draft iteration #134

Closed csosto-pk closed 1 year ago

csosto-pk commented 1 year ago

Hi folks,

Some collaborators are trying to interop our PQ SSH key exchange in NIST NCCOE's PQ Migration effort. As we are working through this, we will all try to interop with the ecdh-nistp256-kyber-512-sha256. It is supported in OQS OpenSSH and wolfSSH, which is great.

Now there is one concern about backwards compatibility. Someone that implements the method name ecdh-nistp256-kyber-512-sha256 today may have interop issues in a couple of years when Kyber has been slightly tweaked or something in the method has been tweaked in the draft and the peer implements the latest version. That is a concern for any RFC draft which changes over time.

To prevent such problems we could introduce a temporary identifier that basically creates a snapshot of the method in time. For example, we could rename ecdh-nistp256-kyber-512-sha256 to method name ecdh-nistp256-kyber-512r3-sha256-d00. That basically means the method is specific to the time it was implemented (Kyber-512 round 3 the way draft -00 explained the method). In the next change which breaks compatibility for that method, its name will change to something like ecdh-nistp256-kyber-512r4-sha256-d01 or something like that. So, old clients that were not upgraded would not be able to negotiate ecdh-nistp256-kyber-512r3-sha256-d00 any more and they would still interop using classical methods. When the RFC is ratified, the final standardized name would be ecdh-nistp256-kyber-512-sha256

I know this is not something we have done for TLS 1.3 group names, or SSH methods. But have you given it any thought? Would it be too much overhead to rename the method every time something underlying (KEM algorithm, or implementation detail) changes?

baentsch commented 1 year ago

Would it be too much overhead to rename the method every time something underlying (KEM algorithm, or implementation detail) changes?

Simple answer probably is "No": Speaking for the arguably equivalent TLS group names that I'm more familiar with, it surely would be possible to map them to specific liboqs versions (carrying specific Kyber versions); it's "just software" after all and "there's no problem in CS that cannot be solved by another level of indirection".

But I see the following implications/questions affecting any software where different algorithm versions are lifted to/exposed at "user level":

So, old clients that were not upgraded would not be able to negotiate ecdh-nistp256-kyber-512r3-sha256-d00 any more and they would still interop using classical methods.

This I find very risky: Is the suggestion that although PQ has been configured, the client shall silently fall back to classic crypto because of an algorithm version mismatch? Wouldn't it be more advisable to have users experience a real error (due to client and server not being able to interop via PQ due to actually different algorithms being used) such as to trigger a check of code/library version and a suitable upgrade?

In sum, I'd personally try to refrain from creating PQ "legacy software" (defined as code that can keep working in a future it wasn't written for) from the get-go, but rather standardize things more quickly. I do agree, though, that using names without some "draft" moniker can mislead users into thinking PQ is already as stable as classic crypto.

csosto-pk commented 1 year ago

Hi Michael @baentsch ,

Thx for the feedback.

Bigger issue: Which entity defines "the need" for a name change -- and to which specific name?

The way I think it should work is that every time you are making a compatibility breaking change, that is where you change the identifier. For example, if you change the combiner (in SSH the draft has option 1, 2a, 2b and 2c), or if there is a new Kyber Round 4 version. One example for TLS 1.3 is when the IETF draft switched from using the length of the key_share before the key/ciphertext itself. A later version of the draft removed the length, and that would trigger a new group identifier to negotiate.

The IETF draft should be responsible for incrementing this value imo. I mean for TLS 1.3, right now OQS OpenSSL is the source of truth, so OQS OpenSSL would be defining new identifiers for TLS 1.3 until the draft started defining them. But generally speaking, the IETF draft should be changing the identifiers per iteration (in the end only the final one is added in the IANA registry of course).

Practically, (sample) code / downstream integrations would need to be constantly upgraded as some PQ algorithm detail changes if that is encoded in a (configurable) name. I'm not sure everyone would appreciate this.

I think only the compatibility breaking changes warrant a new identifier. And to be honest, someone would not need to drop the old ones. No one needs to drop support for old identifiers, so that does not break backward compatibility. Only very up-to-date implementations would be negotiating the latest identifiers, older ones could still be functional with older ones.

In sum, I'd personally try to refrain from creating PQ "legacy software" (defined as code that can keep working in a future it wasn't written for) from the get-go, but rather standardize things more quickly.

I understand, and to be honest this has not been done well in the past either. Other RFC drafts have not been using a similar logic.

Let me rephrase my question, and focus on OpenSSH. As we are working through the draft, what if we added an extra identifier? Currently the draft includes SSH method names:

What if we made them

Would OQS OpenSSH be willing to add support for these two in OQS OpenSSH?

dstebila commented 1 year ago

I agree that versioning the names makes sense, and in principle yes we should do that in OQS-OpenSSH. One tricky part is making sure we actually get the version naming correct, but we should be able to figure that out. As the underlying liboqs will only have one version of an algorithm available at a time, we won't be able to have multiple versions available -- e.g., once we migrate liboqs to kyber-512r3, we won't have kyber-512r2 available in the same binary.

dstebila commented 1 year ago

Regarding putting the draft identifier in, how do you plan to deal with increments to the draft that don't affect the actual technical details? For example, if d05 and d06 yield the same protocol, but just the text changes, what should be in the implementation?

csosto-pk commented 1 year ago

Hi Douglas,

As the underlying liboqs will only have one version of an algorithm available at a time,

Agreed. OQS OpenSSH or any other implementation that is not worried about backwards compatibility would just keep updating the latest method name / identifier and it would just forget about the previous one. You would only support the latest version.

Often drafts put in TBD in the new identifiers when IANA has not assigned them. Basically we do the same thing and just put something in for implementers to implements.

Note that I am mostly focusing on OQS OpenSSH right now. OQS OpenSSL did not have any identifiers in the draft, so pretty much OQS historically defined the test identifiers. And updating them in the very early stages with all the algorithms would be hard. So, I am OK with the TLS 1.3 identifiers. I just want to address the OpenSSH problem now that we have a draft to follow.

Regarding putting the draft identifier in, how do you plan to deal with increments to the draft that don't affect the actual technical details? For example, if d05 and d06 yield the same protocol, but just the text changes, what should be in the implementation?

I think in this case we would skip 06 and stay at 05 . We would just use the 0x only for the next version that makes a compatibility breaking change. To avoid confusion, note that we could do it by just putting in ecdh-nistp256-kyber-512r3-sha256-tmp1, ecdh-nistp256-kyber-512r4-sha256-tmp2 etc if we did not want to tie it to the draft version. Other ways could be possible too.

dstebila commented 1 year ago

Makes sense, sounds good to me.

csosto-pk commented 1 year ago

Sorry, updating this again based on discussions. I think we are in agreement here.

After discussing it, we realized that the names as they are will not overlap in the final ratified version of the draft because there will be no Kyber. NIST will rename it to MLWE-KEM or something like that. Let's say we keep he names as they are in the draft for now

Sorry, I take it back. I think I will change the draft to include the versioning even for the first version. That will be ecdh-nistp256-kyber-512r3-sha256-tbd1 and x25519-kyber-512r3-sha256-tbd1. We want to be backwards compatible.

In the next iteration of the draft that breaks backwards compatibility, update the names to follow the new nomenclature ecdh-nistp256-kyber-512r4-sha256-tbd2 and x25519-kyber-512r4-sha256-tbd2 or something like that.

@dstebila , @baentsch , @christianpaquin , we will submit a PR to update the name in OQS OpenSSH to support both ecdh-nistp256-kyber-512r3-sha256-tbd1 and ecdh-nistp256-kyber-512r3-sha256 so you don't break backwards compatibility.

Let us know if you are violently against this, so we don't go through the trouble.

csosto-pk commented 1 year ago

I think this can be closed since we have consensus. I will leave this to the OQS team if they agree.