key component order in hybrid keys #579
Comments
|
Ouch. Are you saying that the TLS RFC for the same hybrid combination requires a different concatenation order (plus a hash) than the SSH RFC? A quick glance over both documents seems to confirm this: https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design-10:
vs https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke/
--> This clearly is currently not supported by oqsprovider: It only caters for the TLS1.3 KEM use case. That said, it should be possible to define a different(ly named) hybrid supporting the SSH semantics -- but that requires code changes... Thus, the enhancement label seems appropriate.... |
|
For protocol just published second part from pkix-ssh [hybrid-demo] (https://gitlab.com/secsh/pkixssh/-/commits/hybrid_demo), commits
Quite from "hack": interoperability test between asyncssh as client and pkix-ssh as server pass. |
|
Let put "on hold" any implementation attempts (enhancements) in "oqs-provider". I'm still thinking about model to use. One possible model uses two pkeys. |
Completely agree.
That's the approach pursued in OpenSSL: openssl/openssl#25884 |
|
@dstebila As you are the author of both specs, can you shed some light on this: It seems you intentionally created different logic for what's conceptually the same thing: Why? The below is a bit shy on details:
Is your expectation that a "hybrid" implementation takes an option to differentiate the "flavour" to support both? Or would there be a rationale for completely separate implementations? What's your expectation how (whether?) oqsprovider should handle either (or indeed, both)? In my eyes TLS hybrid logic always took preference, neglecting SSH hybrids. Or even more generally, in which way do you envision OQS cares about SSH using (want to support use of?) openssl (and oqsprovider in turn) in this regard? Could you see a way to streamline the support for "oqs-openssh" by way of using |
|
In a sense, TLS also hashes the concatenated shared secrets together, it's just that that operation is already part of the existing TLS key schedule (HKDF.Extract to get handshake secret), whereas SSH does not have a key schedule in between the raw shared secret derivation and the next level of the SSH key exchange computations (called the "exchange hash"), so the SSH draft explicitly hashes the concatenation before feeding it up to the "exchange hash" portion of the protocol. Of course in TLS one could hash the raw concatenation before feeding it up to the existing TLS key schedule; but that introduces an extra hash computation, increasing cost. I'm struggling to understand the rest of your comment. Right now, oqs-provider does several things, including: exposing un-hybridized KEMs via the EVP API; and adding hybrid key exchange groups to TLS 1.3 key exchange in OpenSSL. SSH implementations needing to build hybrid key exchange to implement the SSH draft can do so by separately calling the un-hybridized KEMs via the EVP API, regardless of whatever hybridization post-processing is done in the TLS 1.3 hybrid key exchange portion of oqs-provider. Unless you are asking if oqs-provider should add new functionality exposing hybridized KEMs via the EVP API, in which case the question becomes: what hybridization format/flavour? Each hybridization format/flavour effectively has 3 choices: how to hybridize public keys, how to hybridize ciphertexts, and how to hybridize shared secret calculation. If this is what you are wanting to do, then unfortunately yes, one would require differentiating between different hybridization formats/flavours:
|
|
Thanks for the background @dstebila .
Good solution. It'd be nice if the provider hybrid code doesn't get even more convoluted and hard to grasp by adding another option just for SSH.
I don't want to do it; the thought crossed my mind that it may be a "friendly" option that might eliminate "the need" for OQS maintaining a separate SSH fork and SSH users having to write separate code. But then again, I don't know enough about (Open)SSH to judge whether this is realistic/possible. Either way, OK to close the issue as per the recommendation by @dstebila above, @petrovr ? |
|
PKIX-SSH is different project that uses OpenSSL EVP API in preference while OpenSSH still produce code with deprecated in OpenSSL 0.9.8 (released in 2005) API. Using EVP API plus PKEY allows easily to integrate functionality profiled by cryptographic library.
Another point is #572. It seems to me code may use "....encoded..." function instead "...raw..." one (**). Dilemma: To use (*) and (**) with exiting functionality or to implement own composite algorithm. It seems to me second one ensure easy integration with functionality already delivered (existing OS packages). Conclusion: Hybrid Key Exchange in SSH requires only 3 new description records in oqs-provider but I'm not sure who will use this. Off-topic: final "digest" - it is part of another expired draft with "Streamlined NTRU Prime" i.e., used in existing ssh programs that implements it. So those programs need only TLS like functionality to exist and should reuse "digest" specific to ssh. |
Documentation "Internet-Draft":
According documentation X25519MLKEM768(see 1) group match mlkem768x25519-sha256(see 2) key exchange.
The difference is between "SecP256r1MLKEM768" and "mlkem768nistp256-sha256" and "mlkem1024nistp384-sha384" from (2). SSH draft defines always classical(traditional) key as second. TLS draft puts P-256 first in SecP256r1MLKEM768, as reason is in (1).
Also oqs-provider defines "p384_mlkem1024" using rules from (1).
Question (defect, enhancement) is how to use oqs-provider to get key order according specifications.
Unlike #572 this is specific to some hybrid definitions.
The text was updated successfully, but these errors were encountered: