[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01

LAMPS                                                       M. Ounsworth
Internet-Draft                                          Entrust Datacard
Intended status: Informational                        September 17, 2019
Expires: March 20, 2020


   Post-quantum Multi-Key Mechanisms for PKIX-like protocols; Problem
                Statement and Overview of Solution Space
                   draft-pq-pkix-problem-statement-01

Abstract

   With the widespread adoption of post-quantum (PQ) cryptography will
   come uncertainty about the strength of cryptographic primitives.  For
   example; when will RSA and ECC fall?  Are Lattice schemes as strong
   as we believe?  The cryptographic community is calling for hybrid
   schemes that combine classic and post-quantum crypto in ways that
   remain strong so long as at least one of the algorithms used remains
   strong.

   This document defines the problem statement for digital signatures in
   PKIX-like protocols, and gives an overview of the general families of
   solutions.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 20, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents



Ounsworth                Expires March 20, 2020                 [Page 1]


Internet-Draft       PQ PKIX Sigs Problem Statement       September 2019


   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Problem Statement . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Formal Security Requirements  . . . . . . . . . . . . . .   2
   2.  Solution Space  . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  "Composite" concatenated keys and signatures  . . . . . .   4
     2.2.  Application: X.509  . . . . . . . . . . . . . . . . . . .   5
       2.2.1.  Multiple Certificate Chains . . . . . . . . . . . . .   5
       2.2.2.  "Hybrid" v3 extensions  . . . . . . . . . . . . . . .   6
   3.  Conclusion  . . . . . . . . . . . . . . . . . . . . . . . . .   7
   4.  Intellectual Property Considerations  . . . . . . . . . . . .   8
   5.  Contributors and Acknowledgements . . . . . . . . . . . . . .   8
   6.  Informative References  . . . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Problem Statement

   In general terms, "hybrid" or "layered" signatures means that the
   document signer performs multiple, parallel, signatures over the
   document and provides them all to the verifier.  The verifier's job
   is to check that all signatures are valid.

   The general concept is straight-forward, but the devil is in the
   details.

1.1.  Formal Security Requirements

   A solution to the PQ multi-signature problem MUST meet the following
   "security" properties:

   o  S1.  In order to break the overall signature, an attacker must
      break all the signatures.

   o  S2.  Robust to stripping and substitution attacks, which in most
      cases reduces to the following statement: the verifier needs a way
      to know which and how many signature algorithms to expect on a
      given message.

   A solution to the PQ multi-signature problem MAY meet the following
   "desirable" properties, depending on context of the protocol in which



Ounsworth                Expires March 20, 2020                 [Page 2]


Internet-Draft       PQ PKIX Sigs Problem Statement       September 2019


   the signature is being performed.  And yes, some of these conflict
   with each other:

   o  D1.  The set of signing algorithms is negotiated dynamically
      between client and server.

   o  D2.  Since post-quantum public keys and signatures are large, they
      should only be sent when you know the client will verify them.
      For bonus points, the protocol should control when and how the
      large PQ data is transmitted.  Note that all three schemes below
      could include a hash and external delivery of the large post-
      quantum data (for example, HTTP URL, delivered via protocol
      extension, etc).  Since this trick is orthogonal to and applies
      equally to all three schemes, it is not considered here.

   o  D3.  Backwards compatibility: there is a mechanism either for the
      client to negotiate whether it wants multi-key signatures, or the
      signature mechanism is designed in such a way that a legacy
      verifier will ignore the PQ parts.

   o  D4.  Protocol compatibility: a multi-key solution should "drop-in"
      to existing protocol message formats.  For example, a solution
      where any PKIX-like protocol simply needs to pick up new OIDs with
      no other code changes would meet this property.  Note that this
      conflicts with D2 which (probably) requires protocol-level
      awareness of the multiple keys.

   o  D5.  A mechanism that supports 3 or more algorithms is desirable
      to hedge our bets against algorithm compromise; possibly allowing
      a set of public keys / signatures to continue being used so long
      as there remain an acceptable number of un-broken algorithms.

   o  D6.  Some applications may be limited to a single signing
      certificate and/or key without significant redesign (for example
      smart cards).

2.  Solution Space

   At the time of writing, there have been proposed three broad families
   of solutions being considered: concatenating multiple public keys and
   signatures together into a large single public key / signature
   object, multiple independent traditional certificate chains, and
   placing PQ data into v3 extensions.  Since this discussion came out
   of LAMPS, the solutions that have drafts are X.509-focused, but we
   note that the first solution ("composite") is more general.

   Each solution space is described below.  I am trying to keep these
   abstract and not solution-specific.



Ounsworth                Expires March 20, 2020                 [Page 3]


Internet-Draft       PQ PKIX Sigs Problem Statement       September 2019


2.1.  "Composite" concatenated keys and signatures

   Concatenate public keys, algorithmIDs, and signatureValues into
   "composite" versions of those structures.

   Pros:

   o  D4: "Drop-in" to most protocols because once the underlying crypto
      layer supports the composite primitive, then the protocol only
      needs to add support for the composite algorithmID.

   o  D5: Trivially extends to 3 or more algorithms.

   o  Complexity of composite signature generation and verification is
      moved to crypto layer, and therefore protocol designers and
      implementers do not need to worry about it.  Note this is also a
      con, see below.  Crypto layer maintainers have control of which
      combinations of algorithms are acceptable.  This could be exposed
      to the application layer, for example, through config files or
      APIs.

   o  D6: - D6: Single certificate and key object should be a near drop-
      in replacement for applications such as smart cards whose
      architectures limit them to a single certificate.

   Cons:

   o  D1: Does not apply well to negotiated protocols, at least not
      without a quadratic or exponential proliferation of certificates
      using every combination of algorithms (possibly equip servers with
      two certificates: a high-security certificate, and a high-
      compatibility one).  Another option is to allow servers to perform
      signatures with a subset of keys in the certificate, or allow
      clients to selectively ignore some signatures.  Note that this
      requires a complex verification algorithm which is easy to mis-
      implement, and makes it very difficult to detect stripping
      attacks.  So this is probably not a good direction to go.

   o  D2: All public keys and signatures are contained in the
      certificate, and therefore need to be transferred.

   o  D3: Is not immediately backwards-compatible since clients need to
      be patched to understand the composite message structures and OID.
      But once that's done the verification algorithm can be designed to
      skip unknown algorithmIDs (this is not unique to this scheme, and
      violates D2, but it's possible _shrug_).





Ounsworth                Expires March 20, 2020                 [Page 4]


Internet-Draft       PQ PKIX Sigs Problem Statement       September 2019


   o  Policy moved to crypto layer; protocol can not (easily) be
      negotiate the algorithms, or control what counts as an
      "acceptable" combination of algorithms.

   Neutral:

   o  S1 & S2: Substitution and stripping attacks; if an attacker can
      break one or more of the signature algorithms, then they can strip
      out the other algorithmIDs and re-generate the signatures they
      have broken.  This can be mitigated by requiring that a composite
      public key produces signatures using all keys.  A verifier can
      check against their local trust store to see that the EndEntity
      certificate contains the same algorithms as its issuer.

   o  D2: Large PQ data is always sent to the client.  This can be
      either viewed as a bad thing (bandwidth) or a good thing (protect
      data now, patch clients later).

   This family of solutions has been instantiated in [draft-ounsworth-
   pq-composite-sigs-01].

2.2.  Application: X.509

2.2.1.  Multiple Certificate Chains

   If you want multiple public keys on multiple cryptographic
   algorithms, then get multiple certificates from multiple PKIs.  The
   protocol has control of negotiating which algorithms get used, how to
   encapsulate the large PQ data, etc.  In many ways, this is the most
   obvious solution.

   Pros:

   o  D1: Highly friendly to negotiated protocols since it allows the
      server to sign a transaction with the combination of algorithms
      that was negotiated with the client.

   o  D2: Protocol has control of how and when to transmit the large PQ
      certificates and signatures.

   o  During the RSA to ECC migration, many web servers added support
      for loading multiple certificates, and deciding which to use based
      on the TLS negotiation, so this work is already half done.

   o  D3: Clients will only be served certificate algorithms that they
      have requested.





Ounsworth                Expires March 20, 2020                 [Page 5]


Internet-Draft       PQ PKIX Sigs Problem Statement       September 2019


   o  D4: Does not require any modification to PKI hierarchies.  Does
      not require any changes to X.509, and only minor changes to CMS
      (for example, current CMS implementations have inconsistent
      behaviour when multiple SignerInfos are present).

   o  D5: Trivially extends to 3 or more certificates on different
      algorithms.

   Cons:

   o  S1 & S2: Unclear how this applies to non-negotiated protocols.

   o  S1 & S2: mitigation against stripping and substitution attacks is
      left up to the protocol, and is easy to get wrong.  Possibly some
      kind of extension could be placed in root CA certs to indicate
      which "sister PKIs" a verifier can expect to see, but such a
      solution would be fairly complex.

   o  D4: Requires updates to all protocols to add or specify the
      behaviour of multiple SignatureAlgorithm and SignatureValue
      fields.

   o  D6: Will have compatibility issues with applications such as smart
      cards that are limited to a single signing certificate.

   At time of writing, I am not aware of any internet drafts or other
   implementations of this family of solutions.

2.2.2.  "Hybrid" v3 extensions

   Place the PQ data into X.509v3 extensions.  This has two general
   forms; the "PQ extension" contains a complete second certificate, or
   the "PQ extensions" contain an alternative public key, signature
   algorithm, and signature value.

   Pros:

   o  D3: Highly backwards compatible; if the PQ extension(s) are marked
      as non-critical, then legacy clients will ignore the PQ data and
      verify the "outer" signature as normal.

   o  D6: Single certificate should be compatible with applications such
      as smart cards whose architectures limit them to a single
      certificate.  Though API / communication with the card would need
      to support two signatures or challenge-responses.

   Cons:




Ounsworth                Expires March 20, 2020                 [Page 6]


Internet-Draft       PQ PKIX Sigs Problem Statement       September 2019


   o  D1: Does not apply well to negotiated protocols; at least not
      without a quadratic proliferation of certificates on every
      combination of algorithms.

   o  D3: May be too backwards-compatible; in a large PKI deployment, it
      is very hard to be know if/when clients are all using the PQ data.

   o  D4: Requires updates to all protocols to add or specify the
      behaviour of multiple SignatureAlgorithm and SignatureValue
      fields.

   o  D5: Does not extend to 3 or more keys + signatures on its own, but
      could be used in combination with the "composite" solution to do
      so.

   Neutral:

   o  S1 & S2: Substitution and stripping attacks; if an attacker can
      break the outer signature (assumed to be RSA for backwards
      compatibility reasons), then they can strip or substitute the PQ
      extension and re-generate the outer signature.  This can be
      mitigated by requiring that a hybrid CA containing an alt public
      key always produces hybrid certificates containing a corresponding
      alt signature.  When building a certificate chain, a verifier can
      check that alt signatures are present and valid all the way down
      the certificate chain.

   o  D2: Large PQ data is always sent to the client.  This can be
      either viewed as a bad thing (bandwidth) or a good thing (protect
      data now, patch clients later).

   This family of solutions has been instantiated in [draft-truskovsky-
   lamps-pq-hybrid-x509-01], and has a related standard currently before
   the ITU.

3.  Conclusion

   None of these solution families are a panacea.  Multi-cert looks
   preferable for online negotiated protocols, hybrid looks preferable
   for environments with strong backwards compatibility requirements for
   legacy clients, and composite looks preferable for controlled
   environments where you know the clients will support the composite
   message format.








Ounsworth                Expires March 20, 2020                 [Page 7]


Internet-Draft       PQ PKIX Sigs Problem Statement       September 2019


4.  Intellectual Property Considerations

   Hybrid certificates, specifically [draft-truskovsky-lamps-pq-hybrid-
   x509-01] has IPR held by ISARA which has an IPR statement available
   at https://datatracker.ietf.org/ipr/3287/.

   Composite certificates, specifically [draft-ounsworth-pq-composite-
   sigs-01] has IPR held by Max Pala and CableLabs, but with open
   license terms, available at https://datatracker.ietf.org/ipr/3481/.

5.  Contributors and Acknowledgements

   This document incorporates contributions and comments from a large
   group of experts, including the authors list of [draft-ounsworth-pq-
   composite-sigs-01] and hallway chats at IETF105 and other crypto
   conferences.

   This document borrows text from similar documents, including those
   referenced below.  Thanks go to the authors of those documents.
   "Copying always makes things easier and less error prone" -
   [RFC8411].

6.  Informative References

   [I-D.ounsworth-pq-composite-sigs]
              Ounsworth, M. and M. Pala, "Composite Keys and Signatures
              For Use In Internet PKI", draft-ounsworth-pq-composite-
              sigs-01 (work in progress), July 2019.

   [I-D.truskovsky-lamps-pq-hybrid-x509]
              Truskovsky, A., Geest, D., Fluhrer, S., Kampanakis, P.,
              Ounsworth, M., and S. Mister, "Multiple Public-Key
              Algorithm X.509 Certificates", draft-truskovsky-lamps-pq-
              hybrid-x509-01 (work in progress), August 2018.

   [RFC8411]  Schaad, J. and R. Andrews, "IANA Registration for the
              Cryptographic Algorithm Object Identifier Range",
              RFC 8411, DOI 10.17487/RFC8411, August 2018,
              <https://www.rfc-editor.org/info/rfc8411>.

Author's Address










Ounsworth                Expires March 20, 2020                 [Page 8]


Internet-Draft       PQ PKIX Sigs Problem Statement       September 2019


   Mike Ounsworth
   Entrust Datacard Limited
   1000 Innovation Drive
   Ottawa, Ontario  K2K 1E3
   Canada

   Email: mike.ounsworth@entrustdatacard.com












































Ounsworth                Expires March 20, 2020                 [Page 9]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/