Bring back more ciphersuites #279
Conversation
| | Component | Contents | | ||
| |:----------|:---------| | ||
| | MLS | The string "MLS" followed by the major and minor version, e.g. "MLS10" | | ||
| | LVL | The security level | |
There was a problem hiding this comment.
This doesn't seem all that useful, I would drop it.
There was a problem hiding this comment.
The idea is to give you a rough idea of the overall security level for informational purposes. Maybe @beurdouche can elaborate more on that.
draft-ietf-mls-protocol.md
Outdated
|
|
||
| * Hash function: SHA-256 | ||
| * AEAD: AES-128-GCM | ||
| The ciphersuites are defined in section {{MLS Ciphersuites}}. |
There was a problem hiding this comment.
I think you need a bit more description here, just to say what a ciphersuite indicates, namely:
- Parameters for an instance of HPKE
- A KDF to be used
- As a consequence, a Derive-Key-Pair function, as defined below.
There was a problem hiding this comment.
Also, does {{MLS Ciphersuites}} actually work? Might need to be {{mls-ciphersuites}}.
There was a problem hiding this comment.
- That's why I wanted to leave "HPKE" in the name of the ciphersuite
- I guess that should then go in line 809
- That's what we have in the "Diffie-Hellmann groups section"
Regarding the notation for hyperlinks, I'll take your word for it
There was a problem hiding this comment.
I fixed this in mine. The anchor is {#anchor} and then you link in text with {{anchor}}.
|
|
||
| When HPKE is used with this ciphersuite, it uses the following | ||
| algorithms: | ||
| ### Notes on Diffie-Hellman groups |
There was a problem hiding this comment.
This extra section heading doesn't seem necessary.
There was a problem hiding this comment.
I blew it away in mine.
| * Hash function: SHA-256 | ||
| * AEAD: AES-128-GCM | ||
| Given an octet string X, the private key produced by the | ||
| Derive-Key-Pair operation is SHA-512(X) truncated to 448 bits (Recall that any 56-octet |
There was a problem hiding this comment.
Should we use HKDF instead of SHA directly? In other words, make node secrets variable-length, where the length is determined by the KEM in use.
- P256, X25519: 32 bytes
- X448: 56 bytes
- P521: 66 bytes
As a bonus, that would save a couple of hash invocations.
There was a problem hiding this comment.
Unless there is a specific reasons not to do it (cc @beurdouche), I think it would be great to harmonise this. Having different hash algorithms in here makes no sense to me if it can be avoided.
|
It seems like we have a few separable issues here:
Let's discuss this at the interim and maybe break this PR into a few bits |
This seems to accurately reflect the consensus we had at the last interim, and there's nothing I can't live with otherwise.
I will probably file a follow-up to convert the Derive-Key-Pair operations to use HKDF directly, as discussed, avoiding the need for intermediate node_secret values or truncation of SHA-512.
bifurcation
added
today! (?)
There are some items missing that I believe we agreed on at the last in-person interim:
- It's not clear from reading the PR that the signature scheme is now fixed per-group.
- Need to verify that CIKs correspond to current suite and express support for all algorithms currently used.
- Recommendation that we be conservative when adding new suites in the future.
- Justification for why the current suites are minimal.
bifurcation
added
ready to merge
and removed
today! (?)
|
Note that specification required registries imply that there is a designated expert pool. I will add some text to create one. The text is very similar to the TLS DE pool text from RFC8447 with some tweaks that, hopefully, address the misunderstandings uncovered during non-standards track registry requests. Note the process is: (assuming that the IESG eventually approves this draft) When the IESG approves this draft, the responsible AD assigns some DEs (like 2-3 suggested by the WG chairs). These DEs are in charge of all registrations regardless of whether the draft comes from the WG or elsewhere as all requests go to the MLS DEs mailing list. |
| X25519_SHA256_AES128GCM(0x0001), | ||
| (0xFFFF) | ||
| } CipherSuite; | ||
| The signature algorithm specified in the ciphersuite is the mandatory algorithm to be used for the signatutes in MLSPlaintext and the tree signatures. It can be different from the signature algorithm specified in credential fielf of ClientInitKeys. |
There was a problem hiding this comment.
- Please wrap this at 80-ish chars
- "field"
- Can it really be different?
| Derive-Key-Pair operation is SHA-256(X). (Recall that any 32-octet | ||
| string is a valid Curve25519 private key.) The corresponding public | ||
| Derive-Key-Pair operation is SHA-256(X) (Recall that any 32-octet | ||
| string is a valid X25519 private key). The corresponding public |
There was a problem hiding this comment.
The punctuation was correct before
Alternatively, lower-case r in "Recall"
draft-ietf-mls-protocol.md
Outdated
| CipherSuite MLS_LVL_KEM_AEAD_HASH_SIG = VALUE; | ||
| ~~~ | ||
|
|
||
| Where VALUE is a is represented as two 8bit octets: |
There was a problem hiding this comment.
VALUE is represented
8-bit
| | KEM | The KEM algorithm used for HPKE in TreeKEM group operations | | ||
| | AEAD | The AEAD algorithm used for HPKE and message protection | | ||
| | HASH | The hash algorithm used for HPKE and the MLS KDF | | ||
| | SIG | The Signature algorithm used for message authentication | |
There was a problem hiding this comment.
lower-case s in "Signature"
| The initial contents for this registry are as follows: | ||
| The mandatory-to-implement ciphersuite for MLS 1.0 is | ||
| `MLS10\_128\_HPKE25519\_AES128GCM\_SHA256\_Ed25519` which is using | ||
| Curve25519, HKDF over SHA2-256 and AES-128-GCM for HPKE, |
There was a problem hiding this comment.
HKDF over SHA-256, AES-128-GCM for HPKE,
| `MLS10\_128\_HPKE25519\_AES128GCM\_SHA256\_Ed25519` which is using | ||
| Curve25519, HKDF over SHA2-256 and AES-128-GCM for HPKE, | ||
| and AES-128-GCM with Ed25519 for symmetric encryption and | ||
| signatures. |
There was a problem hiding this comment.
"message encryption and authentication"
No description provided.