"Variable-length" and "secret" don't really go together in the same sentence, as your work demonstrates. I would actually go further and strike that text altogether. I don't think it needs to be an open question. That lets us stick with a simple construction.
While the public values aren't secret so there's less strong of a guarantee, I'd go even further to drop the length prefixes inside the HybridKeyExchange structure. That saves four bytes on the wire. If someone does want to allocate a codepoint that needs the length prefixes, they can always define it for that code point. (That's another nice thing about using separate code points for separate hybrids rather than generic crypto combinators. We don't have to design for every improbable possibility.) I will note, we did have variable-width public values in DHE, but that caused interop issues and we fixed it in https://github.com/tlswg/tls13-spec/pull/458. David On Wed, Sep 16, 2020 at 12:27 PM Nimrod Aviram <nimrod.avi...@gmail.com> wrote: > Dear all, > > We are writing to ask about the possible security impact of > variable-length secrets on the "Hybrid key exchange in TLS 1.3" RFC > [1]. > > As you probably know, when using key material of variable length > and processing this material using hash functions, a timing side > channel may arise. In broad terms, when the secret is longer, the hash > function may need to process more blocks internally. In some unfortunate > circumstances, this has led to timing attacks, e.g. Lucky Thirteen [2] > and the newly-disclosed Raccoon Attack [3]. To be clear, we are not > aware of any attack on the proposed standard. Rather, we view this as > an opportunity to defend-in-depth against such attacks, while work on > the standard is in progress. > > Our proposal is to add language to the RFC explaining that variable-length > secrets may enable such attacks, and should therefore be avoided when > possible. Currently, the language seems to allow for variable-length > secrets, should the need arise: > "Variable-length shared secrets ... if it is envisioned that this > specification > be used with algorithms which do not have fixed-length shared secrets ..." > > We also note that a related RFC exists, "Hybrid Post-Quantum Key > Encapsulation Methods (PQ KEM) for Transport Layer Security 1.2" > [4]. However, that RFC apparently only uses BIKE, Kyber or SIKE as the > PQ KEM. To our knowledge, all three KEMs have fixed-length secrets. It > may be prudent to add cautionary language to that document as well, > in case other KEMs are used in the future. > > Kind regards, > The Raccoon Team > > [1] > https://www.ietf.org/id/draft-ietf-tls-hybrid-design-00.html#name-open-questions > [2] https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6547131 > [3] https://raccoon-attack.com/ > [4] > https://tools.ietf.org/id/draft-campagna-tls-bike-sike-hybrid-05.html#name-key-exchange-algorithms > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls