Hi, I am worried about the ITU-T work on TLS, which seems to significantly lower the security. https://datatracker.ietf.org/liaison/2141/
I suggest that TLS WG replies as follows:

----------------------------------

TLS WG is concerned that ITU-T describes QKD as a technology that can be practically deployed today. Previous IETF discussions have concluded that QKD is not practically secure at present, but may become usable in a few decades as a defense-in-depth mechanism for point-to-point connections. QKD implementations today are not practically secure, even for point-to-point connections, and are even less suitable over longer distances. The concept of “trusted nodes” runs counter to established security principles such as zero trust and end-to-end encryption.

Alarmingly, some QKD and QRNG vendors claim that their products are “unbreakable” and that their output can be used directly for cryptographic purposes without a CSPRNG or asymmetric cryptographic algorithms for key exchange and authentication. These are exactly the kinds of statements one would expect from a hardware vendor secretly influenced by a SIGINT organization.

The TLS WG agrees with the direction taken by the Pentagon to not test, pilot, use, or procure QKD and PSK-based solutions for quantum resistance, and to phase out symmetric key distribution.
https://dowcio.war.gov/Portals/0/Documents/Library/PreparingForMigrationPQC.pdf

The solution in ITU-T Y.QKD-TL would not enhance the security of TLS; it would severely weaken it. ITU-T should recommend migration to hybrid key exchange mechanisms such as X25519MLKEM768, which have already seen significant deployment.
https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
https://radar.cloudflare.com/post-quantum

The use of psk_ke symmetric key distribution significantly weakens the security of TLS by removing asymmetric cryptographic algorithms for key exchange and authentication. The psk_ke mode was designed for constrained IoT environments, is disabled in many TLS libraries, and is not suitable for high-security use cases such as critical infrastructure.

If PSK-based solutions for quantum resistance are used, they should follow RFC 8773 (and its revision, 8773bis), which retains both certificate-based authentication and ephemeral key exchange. This ensures that security is not weakened by the introduction of PSK-based mechanisms for quantum resistance.
https://www.rfc-editor.org/rfc/rfc8773.html
https://datatracker.ietf.org/doc/draft-ietf-tls-8773bis/

----------------------------------

Cheers,
John Preuß Mattsson
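The distinction the message draws between psk_ke (PSK without ephemeral key exchange) and the RFC 8773 style of combining an external PSK with (EC)DHE and certificate authentication is visible on the wire in the ClientHello. The following is an added example, not code from the message or from any IETF or ITU-T document: a small defender-side checker that parses a TLS 1.3 ClientHello and flags a PSK offer that lacks psk_dhe_ke or a key_share, and a client that offers no hybrid post-quantum group. Extension numbers and mode values are from RFC 8446; the X25519MLKEM768 code point 0x11EC is from draft-ietf-tls-ecdhe-mlkem. The two sample ClientHellos and the PSK identity in them are constructed for this example and do not come from a real client.

```python
"""Flag psk_ke-only ClientHellos and missing hybrid PQ groups (added example)."""
import struct

# Extension types and PSK modes from RFC 8446; hybrid group from draft-ietf-tls-ecdhe-mlkem.
EXT_SUPPORTED_GROUPS, EXT_PRE_SHARED_KEY, EXT_PSK_KEY_EXCHANGE_MODES, EXT_KEY_SHARE = 10, 41, 45, 51
PSK_KE, PSK_DHE_KE = 0, 1          # 0 = PSK only (no forward secrecy), 1 = PSK with (EC)DHE
GROUP_X25519, GROUP_X25519MLKEM768 = 0x001D, 0x11EC
HYBRID_PQ_GROUPS = {GROUP_X25519MLKEM768}


def parse_client_hello(msg: bytes) -> dict:
    """Parse a handshake-layer ClientHello (type 1) into the fields the checker needs."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                    # legacy_version + random
    pos += 1 + body[pos]                            # legacy_session_id<0..32>
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                               # cipher_suites (skipped)
    pos += 1 + body[pos]                            # legacy_compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length mismatch")
    info = {"groups": [], "psk_modes": None, "has_psk": False, "has_key_share": False}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_GROUPS:           # uint16 length + uint16 NamedGroup list
            n = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == EXT_PSK_KEY_EXCHANGE_MODES:   # uint8 length + uint8 mode list
            info["psk_modes"] = list(data[1:1 + data[0]])
        elif etype == EXT_PRE_SHARED_KEY:
            info["has_psk"] = True
        elif etype == EXT_KEY_SHARE:
            info["has_key_share"] = True
    return info


def assess(info: dict) -> list:
    """Return findings a defender would want to see; an empty list means nothing to flag."""
    findings = []
    if info["has_psk"]:
        if PSK_DHE_KE not in (info["psk_modes"] or []):
            findings.append("psk_ke only: PSK offered without ephemeral (EC)DHE")
        if not info["has_key_share"]:
            findings.append("no key_share: client cannot complete an (EC)DHE exchange")
    if not HYBRID_PQ_GROUPS & set(info["groups"]):
        findings.append("no hybrid PQ group (e.g. X25519MLKEM768) offered")
    return findings


def build_client_hello(groups, psk_modes, with_psk, with_key_share) -> bytes:
    """Construct a minimal TLS 1.3 ClientHello for testing (sample data, not a real client)."""
    g = b"".join(struct.pack("!H", x) for x in groups)
    exts = struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(g) + 2, len(g)) + g
    if with_key_share:
        share = struct.pack("!HH", GROUP_X25519, 32) + b"\x11" * 32   # dummy x25519 share
        exts += struct.pack("!HHH", EXT_KEY_SHARE, len(share) + 2, len(share)) + share
    if psk_modes is not None:
        m = bytes(psk_modes)
        exts += struct.pack("!HH", EXT_PSK_KEY_EXCHANGE_MODES, len(m) + 1) + bytes([len(m)]) + m
    if with_psk:                                    # constructed identity, zero binder
        ident = b"external-psk-id"
        identities = struct.pack("!H", len(ident)) + ident + struct.pack("!I", 0)
        binders = bytes([32]) + b"\x00" * 32
        psk = (struct.pack("!H", len(identities)) + identities
               + struct.pack("!H", len(binders)) + binders)
        exts += struct.pack("!HH", EXT_PRE_SHARED_KEY, len(psk)) + psk
    body = (b"\x03\x03" + b"\x00" * 32              # legacy_version, random
            + b"\x00"                               # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"    # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body


# Constructed samples: a psk_ke-only hello (the weak mode the message warns about) and an
# RFC 8773-style hello that keeps (EC)DHE beside the external PSK and offers a hybrid group.
WEAK_HELLO = build_client_hello([GROUP_X25519], [PSK_KE], with_psk=True, with_key_share=False)
STRONG_HELLO = build_client_hello([GROUP_X25519MLKEM768, GROUP_X25519], [PSK_DHE_KE],
                                  with_psk=True, with_key_share=True)

if __name__ == "__main__":
    for name, hello in (("weak", WEAK_HELLO), ("strong", STRONG_HELLO)):
        print(name, assess(parse_client_hello(hello)) or ["ok"])
```

The checker only reads the ClientHello; whether the server actually selects psk_ke depends on its configuration, so on the server side the corresponding control is to refuse psk_ke (or disable PSK modes that omit (EC)DHE) rather than rely on the client's offer.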
_______________________________________________
TLS mailing list
