Hybrid-Key Exchanges as an Interim-to-Permanent Solution to Cryptographic Agility
Matthew Campagna, Amazon Web Services
Agenda
• Classical cryptographic reasoning
• Post-quantum cryptography
• Hybrid key exchange
• Post-Quantum s2n

Here is what keeps me up at night
[Figure, three progressive slides: Client <-> Internet <-> AWS Cloud. Labels: "Record" (encrypted traffic is recorded today), "New capabilities" (the adversary later gains the ability to break the key exchange), "Record plaintext data and harvest" (the recorded traffic is decrypted and harvested).]

Confidentiality requirement

Security of an algorithm
The computational complexity of the best known attacks:
• Defines the bit strength of an algorithm.
• Bounds the algorithm's security lifetime.
Typical complexity measures: O(2^n) and L_n[a, c].

How assured am I that better attacks are not coming?
• How long has this problem been studied?
• Who has studied it, and what is the published record of that analysis?
• There is no compression of the iterative analyze / discover / disseminate process.

Best known attacks

Algorithm  Invented  Standardized  Widely used  Year of best attack  Best known attack
ECC        1985      1999          2000s        1978                 Pollard rho, 2^(n/2)
FF         1976      1991          1990s        1990                 NFS, L_n[1/3, (64/9)^(1/3)]
RSA        1978      1998          1990s        1990                 NFS, L_n[1/3, (64/9)^(1/3)]
AES        1998      2001          2005         -                    Exhaustive search, 2^n
DES        1975      1977          1980s        1991                 Differential cryptanalysis
SHA1       -         1995          1990s        2005                 Collision, < 2^(n/2)
SHA2       2001      2002          2005         -                    Birthday attack, 2^(n/2)
SHA3       2008      2015          ?            -                    Birthday attack, 2^(n/2)
ChaCha20   2008      2015          2018         -                    Exhaustive search, 2^n

Impact of quantum computing on cryptography
• Shor's algorithm (1994): can solve the discrete log problem (breaking Diffie-Hellman and Elliptic Curve Cryptography) and factor composite numbers (breaking RSA).
• Grover's algorithm (1996): can search an unsorted database of N items in O(sqrt(N)) time (reducing the security of symmetric ciphers and of preimage search for hash functions).

Timeline for quantum computing

What has ETSI been doing
• 2013 – Initial ETSI IQC Quantum Safe Cryptography Workshop
• 2014 – Started ETSI QSC Industry Specification Group
• 2015 – Published the ETSI Quantum Safe Cryptography and Security
• 2016 – ETSI CYBER QSC Technical Committee (Chair: Mark Pecen)
  - CYBER-QSC-008 (TR 103 616): Quantum Safe Signatures
  - CYBER-QSC-0012 (TR 103 618): Quantum Safe Identity Based Encryption
  - CYBER-QSC-0015 (TS): Quantum-Safe Hybrid Key Exchanges

NIST Standardization Process
• 2015 – NSA changes Suite B algorithms to prepare for post-quantum
• 2016 – NIST issues a call for proposals for post-quantum proposals
• 2017 – Round 1: 69 initial complete packages
• 2019 – Round 2: 17 key encapsulation mechanisms, 9 signature schemes

[Figure: NIST process timeline. Call for proposal (Jan 2017); 1st round candidates (Nov 2017); 1st conference (April 2018); analysis and evaluation; 2nd round candidates (Jan 2019); 2nd conference (Aug 2019); analysis and evaluation; 3rd round candidates; more analysis ...; draft standards (2022-2023).]

[Figure: NIST PQ KEM Round 2 submissions. Vertical axis: 1000 bytes to 300000 bytes (log scale); horizontal axis: 100K to 1B (log scale; axis label not recoverable from the extracted slide).]

Quantum-safe cryptography - recap
• We can't solely rely on new algorithms until we have more assurance.
• We want to test them to understand the impact on the applications and protocols we use today.
• We do both - perform hybrid key exchanges:
  - One classical, like Elliptic Curve Diffie-Hellman
  - One quantum-safe, like BIKE or SIKE
  - Combine them in a cryptographically non-lossy way

Hybrid key agreements (built up over four slides)

Classical key agreement:
  Alice: Generate (a, A)            --- A --->
  Bob:   Generate (b, B)            <--- B ---
  Alice: K = KDF(aB)                 Bob: K = KDF(bA)

Hybrid key agreement:
  Alice: Generate (a, A); (sk, pk) = Gen()          --- A, pk --->
  Bob:   Generate (b, B); (ss, ct) = Encaps(pk)     <--- B, ct ---
  Alice: ss = Decaps(sk, ct)
  Alice: K = KDF(aB || ss)           Bob: K = KDF(bA || ss)

PQ-TLS 1.2 – hybrid key exchange
  Client                                        Server (Cert(d, N), e)
  ClientHello                      --->
                                                Generate ECDHE (a, A)
                                                (sk, pk) = KeyGen()
                                                sig = Sign(A, pk ..., e)
                                   <---         Certificate (Cert(d, N))
                                   <---         ServerKeyExchange (A, pk, sig)
  Verify(sig, A, pk ..., (d, N))
  Generate ECDHE (b, B)
  (ss, ct) = Encaps(pk)
  ClientKeyExchange (B, ct)        --->
  keys = derive keys (bA, ss ...)               ss = Decaps(sk, ct)
                                                keys = derive keys (aB, ss ...)
  ApplicationData                  <--->
This is a sketch of a TLS_ECDHE_SIKE_RSA_* negotiated cipher suite connection.

PQ-TLS 1.2 – hybrid key exchange
• Draft experimental RFC within IETF for hybrid key exchange in TLS 1.2
• Added SIKE and BIKE reference code into AWS's s2n (libssl) code base
• Added hybrid key exchange cipher suites into s2n:
  - TLS_ECDHE_BIKE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_SIKE_RSA_WITH_AES_256_GCM_SHA384
• Apply the same rigor to this new code as we do to s2n

PQ-TLS 1.2 – Bandwidth usage (bytes)

Cipher suite                       ClientHello  ServerKeyExchange  ClientKeyExchange
ECDHE-RSA-AES256-GCM-SHA384        139          329                66
ECDHE-BIKE-RSA-AES256-GCM-SHA384   147          2875               2610
ECDHE-SIKE-RSA-AES256-GCM-SHA384   147          711                470

PQ s2n performance numbers - P50 (ms)

                    Local host  us-west2  us-west1  eu-west2  ap-south1
Ping                0.08        0.69      21        133       22
ECDHE               1.2         2.6       43        278       434
ECDHE-BIKE Hybrid   25          27        67        302       458
ECDHE-SIKE Hybrid   155         156       197       431       588

What comes next
• Integrate PQ s2n into AWS SDKs and deploy pq-hybrid into AWS KMS
• Move from the Round 1 candidates to Round 2
• Add a lattice-based scheme into PQ s2n
• Use an ETSI standardized hybrid-key agreement scheme
• Increase performance (10x): move from reference code to optimized code
• Move from TLS 1.2 to TLS 1.3, consider alternatives to pq-hybrid

Double-hulled TLS
[Figure, two slides: Client <-> AWS Cloud. Outer hull: FIPS-certified ECDHE & TLS-AES256-GCM-SHA384. Inner hull, carried inside the outer connection: PQ-KEM & TLS-CHACHA20-POLY1305-SHA3-384.]

7th ETSI/IQC Quantum Safe Cryptography Workshop
• When: 5 – 7 November 2019
• Where: Amazon Headquarters in Seattle, US
• Who: Admission is open to all
  - Executive Track: CTO/CISO/Executives and government decision makers looking to understand current trends in quantum-safe or post-quantum cryptography.
  - Technical Track: Technologists and standards participants looking to increase their knowledge of the state of the art in quantum-safe cryptography.
• Additional dates: Submission deadline is 22 June 2019

Thank you!

Additional details
• AWSLabs: https://github.com/awslabs/s2n
• IETF: https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid-01
        https://tools.ietf.org/html/draft-stebila-tls-hybrid-design-00
• ETSI: https://www.etsi.org/events/1607-etsi-iqc-quantum-safe-cryptography-workshop-2019
        https://portal.etsi.org/tb.aspx?tbid=856&SubTB=856#/
• NIST: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
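The "Security of an algorithm" slide measures bit strength by the cost of the best known attack, quoting O(2^n) and L_n[a, c]. As an added worked computation (not from the slides), the L-notation in the attacks table can be evaluated for a concrete key size, dropping the o(1) term, and set beside the generic-attack costs for ECC and a symmetric cipher under Grover:

$$
L_n[a, c] = \exp\!\left((c + o(1))\,(\ln n)^{a}\,(\ln \ln n)^{1-a}\right),
\qquad \text{NFS: } a = \tfrac{1}{3},\; c = \left(\tfrac{64}{9}\right)^{1/3} \approx 1.923
$$

For a 2048-bit RSA modulus, $\ln n \approx 2048 \ln 2 \approx 1419.6$ and $\ln \ln n \approx 7.258$, so

$$
(\ln n)^{1/3} \approx 11.24,\quad (\ln \ln n)^{2/3} \approx 3.748,\quad
1.923 \cdot 11.24 \cdot 3.748 \approx 81.0,\quad
L_n\!\left[\tfrac{1}{3}, \left(\tfrac{64}{9}\right)^{1/3}\right] \approx e^{81} \approx 2^{117}
$$

By comparison, Pollard rho on a 256-bit curve costs $2^{n/2} = 2^{128}$, and Grover's search reduces exhaustive search of a 128-bit symmetric key from $2^{128}$ to $O(\sqrt{2^{128}}) = 2^{64}$ queries. The o(1) term and constant factors make the NFS figure an estimate rather than an exact count, which is the point of the "how assured am I" questions on that slide.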
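The "Hybrid key agreements" slides and the PQ-TLS 1.2 sketch both reduce to the same combiner: each side feeds the classical Diffie-Hellman secret and the KEM shared secret into one KDF, K = KDF(aB || ss) = KDF(bA || ss). The following is an added example, not s2n code and not the IETF draft's construction, that runs the exchange end to end with the Go standard library. X25519 plays the classical ECDH part; because the standard library used here offers no BIKE or SIKE, a DH-KEM built on X25519 stands in for the post-quantum KEM (it has the Gen/Encaps/Decaps shape of the slides but is not quantum-safe, and is labelled as such in the code). The KDF is HKDF-SHA256 written out with `crypto/hmac`, the `KEM` interface, `dhKEM`, `KDF` and `HybridKeyAgreement` are names chosen for this example, and the "hybrid" info label is an assumption.

```go
// Added example (not s2n code): hybrid key agreement K = KDF(aB || ss) from the
// slides, with X25519 as the classical part and a DH-KEM over X25519 standing
// in for the post-quantum KEM (BIKE/SIKE on the slides). The stand-in KEM is
// NOT quantum-safe; only its Gen/Encaps/Decaps interface matches the slides.
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KEM matches the slides' notation: (sk, pk) = Gen(); (ss, ct) = Encaps(pk); ss = Decaps(sk, ct).
type KEM interface {
	Gen() (sk, pk []byte, err error)
	Encaps(pk []byte) (ss, ct []byte, err error)
	Decaps(sk, ct []byte) (ss []byte, err error)
}

// dhKEM is a Diffie-Hellman KEM over X25519, used as a stand-in so the
// example runs with the standard library alone.
type dhKEM struct{ curve ecdh.Curve }

// NewStandInKEM returns the X25519-based stand-in KEM.
func NewStandInKEM() KEM { return dhKEM{curve: ecdh.X25519()} }

func (k dhKEM) Gen() ([]byte, []byte, error) {
	priv, err := k.curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv.Bytes(), priv.PublicKey().Bytes(), nil
}

// Encaps: ephemeral DH against pk; the ciphertext is the ephemeral public key,
// and the shared secret is hashed together with pk so it is bound to the recipient.
func (k dhKEM) Encaps(pk []byte) ([]byte, []byte, error) {
	pub, err := k.curve.NewPublicKey(pk)
	if err != nil {
		return nil, nil, err
	}
	eph, err := k.curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dh, err := eph.ECDH(pub)
	if err != nil {
		return nil, nil, err
	}
	h := sha256.New()
	h.Write(dh)
	h.Write(pk)
	return h.Sum(nil), eph.PublicKey().Bytes(), nil
}

func (k dhKEM) Decaps(sk, ct []byte) ([]byte, error) {
	priv, err := k.curve.NewPrivateKey(sk)
	if err != nil {
		return nil, err
	}
	ephPub, err := k.curve.NewPublicKey(ct)
	if err != nil {
		return nil, err
	}
	dh, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(dh)
	h.Write(priv.PublicKey().Bytes())
	return h.Sum(nil), nil
}

// KDF is HKDF-SHA256 (zero salt, one expand block), written out so the
// combiner is visible: the concatenated secrets enter a single extract step,
// so the output depends on both aB and ss (the "non-lossy" property).
func KDF(ikm []byte, info string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(info))
	expand.Write([]byte{1})
	return expand.Sum(nil)
}

// HybridKeyAgreement runs Alice and Bob as drawn on the slides and returns
// the key each side derives; a correct run yields identical keys.
func HybridKeyAgreement(kem KEM) (aliceKey, bobKey []byte, err error) {
	curve := ecdh.X25519()
	// Alice: Generate (a, A); (sk, pk) = Gen(); send A, pk.
	a, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sk, pk, err := kem.Gen()
	if err != nil {
		return nil, nil, err
	}
	// Bob: Generate (b, B); (ss, ct) = Encaps(pk); send B, ct; K = KDF(bA || ss).
	b, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssBob, ct, err := kem.Encaps(pk)
	if err != nil {
		return nil, nil, err
	}
	bA, err := b.ECDH(a.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	bobKey = KDF(bytes.Join([][]byte{bA, ssBob}, nil), "hybrid")
	// Alice: ss = Decaps(sk, ct); K = KDF(aB || ss).
	ssAlice, err := kem.Decaps(sk, ct)
	if err != nil {
		return nil, nil, err
	}
	aB, err := a.ECDH(b.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	aliceKey = KDF(bytes.Join([][]byte{aB, ssAlice}, nil), "hybrid")
	return aliceKey, bobKey, nil
}

func main() {
	ak, bk, err := HybridKeyAgreement(NewStandInKEM())
	if err != nil {
		panic(err)
	}
	fmt.Printf("keys agree: %v (%d bytes)\n", bytes.Equal(ak, bk), len(ak))
}
```

Swapping `dhKEM` for a real post-quantum KEM behind the same `KEM` interface leaves `HybridKeyAgreement` untouched, which is the agility the slides argue for: the combiner, not the algorithm, is the stable part of the design.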