Enable the post-quantum x25519+ML-KEM-768 TLS 1.3 ciphersuite by default #4305
Conversation
randombit
force-pushed
the
jack/enable-pqc
branch
from
503d8df
to
ee8f6c0
Compare
There was a problem hiding this comment.
🚀 Nice! The PQ-era is here!
As a side note: This points at an open tech debt regarding the management of ciphersuites (also noted for a long time in #2990). As it is now, there's a lot of if {} else if {} else scattered around many places in the TLS implementation. Whenever algorithms are added, there's a lot of potential to miss something.
|
Something is wrong - I know I tested that our client connecting to our server would negotiate Kyber (highly relevant since Botan being on both sides of the connection is very common) but now this doesn't work .... |
|
Oh I see. I tested us<->us in my initial attempt which put Kyber at the absolute top of the preference list. However I realized later this caused us to send a large keyshare that is ignored much of the time, which is non-optimal. But it seems - unlike the stacks in |
|
OK I think we just need to adjust the logic in |
... I was about to say that. Currently, the code there optimizes for round-trips and avoids sending a HelloRetryRequest whenever it can. I.e.: it will go for the non-PQ group if it is offered and fits with our supported groups. |
|
I'll take a look at that BoringSSL and co do here. I expect it looks something like a 2-tier selection
|
Sounds reasonable to me as a default policy. I was thinking to propose an additional policy setting like |
|
|
|
OTOH we already have a lot of fucking policy toggles 😅 |
randombit
force-pushed
the
jack/enable-pqc
branch
from
18b58a2
to
83a05cc
Compare
randombit
force-pushed
the
jack/enable-pqc
branch
3 times, most recently
from
ec0d301
to
a354031
Compare
randombit
changed the title
| allow_dtls12 = true | ||
| ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM | ||
| macs = AEAD SHA-256 SHA-384 SHA-1 | ||
| signature_hashes = SHA-512 SHA-384 SHA-256 | ||
| signature_methods = ECDSA RSA | ||
| key_exchange_methods = ECDH DH | ||
| key_exchange_groups = x25519 x448 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192 | ||
| key_exchange_groups = x25519 secp256r1 x25519/Kyber-768-r3 x448 secp384r1 secp521r1 brainpool256r1 brainpool384r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 |
There was a problem hiding this comment.
That should use ML-KEM now, no? Just like the default_tls13.txt
| key_exchange_groups = x25519 secp256r1 x25519/Kyber-768-r3 x448 secp384r1 secp521r1 brainpool256r1 brainpool384r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 | |
| key_exchange_groups = x25519 secp256r1 x25519/ML-KEM-768 x448 secp384r1 secp521r1 brainpool256r1 brainpool384r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 |
| By default, we offer a key share for the most-preferred pure ECC group | ||
| by default, if any pure ECC group is enabled in the policy. |
There was a problem hiding this comment.
| By default, we offer a key share for the most-preferred pure ECC group | |
| by default, if any pure ECC group is enabled in the policy. | |
| By default, we offer a key share for the most-preferred pure ECC group | |
| if any pure ECC group is enabled in the policy. |
| @@ -198,7 +203,7 @@ class BOTAN_PUBLIC_API(3, 2) Group_Params final { | |||
| m_code == Group_Params_Code::FFDHE_8192; | |||
| } | |||
|
|
|||
| constexpr bool is_pure_kyber() const { | |||
| constexpr bool is_pure_kyber_r3() const { | |||
There was a problem hiding this comment.
This is a public API. I think we'll have to go with deprecation of is_pure_kyber() here.
randombit
force-pushed
the
jack/enable-pqc
branch
2 times, most recently
from
7d241d6
to
9a1a4d8
Compare
This change also rearranges the default kex list, and removes some of the most expensive FFDHE groups. Group selection logic is changed such that if the client supports a post quantum algorithm, it is always preferred even if the client sent other (non-PQC) key shares. Expose which group was used for key exchange in the Session_Summary. Co-authored-by: René Meusel <[email protected]>
Tested with cloudflare.com, google.com and ourselves.
This adjusts the default logic for both which groups to offer and which group to select during negotiation.
For offering, we send the first pure ECC group in the preference list. This avoids sending large PQ shares to servers that don't support them. If the client for whatever reason does not have any pure ECC groups, then we send a share of whatever their top preference is.
On the server side, if the client indicated support for any mutually supported PQ algorithm, we always select it, even if the client sent some other type of keyshare. Previously we would always prefer to select a group that the client sent a share of, to reduce round trips.