TLS T. Reddy Internet-Draft Nokia Intended status: Standards Track T. Hollebeek Expires: 18 May 2025 DigiCert J. Gray Entrust S. Fluhrer Cisco Systems 14 November 2024 Use of Composite ML-DSA in TLS 1.3 draft-reddy-tls-composite-mldsa-00 Abstract This document specifies how the post-quantum signature scheme ML-DSA [FIPS204], in combination with traditional algorithms RSA- PKCS#1v1.5,RSA-PSS, ECDSA, Ed25519, and Ed448 can be used for authentication in TLS 1.3. The composite ML-DSA approach is beneficial in deployments where operators seek additional protection against potential breaks or catastrophic bugs in ML-DSA. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 18 May 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Reddy, et al. Expires 18 May 2025 [Page 1] Internet-Draft Use of Composite ML-DSA in TLS 1.3 November 2024 Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3 2. ML-DSA SignatureSchemes Types . . . . . . . . . . . . . . . . 3 3. Selection Criteria for Composite Signature Algorithms . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 6.2. Informative References . . . . . . . . . . . . . . . . . 7 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction The advent of quantum computing poses a significant threat to current cryptographic systems. Traditional cryptographic algorithms such as RSA, Diffie-Hellman, DSA, and their elliptic curve variants are vulnerable to quantum attacks. During the transition to post-quantum cryptography (PQC), there is considerable uncertainty regarding the robustness of both existing and new cryptographic algorithms. While we can no longer fully trust traditional cryptography, we also cannot immediately place complete trust in post-quantum replacements until they have undergone extensive scrutiny and real-world testing to uncover and rectify potential implementation flaws. Unlike previous migrations between cryptographic algorithms, the decision of when to migrate and which algorithms to adopt is far from straightforward. Even after the migration period, it may be advantageous for an entity's cryptographic identity to incorporate multiple public-key algorithms to enhance security. Cautious implementers may opt to combine cryptographic algorithms in such a way that an attacker would need to break all of them simultaneously to compromise the protected data. These mechanisms are referred to as Post-Quantum/Traditional (PQ/T) Hybrids [I-D.ietf-pquip-pqt-hybrid-terminology]. Reddy, et al. Expires 18 May 2025 [Page 2] Internet-Draft Use of Composite ML-DSA in TLS 1.3 November 2024 Certain jurisdictions are already recommending or mandating that PQC lattice schemes be used exclusively within a PQ/T hybrid framework. The use of Composite scheme provides a straightforward implementation of hybrid solutions compatible with (and advocated by) some governments and cybersecurity agencies [BSI2021]. ML-DSA [FIPS204] is a post-quantum signature schemes standardised by NIST. It is a module-lattice based scheme. This memo specifies how a composite ML-DSA can be negotiated for authentication in TLS 1.3 via the "signature_algorithms" and "signature_algorithms_cert" extensions. The use of composite ML-DSA is valuable in deployments where disabling algorithms is complex or slow. Hybrid signatures provide additional safety by ensuring protection even if vulnerabilities are discovered in one of the constituent algorithms. 1.1. Conventions and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. These words may also appear in this document in lower case as plain English words, absent their normative meanings. This document is consistent with the terminology defined in [I-D.ietf-pquip-pqt-hybrid-terminology]. It defines composites as: _Composite Cryptographic Element_: A cryptographic element that incorporates multiple component cryptographic elements of the same type in a multi-algorithm scheme. 2. ML-DSA SignatureSchemes Types As defined in [RFC8446], the SignatureScheme namespace is used for the negotiation of signature scheme for authentication via the "signature_algorithms" and "signature_algorithms_cert" extensions. This document adds new SignatureSchemes types for the composite ML- DSA as follows. Reddy, et al. Expires 18 May 2025 [Page 3] Internet-Draft Use of Composite ML-DSA in TLS 1.3 November 2024 enum { mldsa44_ecdsa_secp256r1_sha256 (0x0907), mldsa65_ecdsa_secp384r1_sha384 (0x0908), mldsa87_ecdsa_secp384r1_sha384 (0x0909), mldsa44_ed25519 (0x090A), mldsa65_ed25519 (0x090B), mldsa44_rsa_pkcs1_sha256 (0x090C), mldsa65_rsa_pkcs1_sha384 (0x090D), mldsa44_rsa_pss_pss_sha256 (0x090E), mldsa65_rsa_pss_pss_sha384 (0x090F), mldsa87_ed448 (0x0910) } SignatureScheme; Each entry specifies a unique combination of an ML-DSA parameter, an elliptic curve or RSA variant, and a hashing function. The first algorithm corresponds to ML-DSA-44, ML-DSA-65, and ML-DSA-87, as defined in [FIPS204]. It is important to note that the mldsa* entries represent the pure versions of these algorithms and should not be confused with prehashed variants, such as HashML-DSA-44, also defined in [FIPS204]. Support for prehashed variants is not required because TLS computes the hash of the message (e.g., the transcript of the TLS handshake) that needs to be signed. Note that TLS 1.3 removed support for RSASSA-PKCS1-v1_5 [RFC8017] in CertificateVerify messages, opting for RSASSA-PSS instead. Similarly, this document restricts the use of the composite signature algorithms mldsa44_rsa_pkcs1_sha256 and mldsa65_rsa_pkcs1_sha384 to the "signature_algorithms_cert" extension and does not define them for use in the "signature_algorithms" extension. In TLS, the data used for generating a digital signature is unique for each TLS session, as it includes the entire handshake. Thus, ML- DSA can utilize the deterministic version. The context parameter defined in [FIPS204] Algorithm 2/Algorithm 3 MUST be an empty string. The signature MUST be computed and verified as specified in Section 4.4.3 of [RFC8446]. The Composite-ML-DSA.Sign function, defined in [I-D.ietf-lamps-pq-composite-sigs], will be utilized by the sender to compute the signature field of the CertificateVerify message. Conversely, the Composite-ML-DSA.Verify function, also defined in [I-D.ietf-lamps-pq-composite-sigs], will be employed by the receiver to verify the signature field of the CertificateVerify message. Note: In the LAMPS WG, it is being discussed that the composite signature API should avoid using protocol-specific encoding. Reddy, et al. Expires 18 May 2025 [Page 4] Internet-Draft Use of Composite ML-DSA in TLS 1.3 November 2024 The corresponding end-entity certificate when negotiated MUST use the First AlgorithmID and Second AlgorithmID respectively as defined in [I-D.ietf-lamps-pq-composite-sigs]. The schemes defined in this document MUST NOT be used in TLS 1.2 [RFC5246]. A peer that receives ServerKeyExchange or CertificateVerify message in a TLS 1.2 connection with schemes defined in this document MUST abort the connection with an illegal_parameter alert. 3. Selection Criteria for Composite Signature Algorithms The composite signatures specified in the document are restricted set of cryptographic pairs, chosen from the intersection of two sources: * The composite algorithm combinations as recommended in [I-D.ietf-lamps-pq-composite-sigs], which specify both PQC and traditional signature algorithms. * The mandatory-to-support or recommended traditional signature algorithms listed in TLS 1.3. By limiting algorithm combinations to those defined in both [I-D.ietf-lamps-pq-composite-sigs] and TLS 1.3, this specification ensures that each pair: * Meets established security standards for composite signatures in a post-quantum context, as described in [I-D.ietf-lamps-pq-composite-sigs]. * Is compatible with traditional digital signatures recommended in TLS 1.3, ensuring interoperability and ease of adoption within the TLS ecosystem. This conservative approach reduces the risk of selecting unsafe or incompatible configurations, promoting security by requiring only trusted and well-vetted pairs. Future updates to this specification may introduce additional algorithm pairs as standards evolve, subject to similar vetting and inclusion criteria. 4. Security Considerations The security considerations discussed in Section 11 of [I-D.ietf-lamps-pq-composite-sigs] needs to be taken into account. Reddy, et al. Expires 18 May 2025 [Page 5] Internet-Draft Use of Composite ML-DSA in TLS 1.3 November 2024 5. IANA Considerations This document requests new entries to the TLS SignatureScheme registry, according to the procedures in Section 6 of [TLSIANA]. +======+================================+=============+===========+ |Value | Description | Recommended | Reference | +======+================================+=============+===========+ |0x0907| mldsa44_ecdsa_secp256r1_sha256 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ |0x0908| mldsa65_ecdsa_secp384r1_sha384 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ |0x0909| mldsa87_ecdsa_secp384r1_sha384 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ |0x090A| mldsa44_ed25519 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ |0x090B| mldsa65_ed25519 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ |0x090C| mldsa44_rsa_pkcs1_sha256 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ |0x090D| mldsa65_rsa_pkcs1_sha384 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ |0x090E| mldsa44_rsa_pss_pss_sha256 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ |0x090F| mldsa65_rsa_pss_pss_sha384 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ |0x0910| mldsa87_ed448 | N | This | | | | | document. | +------+--------------------------------+-------------+-----------+ Table 1 6. References 6.1. Normative References [I-D.ietf-lamps-pq-composite-sigs] Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S. Fluhrer, "Composite ML-DSA For use in X.509 Public Key Reddy, et al. Expires 18 May 2025 [Page 6] Internet-Draft Use of Composite ML-DSA in TLS 1.3 November 2024 Infrastructure and CMS", Work in Progress, Internet-Draft, draft-ietf-lamps-pq-composite-sigs-03, 21 October 2024, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [TLSIANA] Salowey, J. A. and S. Turner, "IANA Registry Updates for TLS and DTLS", Work in Progress, Internet-Draft, draft- ietf-tls-rfc8447bis-10, 3 November 2024, . 6.2. Informative References [BSI2021] Federal Office for Information Security (BSI), "Quantum- safe cryptography - fundamentals, current developments and recommendations", October 2021, . [FIPS204] "FIPS-204: Module-Lattice-Based Digital Signature Standard", . [I-D.ietf-pquip-pqt-hybrid-terminology] D, F., P, M., and B. Hale, "Terminology for Post-Quantum Traditional Hybrid Schemes", Work in Progress, Internet- Draft, draft-ietf-pquip-pqt-hybrid-terminology-04, 10 September 2024, . [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, . Reddy, et al. Expires 18 May 2025 [Page 7] Internet-Draft Use of Composite ML-DSA in TLS 1.3 November 2024 [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016, . Acknowledgments Thanks to Bas Westerbaan, Alicja Kario, Ilari Liusvaara and Sean Turner for the discussion and comments. Authors' Addresses Tirumaleswar Reddy Nokia Bangalore Karnataka India Email: kondtir@gmail.com Timothy Hollebeek DigiCert Pittsburgh, United States of America Email: tim.hollebeek@digicert.com John Gray Entrust Limited 2500 Solandt Road – Suite 100 Ottawa, Ontario K2K 3G5 Canada Email: john.gray@entrust.com Scott Fluhrer Cisco Systems Email: sfluhrer@cisco.com Reddy, et al. Expires 18 May 2025 [Page 8]