Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

The US National Institute of Standards and Technology (NIST) has announced the first winners of a several-years-long competition for post-quantum encryption and signature algorithms. For encryption, NIST recommends the use of CRYSTALS-Kyber, although that recommendation may still change. For signatures, NIST has selected CRYSTALS-Dilithium as the primary algorithm, plus two additional algorithms, Falcon and SPHINCS+.

The decision was long awaited, having been delayed multiple times. The background is that future quantum computers could break practically all public key cryptography in use today. Algorithms like RSA or ones based on elliptic curves could be broken by an attacker using a powerful quantum computer. No such quantum computer exists today, but research on them is progressing.

Due to this thread, researchers started investigating possible algorithms that would be safe from such quantum attacks. These algorithms are called post-quantum cryptography. In 2016, NIST announced that it wanted to standardize such post-quantum algorithms and asked for proposals.

This competition now comes to a preliminary end, though NIST has mentioned that it plans to investigate some algorithms further that may be standardized in the future. Also, particularly for signatures, NIST announced that it will ask for additional proposals to diversify the class of algorithms.

The announcement of the winners comes with a significant catch. In a footnote in the detailed report NIST published, NIST mentions that it is seeking patent agreements with several holders of potentially relevant patents: “If the agreements are not executed by the end of 2022, NIST may consider selecting NTRU instead of Kyber.” NTRU is an algorithm that has been around for a while, and patents affecting it have expired by now. Both Kyber and NTRU are part of what is called lattice-based cryptography.

For signatures, the decision to select three algorithms shows some of the uncertainty in this space. The three selected algorithms balance security aspects against the practicality of implementing these in everyday protocols like TLS. Both Falcon and Dilithium are lattice-based algorithms, while SPHINCS+ is a hash-based algorithm.

Falcon has the smallest signature size of the three, but its small signatures come at a price: Falcon needs constant-time floating-point arithmetic, and if this isn’t done correctly, it may lead to side-channel attacks that could compromise the private key.

SPHINCS+ is the algorithm with the highest level of security assurance. It’s a hash-based algorithm and its security relies on the underlying hash function. And hash functions are a well-known cryptographic construction. But the signature sizes are challenging: depending on the variant and safety level, they range from around 8 to 50 kilobytes.

Although the preliminary winners have been chosen, it still isn’t time to start implementing these algorithms in protocols like TLS. The exact standards have to be specified and will likely reduce the variations and fix some parameters for the algorithms.

It’s expected that post-quantum encryption algorithms initially often will be used in a hybrid mode, combined with a traditional elliptic curve key exchange. In case of unexpected cryptographic breakthroughs against the new post-quantum schemes, the approach would still fall back to the security of the better-known elliptic curve cryptography. A draft specifying such a hybrid mode is available and is expected soon to be published as an RFC by the IETF.

Short news

Here are some things that caught our attention since the previous newsletter:

• In a blog post, AWS Security explains best practices to operate a private CA hierarchy with the AWS Certificate Manager.
• Michael Driscoll created a web page illustrating a DTLS connection.
• Google’s security blog explains the use of DNS-over-HTTP/3 on Android systems.
• OpenSSL released updates 3.0.5 and 1.1.1q, fixing two vulnerabilities: a memory corruption that we mentioned in last month’s newsletter and a bug in the OCB encryption mode.
• TLS-Anvil is a test suite for TLS implementations, published alongside a research paper for the upcoming USENIX conference. Marcel Maehren explains some background in a Twitter thread.
• Cloudflare published some statistics about the declining use of Internet Explorer.
• Sofía Celi has published notes from the PQNet workshop about TLS and DNSSEC that took place alongside Real World Crypto earlier this year.
• Chrome developer Emily Stark announced the deprecation of the Expect-CT feature in Chrome. This was an HTTP header indicating that a site would always support Certificate Transparency, but with the now-universal requirement for Certificate Transparency in certificates, it’s obsolete.
• Rich Salz wrote a blog post discussing possibly replacing OpenSSL.
• Microsoft announced the availability of DNS-over-TLS in Windows Insider builds.
• RFC 9261 specified Exported Authenticators in TLS. A detailed blog post by Jonathan Hoyland at Cloudflare explains the background.
• Coursera announced the Cryptography II course by Dan Boneh starting in October. Boneh created the very popular Cryptography I course many years ago; it covers mostly symmetric cryptography. A follow-up course covering public key cryptography was announced and delayed for a long time, which made it a running gag in the community. It seems the second course now finally will happen (unless it gets delayed again).
• Thomas Pornin from NCC Group wrote a blog post analyzing the NIST post-quantum selection (see also the main topic in this newsletter).
• Jean-Philippe Aumasson created a list of books about cryptography he recommends.
• Crypto Ancienne, a TLS library for old computing systems, has received TLS 1.3 support in version 2.0.
• NSS released version 3.81 with some minor bug fixes.
• Marc Stevens has published a collision detection tool for MD5 and SHA1.

Interesting jobs

Here are some interesting jobs we've come across in the last month:

• Principal Java Security Engineer - Oracle, via @seanjmullan
• Lecturer in Cyber-Physical Systems Security - University of Bristol, via @BristolCyberSec
• OpenDP Open-Source Community Manager - OpenDP, via @RichSalz

If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.