Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.

A post-quantum key exchange method once considered promising is apparently insecure and can be completely broken with classical computers. Researchers recently published attacks on both supersingular isogeny Diffie-Hellman (SIDH) and the supersingular isogeny key encapsulation (SIKE) variation that was submitted for NIST's post-quantum competition.

These key exchange methods use so-called isogenies over supersingular elliptic curves. Using these mathematical objects for cryptography is a relatively new idea: the SIDH algorithm was published in 2011 by Luca de Feo, David Jao, and Jérôme Plût.

SIDH was seen as promising because the key size was relatively small compared to many other post-quantum methods. Also, as the name indicates, the algorithm works similarly to the Diffie-Hellman key exchange.

But all of this has probably become irrelevant, as a paper posted by Wouter Castryck and Thomas Decru from KU Leuven described an attack that allows for completely breaking SIDH and SIKE in less than an hour. Independently, the attack was also described by Luciano Maino and Chloe Martindale from the University of Bristol. These attacks would only work in special cases of SIDH, but a later improvement of the attack by Damien Robert from Inria Bordeaux completely breaks SIDH. Steven Galbraith has given a description of the mathematical ideas behind the attack in a blog post and explained how the three different published papers relate to each other in a second blog post. Galbraith was also a guest in the Security. Cryptography. Whatever. podcast episode that covered the attack.

Although cryptographers had been sometimes concerned that cryptography based on isogenies was insufficiently studied, this devastating attack was still a surprise for many. Chris Peikert, an expert in lattices and post-quantum cryptography, commented on Twitter: "Wow! This completely breaks SIDH/SIKE level-1 parameters on a single core in an hour. A monumental result."

While the attack completely breaks SIDH and SIKE, other variations of isogeny-based cryptography may still be secure. Currently, the CSIDH key exchange and several signature algorithms based on isogenies remain safe. Luca de Feo created a web page that provides an overview.

There are a few takeaways from this episode. It shows that public key cryptography is hard and that surprising breakthroughs can happen. This comes just months after another promising post-quantum algorithm, the Rainbow signature scheme, was also completely broken (as mentioned in our February Newsletter).

Both Rainbow and SIKE were considered by NIST as potential candidates for standardization as part of its post-quantum competition.

But there's also an optimistic takeaway: because isogeny-based cryptography was widely seen as a field that hadn’t been studied enough to create confidence, cryptographers were careful about SIDH. Therefore, SIDH and SIKE haven’t been used in any significant real-world systems.

Short news

Here are some things that caught our attention since the previous newsletter:

• NSS 3.82 was released with a couple of bug fixes in ASN.1 parsing.
• The thelatticeclub.com website collects scientific resources about lattice-based cryptography.
• A blog post by Ralph Holz for APNIC explores the deployment of TLS 1.3 and how large actors like Google and Facebook have accelerated deployment at scale. This was based on research published in ACM SIGCOMM Computer Communication Review.
• Soatok discusses cryptographic agility and alternatives in a blog post.
• Emily Stark writes about how a key pinning mechanism could be integrated into Certificate Transparency, though she largely comes to the conclusion that this wouldn’t be a good idea.
• The European Union Agency for Cybersecurity (ENISA) published a report about Trusted Services security incidents in 2021.
• Python’s pip introduced a new feature using the system’s certificate trust store, and the creators have asked for help testing it.
• Nettle released version 3.8.1, a minor bugfix release.
• GnuTLS fixed a double free vulnerability.
• LibreSSL received a patch to implement the Baillie-PSW algorithm for primality testing.
• WolfSSL 5.4.0 was released with support for DTLS 1.3 and some security fixes.
• Jason Donenfeld created a patch for the Linux kernel supporting getrandom in vDSO.
• Cloudflare announced updates to its post-quantum experiments, including support for Kyber, one of the winners of the NIST post-quantum competition.
• Let’s Encrypt updated its subscriber agreement.
• Sofía Celi shared slides from a talk about post-quantum TLS.
• Agam More wrote an introduction to lattice-based cryptography.
• WolfSSL announced support for an API for QUIC. (A similar API for OpenSSL was rejected, which caused quite a bit of controversy.)
• A paper published at USENIX looks at various fault-based attacks on TLS.
• OpenSSL 3.0.0 received a FIPS certification.
• Chrome will no longer perform default OCSP checks for EV certificates due to privacy concerns. Chrome hasn’t performed OCSP checks for other certificates for quite some time.
• A bug report in curl indicates that in some situations, the windows Schannel API will leave key material on the filesystem.
• A paper published at Usenix analyzes the behavior of bots scraping Certificate Transparency data.
• Google has published a library called Paranoid to analyze public keys and signatures for known vulnerabilities.
• A blog post by Arseniy Sharoglazov for PT Swarm explains how to analyze time correlation in Certificate Transparency data.
• A blog post at APNIC gives an overview of the current state of the HTTPS DNS record.
• Google announced support for the ACME protocol in its Cloud Certificate Manager.

Interesting jobs

Here are some interesting jobs we've come across in the last month:

• Systems Development Eng III, AWS Private Certificate Authority - AWS, via @Todd Cignetti
• Software Development Manager, AWS Cryptography - AWS, via @Todd Cignetti
• Privacy Engineering Manager - Mozilla, via @attackndefense
• PhD position in the CyberExcellence project - Université de Liège, via @frochet

If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.