Experimental KEMTLS Client #20
Conversation
| #if defined(BOTAN_HAS_KYBER) | ||
| // TODO: those OIDs are taken from thomwiggers/mk-cert for interoperability | ||
| // https://github.com/thomwiggers/mk-cert/blob/dd845f3825d8dc5fd69e0e234f6a62266ee4dd4a/algorithms.py#L84 | ||
| if(alg_name == "1.3.6.1.4.1.44363.46.52") |
There was a problem hiding this comment.
This should work, I just want to emphasise that these OIDs aren't stable: if I add algorithms to mk-cert they tend to move around.
(Also I'm completely unsure whose OID namespace I cribbed)
There was a problem hiding this comment.
FWIW: For the OIDs in the current Kyber integration in Botan we followed this IETF draft.
src/lib/tls/msg_certificate_13.cpp
Outdated
| throw TLS_Exception(Alert::HANDSHAKE_FAILURE, | ||
| "Rejecting " + key->algo_name() + " signature"); | ||
| } | ||
| policy.check_peer_key_acceptable(*public_key()); |
| const auto master_secret = hkdf_extract(secure_vector<uint8_t>(m_hash->output_length(), 0x00)); | ||
|
|
||
| // Note: these labels differ from the research paper to comply with thomwiggers rustls implementation. | ||
| // https://thomwiggers.nl/publication/kemtls/kemtls.pdf |
There was a problem hiding this comment.
In the paper we were pretty space-constrained 😅
|
This now includes verification of certificates signed by Dilithium. It is not (yet) interoperable with the certificates generated by the KEMTLS reference implementation. Though, after this issue is sorted out and this experimental code is rebased accordingly, Dilithium-based certificates should be verifyable. |
This introduces experimental client-side support for KEMTLS as proposed by Schwabe et.al. [1, 2].
The implementation is compatible with the reference implementation by @thomwiggers and @claucece. It is based on the yet to be merged TLS 1.3 client implementation in Botan.
The TLS key exchange is performed using Botan's Kyber implementation. Certificate signature checks are omitted for now as Dilithium is not yet implemented.
This work is funded by the German Bundesministerium für Bildung und Forschung as part of the KBLS project (see also Botan Issue #2500).
How to run this code
1. Run the rustls server
Follow the instructions in thomwiggers/kemtls-experiment, but configure the server certificate to use Kyber rather than Dilithium (i.e. set
LEAF_ALG=Kyber512).2. Configure and compile Botan
3. Run the KEMTLS client
This step assumes that the rustls server is running on port 8443.
The
./botan tls_clientwill perform a TLS handshake and then wait for application data on stdin. Simply enter "GET /" to communicate with the rustls server after a successful handshake.Note that the underlying TLS 1.3 implementation will detect the KEMTLS negotiation in the Server Hello and will behave accordingly. Hence, the
./botan tls_clientinvocation will happily speak with cloudflare.com as well.At the time of this writing the Dilithium2 implementation was still under way. Once this is done, one should be able to verify the KEMTLS test server's certificate chain with:
Obtaining kemtls.root.pem
After generating the docker image, pull up a container from it:
And extract the freshly generated root certificate:
Store this PEM container as
kemtls.root.pemand launch the Botan KEMTLS client as stated above.References
[1] Schwabe, Peter, Douglas Stebila, and Thom Wiggers. "Post-quantum TLS without handshake signatures." Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020.