Debian Bug report logs - #803787
[strongswan] Enable post-quantum algorithms

Package: strongswan; Maintainer for strongswan is strongSwan Maintainers <[email protected]>; Source for strongswan is src:strongswan.

Reported by: nicoo <[email protected]>

Date: Mon, 2 Nov 2015 19:45:01 UTC

Severity: wishlist

Tags: patch



Report forwarded to [email protected], [email protected], strongSwan Maintainers <[email protected]>:
Bug#803787; Package strongswan. (Mon, 02 Nov 2015 19:45:05 GMT)

Acknowledgement sent to Nicolas Braud-Santoni <[email protected]>:
New Bug report received and forwarded. Copy sent to [email protected], strongSwan Maintainers <[email protected]>. (Mon, 02 Nov 2015 19:45:05 GMT)

Message #5 received at [email protected]:

From: Nicolas Braud-Santoni <[email protected]>
To: [email protected]
Subject: [strongswan] Enable post-quantum algorithms
Date: Mon, 2 Nov 2015 20:36:06 +0100
Package: strongswan
Severity: wishlist
X-Debbugs-CC: [email protected]

--- Please enter the report below this line. ---
Dear maintainers,

The NTRU and BLISS post-quantum cryptosystems are available in strongswan
(releases 5.1.2 and 5.2.2, respectively).

Please enable the corresponding --enable-ntru and --enable-bliss configure
flags.  Including 5.2.2 in the next point-release would be appreciated too,
though a backport might be more relevant in that case: in 5.3, Strongswan
switched to the BLISS-B variant (with a global config option to revert to
BLISS).


Best,

  nicoo

Information forwarded to [email protected], strongSwan Maintainers <[email protected]>:
Bug#803787; Package strongswan. (Mon, 02 Nov 2015 20:09:19 GMT)

Acknowledgement sent to Yves-Alexis Perez <[email protected]>:
Extra info received and forwarded to list. Copy sent to strongSwan Maintainers <[email protected]>. (Mon, 02 Nov 2015 20:09:19 GMT)

Message #10 received at [email protected]:

From: Yves-Alexis Perez <[email protected]>
To: Nicolas Braud-Santoni <[email protected]>, [email protected]
Subject: Re: [Pkg-swan-devel] Bug#803787: [strongswan] Enable post-quantum algorithms
Date: Mon, 02 Nov 2015 21:06:38 +0100
On lun., 2015-11-02 at 20:36 +0100, Nicolas Braud-Santoni wrote:
> The NTRU and BLISS post-quantum cryptosystems are available in strongswan
> (releases 5.1.2 and 5.2.2, respectively).

There's a lot of stuff available in strongSwan. We don't actually enable
everything, on purpose.
> 
> Please enable the corresponding --enable-ntru and --enable-bliss configure
> flags.

Could you elaborate on that? Why would we do that? (besides “to provide those
plugins“)

>   Including 5.2.2 in the next point-release would be appreciated too,
> though a backport might be more relevant in that case: in 5.3, Strongswan
> switched to the BLISS-B variant (with a global config option to revert to
> BLISS).

Point release update won't happen. I can't talk about backports, I'm not
interested in them right now.

Regards,
-- 
Yves-Alexis


Information forwarded to [email protected], strongSwan Maintainers <[email protected]>:
Bug#803787; Package strongswan. (Tue, 03 Nov 2015 16:03:08 GMT)

Acknowledgement sent to Yves-Alexis Perez <[email protected]>:
Extra info received and forwarded to list. Copy sent to strongSwan Maintainers <[email protected]>. (Tue, 03 Nov 2015 16:03:08 GMT)

Message #15 received at [email protected]:

From: Yves-Alexis Perez <[email protected]>
To: Nicolas Braud-Santoni <[email protected]>, [email protected]
Subject: Re: [Pkg-swan-devel] Bug#803787: [strongswan] Enable post-quantum algorithms
Date: Tue, 03 Nov 2015 17:01:00 +0100
On mar., 2015-11-03 at 16:56 +0100, Nicolas Braud-Santoni wrote:
> Post-quantum key-exchange, as provided by NTRU, is needed by users who want to provide
> forward-secrecy in the mid/long-term, given that quantum computers might become a legitimate
> threat within the next 5 or 10 years (and we are aware that some people do collect and save
> traffic for later cryptanalysis).

I'm not sure I want to debate about the security of DH, ECDH and other key-
exchange mechanisms (and especially for passive attackers), but I'm not really
a huge fan of enabling more code to an already quite complex stack.

In any case, if we decide to enable this, it'll be in the extra plugins binary
package.

Regards,
-- 
Yves-Alexis


Information forwarded to [email protected], strongSwan Maintainers <[email protected]>:
Bug#803787; Package strongswan. (Tue, 03 Nov 2015 16:03:17 GMT)

Acknowledgement sent to Nicolas Braud-Santoni <[email protected]>:
Extra info received and forwarded to list. Copy sent to strongSwan Maintainers <[email protected]>. (Tue, 03 Nov 2015 16:03:17 GMT)

Message #20 received at [email protected]:

From: Nicolas Braud-Santoni <[email protected]>
To: Yves-Alexis Perez <[email protected]>, [email protected]
Subject: Re: [Pkg-swan-devel] Bug#803787: [strongswan] Enable post-quantum algorithms
Date: Tue, 3 Nov 2015 16:56:00 +0100
Hello,

On Mon, Nov 02, 2015 at 09:06:38PM +0100, Yves-Alexis Perez wrote:
> On lun., 2015-11-02 at 20:36 +0100, Nicolas Braud-Santoni wrote:
> > The NTRU and BLISS post-quantum cryptosystems are available in strongswan
> > (releases 5.1.2 and 5.2.2, respectively).
> 
> There's a lot of stuff available in strongSwan. We don't actually enable
> everything, on purpose.

Post-quantum key-exchange, as provided by NTRU, is needed by users who want to provide
forward-secrecy in the mid/long-term, given that quantum computers might become a legitimate
threat within the next 5 or 10 years (and we are aware that some people do collect and save
traffic for later cryptanalysis).

BLISS, while potentially nice-to-have, is (in my opinion) less of an immediate concern given the
unlikelihood of the signature schemes currently available in strongswan being broken.  The
difference here being that migrating to safer signature scheme might happen as needed (modulo the
time required to deploy new configuration), whereas future threat against the encryption
(including key-exchange) threaten the forward-secrecy of traffic being currently exchanged.

> Point release update won't happen. I can't talk about backports, I'm not
> interested in them right now.
Ok.


Best regards,

  nicoo

Information forwarded to [email protected], strongSwan Maintainers <[email protected]>:
Bug#803787; Package strongswan. (Mon, 30 Nov 2015 21:45:07 GMT)

Acknowledgement sent to Gerald Turner <[email protected]>:
Extra info received and forwarded to list. Copy sent to strongSwan Maintainers <[email protected]>. (Mon, 30 Nov 2015 21:45:07 GMT)

Message #25 received at [email protected]:

From: Gerald Turner <[email protected]>
To: [email protected]
Subject: Re: [Pkg-swan-devel] Bug#803787: [strongswan] Enable post-quantum algorithms
Date: Mon, 30 Nov 2015 13:34:24 -0800
Hello,

I am also interested in the NTRU key exchange algorithm for the same
reasons Nicolas Braud-Santoni explains.  Prior to realizing that this
bug existed, I had tested the strongswan with the attached patch which
enables additional plugins.

Note that I enabled BLISS but have no intention of using it due to the
requirement of having to redeploy certificates.

Also note that I enabled ChaCha20/Poly1305, which would be interesting
to use on systems which don't have AES-NI CPU instructions, but
unfortunately I do not have enough hosts running a 4.2 kernel so I
cannot test this cipher at the moment.  FYI, Linux 4.2 is required to
use this cipher, otherwise error "received netlink error: Function not
implemented (38)" occurs while adding SAD entries.  Very similar to the
problem of enabling AES-GCM-256 on kernels older than ~4.1.

Finally note that I enabled SHA3 but hadn't tested with it because I'm
using AEAD ciphers exclusively.

Let me know if it would be at all useful for me to clean up the patch
such that it only enables NTRU.

-- 
Gerald Turner <[email protected]>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
[0002-Configure-and-install-bliss-chapoly-ntru-and-sha3-pl.patch (text/x-diff, inline)]
From 75df33a0622731cb3e0760ed3543b2f5845b476d Mon Sep 17 00:00:00 2001
From: Gerald Turner <Gerald Turner [email protected]>
Date: Thu, 26 Nov 2015 16:01:46 -0800
Subject: [PATCH 2/2] Configure and install bliss, chapoly, ntru, and sha3
 plugins

---
 debian/changelog                           |  1 +
 debian/control                             |  4 ++++
 debian/libstrongswan-extra-plugins.install | 12 ++++++++++++
 debian/rules                               |  1 +
 4 files changed, 18 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 4182835..3fc87ee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ strongswan (5.3.4-1.1) UNRELEASED; urgency=medium
 
   * debian/rules:
     - enable the aesni plugin.
+    - enable bliss, chapoly, ntru, and sha3 plugins.
 
  -- Gerald Turner <[email protected]>  Thu, 26 Nov 2015 15:17:09 -0800
 
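Review bot: the debian/changelog hunk does not apply on its own against the maintainers' tree: it amends an UNRELEASED entry with an NMU-style version (5.3.4-1.1), signed by the patch author, whose existing line "enable the aesni plugin" comes from a [PATCH 1/2] that is not attached here. Drop the changelog hunk from the submission and let the maintainers write the entry, or rebase it so it does not depend on the missing first patch.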
diff --git a/debian/control b/debian/control
index 4717b1e..e1f61c9 100644
--- a/debian/control
+++ b/debian/control
@@ -124,6 +124,10 @@ Description: strongSwan utility and crypto library (extra plugins)
     rdrand instruction found on Ivy Bridge processors)
   - aesni (AES crypto primitives using Intel AES-NI and PCLMULQDQ instructions
     found on Ivy Bridge processors)
+  - bliss (BLISS post-quantum signature scheme)
+  - chapoly (ChaCha20/Poly1305 AEAD cipher)
+  - ntru (NTRU lattice-based post-quantum encryption algorithm)
+  - sha3 (SHA3 Keccak-F1600 hash algorithm family)
   - test-vectors (Set of test vectors for various algorithms)
 
 Package: libcharon-extra-plugins
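Review bot: the chapoly line in the "Included plugins" list says nothing about the kernel requirement given in the cover mail (Linux 4.2 for ESP use, otherwise "received netlink error: Function not implemented (38)" when the SA is added), and the ntru line calls NTRU an "encryption algorithm" although the plugin is used as an IKE key exchange. Suggest "- chapoly (ChaCha20/Poly1305 AEAD cipher; ESP use needs Linux >= 4.2)" and describing ntru as a post-quantum key-exchange plugin, so users of the extra-plugins package know what they are getting.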
diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
index 2a7c209..2f08aa0 100644
--- a/debian/libstrongswan-extra-plugins.install
+++ b/debian/libstrongswan-extra-plugins.install
@@ -6,6 +6,10 @@ usr/lib/ipsec/plugins/libstrongswan-curl.so
 usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
 usr/lib/ipsec/plugins/libstrongswan-ldap.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+usr/lib/ipsec/plugins/libstrongswan-bliss.so
+usr/lib/ipsec/plugins/libstrongswan-chapoly.so
+usr/lib/ipsec/plugins/libstrongswan-ntru.so
+usr/lib/ipsec/plugins/libstrongswan-sha3.so
 usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
 # default configuration files
 usr/share/strongswan/templates/config/plugins/ccm.conf
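Review bot: the four new .so lines are inserted as a block between pkcs11 and test-vectors, breaking the alphabetical order the rest of this list keeps (ccm, cmac, ctr, curl, gcrypt, ldap, pkcs11, test-vectors). Put bliss and chapoly before ccm, ntru between ldap and pkcs11, and sha3 between pkcs11 and test-vectors; the same applies to the template and conffile lists in the two hunks that follow.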
@@ -15,6 +19,10 @@ usr/share/strongswan/templates/config/plugins/curl.conf
 usr/share/strongswan/templates/config/plugins/gcrypt.conf
 usr/share/strongswan/templates/config/plugins/ldap.conf
 usr/share/strongswan/templates/config/plugins/pkcs11.conf
+usr/share/strongswan/templates/config/plugins/bliss.conf
+usr/share/strongswan/templates/config/plugins/chapoly.conf
+usr/share/strongswan/templates/config/plugins/ntru.conf
+usr/share/strongswan/templates/config/plugins/sha3.conf
 usr/share/strongswan/templates/config/plugins/test-vectors.conf
 etc/strongswan.d/charon/ccm.conf
 etc/strongswan.d/charon/cmac.conf
@@ -23,4 +31,8 @@ etc/strongswan.d/charon/curl.conf
 etc/strongswan.d/charon/gcrypt.conf
 etc/strongswan.d/charon/ldap.conf
 etc/strongswan.d/charon/pkcs11.conf
+etc/strongswan.d/charon/bliss.conf
+etc/strongswan.d/charon/chapoly.conf
+etc/strongswan.d/charon/ntru.conf
+etc/strongswan.d/charon/sha3.conf
 etc/strongswan.d/charon/test-vectors.conf
diff --git a/debian/rules b/debian/rules
index 3c8e139..be5c182 100755
--- a/debian/rules
+++ b/debian/rules
@@ -22,6 +22,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 		--enable-error-notify \
 		--enable-unity \
 		--enable-connmark \
+		--enable-bliss --enable-chapoly --enable-ntru --enable-sha3 \
 		--disable-blowfish --disable-des # BSD-Young license
 	#--with-user=strongswan --with-group=nogroup
 	#	--enable-kernel-pfkey --enable-kernel-klips \
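Review bot: the added line bundles four --enable flags on one line while the surrounding CONFIGUREARGS entries are one flag per line (--enable-error-notify, --enable-unity, --enable-connmark). Split it to match; that also keeps the trimmed variant the cover mail offers (NTRU only, with the untested chapoly dropped) to a one-line diff.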
-- 
2.6.2

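A pre-flight check for the kernel requirement Gerald describes above, as an added example that is not part of the bug report or of strongSwan's own code. It separates the two things that must both be true before an AEAD suite works: charon must have loaded the plugin that provides it for IKE (assumed names: chapoly, gcm), and the kernel must be able to install the ESP SA, which per the report needs Linux 4.2 for ChaCha20/Poly1305 and roughly 4.1 for AES-GCM-256. The /proc/crypto template names are an assumption about how the kernel registers the ESP transforms, and the `ipsec statusall` and /proc/crypto inputs below are constructed samples, not captures.

```python
"""Pre-flight check for a strongSwan AEAD suite (added example, not project code)."""
import re

# Minimum kernel for installing the ESP SA, as stated in the bug report.
MIN_KERNEL = {
    "chacha20poly1305": (4, 2),
    "aes256gcm16": (4, 1),   # the reporter wrote "~4.1"
}

# Assumed /proc/crypto names of the ESP templates.  Templates are instantiated
# lazily, so a missing entry is inconclusive; a present entry proves support.
PROC_CRYPTO_NAME = {
    "chacha20poly1305": "rfc7539esp(chacha20,poly1305)",
    "aes256gcm16": "rfc4106(gcm(aes))",
}

# Assumed charon plugin that provides each suite for the IKE proposal.
IKE_PLUGIN = {"chacha20poly1305": "chapoly", "aes256gcm16": "gcm"}

# Error the report says charon logs when the kernel refuses the SA.
NETLINK_ENOSYS = "received netlink error: Function not implemented (38)"

# Constructed sample of `ipsec statusall` output (not a real capture).
SAMPLE_STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.3.4, Linux 4.1.13-1-amd64, x86_64):
  uptime: 3 minutes, since Nov 30 13:00:00 2015
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0
  loaded plugins: charon aes sha1 sha2 random nonce x509 pubkey pkcs1 pem openssl chapoly ntru kernel-netlink socket-default stroke updown
"""

# Constructed sample in /proc/crypto format (not a real capture).
SAMPLE_PROC_CRYPTO = """\
name         : rfc7539esp(chacha20,poly1305)
driver       : rfc7539esp(chacha20-generic,poly1305-generic)
module       : kernel
type         : aead

name         : rfc4106(gcm(aes))
driver       : rfc4106(gcm_base(ctr(aes-aesni),ghash-generic))
module       : kernel
type         : aead
"""


def parse_kernel_version(release):
    """'4.1.13-1-amd64' -> (4, 1, 13); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unparseable kernel release: %r" % release)
    return tuple(int(x) for x in m.groups(default="0"))


def proc_crypto_names(text):
    """Set of 'name :' fields from /proc/crypto-formatted text."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("name")}


def loaded_plugins(statusall):
    """Plugin names from the 'loaded plugins:' line of `ipsec statusall`."""
    for line in statusall.splitlines():
        line = line.strip()
        if line.startswith("loaded plugins:"):
            return set(line.split(":", 1)[1].split())
    return set()


def kernel_supports_esp(suite, release, proc_crypto=""):
    """True if the kernel can install an ESP SA with this suite."""
    if PROC_CRYPTO_NAME[suite] in proc_crypto_names(proc_crypto):
        return True                      # positive proof beats the version heuristic
    return parse_kernel_version(release)[:2] >= MIN_KERNEL[suite]


def preflight(suite, release, proc_crypto="", statusall=""):
    """Return the list of problems; an empty list means the suite should work."""
    problems = []
    plugin = IKE_PLUGIN[suite]
    if plugin not in loaded_plugins(statusall):
        problems.append(f"charon has not loaded the {plugin} plugin; "
                        f"{suite} cannot be used in the IKE proposal")
    if not kernel_supports_esp(suite, release, proc_crypto):
        major, minor = MIN_KERNEL[suite]
        problems.append(f"kernel {release} is older than {major}.{minor}; "
                        f"expect '{NETLINK_ENOSYS}' when the ESP SA is added")
    return problems


if __name__ == "__main__":
    # On a real host: release = os.uname().release, proc_crypto = open('/proc/crypto').read(),
    # statusall = subprocess.run(['ipsec', 'statusall'], capture_output=True, text=True).stdout
    for suite in MIN_KERNEL:
        print(suite, preflight(suite, "4.1.13-1-amd64", "", SAMPLE_STATUSALL) or "OK")
```

Run against the constructed samples, the 4.1 kernel fails the ChaCha20/Poly1305 check with the exact netlink message from the report, while a /proc/crypto that already lists the rfc7539esp template passes regardless of the version string.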

Information forwarded to [email protected], strongSwan Maintainers <[email protected]>:
Bug#803787; Package strongswan. (Sun, 21 Feb 2016 17:03:15 GMT)

Acknowledgement sent to Nicolas Braud-Santoni <[email protected]>:
Extra info received and forwarded to list. Copy sent to strongSwan Maintainers <[email protected]>. (Sun, 21 Feb 2016 17:03:15 GMT)

Message #30 received at [email protected]:

From: Nicolas Braud-Santoni <[email protected]>
To: [email protected]
Subject: Re: [strongswan] Enable post-quantum algorithms
Date: Sun, 21 Feb 2016 17:51:26 +0100
In an out-of-band conversation with corsac, it appeared that I didn't
  make my point clearly enough, so here is a recap:

- It is known that nation-state adversaries, interested in mass
  surveillance, are currently recording encrypted traffic they observe,
  in the hope of being able to decrypt it in the future (by obtaining
  the keys or through cryptanalytic means).
- Currently available key exchange mechanisms are all broken by a
  passive, quantum adversary.
- Hence, the forward-secrecy of **currently-transmitted traffic** lasts
  at most as long as nation-state adversaries do not obtain quantum
  computers.
- While quantum computers do not exist yet [0], estimates on the time
  before discovery vary wildly, from 5 to 50 years.


In that light, having a post-quantum kex makes sense.  The NTRU scheme
  has been first formulated 20 years ago and has withstood serious
  scrutiny.  Interestingly, the PQCRYPTO workgroup is evaluating
  the Stehle–Steinfeld variant (not the one available in StrongSwan)
  for long-term security [1].


Note that this is purely about making future mass surveillance, assisted
  by quantum computers, more costly.  This isn't about targeted
  attacks against a specific IPSec deployment (where the situation is
  much more complex, and endpoint security plays a more prevalent role).


[0]: The DWave machines are quantum annealers, and aren't known to be
     able to run Shor's or Grover's algorithms, nor any other
     algorithm relevant for cryptanalysis.

[1]: http://pqcrypto.eu.org/docs/initial-recommendations.pdf

Information forwarded to [email protected], strongSwan Maintainers <[email protected]>:
Bug#803787; Package strongswan. (Sun, 23 Apr 2017 22:21:03 GMT)

Acknowledgement sent to Gerald Turner <[email protected]>:
Extra info received and forwarded to list. Copy sent to strongSwan Maintainers <[email protected]>. (Sun, 23 Apr 2017 22:21:03 GMT)

Message #35 received at [email protected]:

From: Gerald Turner <[email protected]>
To: [email protected]
Subject: Re: [Pkg-swan-devel] Bug#803787: [strongswan] Enable post-quantum algorithms
Date: Sun, 23 Apr 2017 15:16:40 -0700
Control: tags -1 + patch

Hi, this is a cleanup of the previously submitted patch.  The mgf1
plugin was added in 5.5.1 and is a dependency of bliss (and newhope)
plugins.  I removed chapoly from the patch as it has its own bug report
(bug #814927).  FYI newhope, another post-quantum key exchange
algorithm, was added in 5.5.1, but I'll be opening a separate bug
report/patch.

---
 debian/control                             |  4 ++++
 debian/libstrongswan-extra-plugins.install | 11 +++++++++++
 debian/rules                               |  2 ++
 3 files changed, 17 insertions(+)

diff --git a/debian/control b/debian/control
index 59e08ce9..a7d84fd7 100644
--- a/debian/control
+++ b/debian/control
@@ -140,6 +140,8 @@ Description: strongSwan utility and crypto library (extra plugins)
  Included plugins are:
   - af-alg [linux] (AF_ALG Linux crypto API interface, provides
     ciphers/hashers/hmac/xcbc)
+  - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer
+    signature scheme)
   - ccm (CCM cipher mode wrapper)
   - cmac (CMAC cipher mode wrapper)
   - ctr (CTR cipher mode wrapper)
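Review bot: the bliss entry describes the scheme but carries none of the caveat upstream later gave in this bug (Message #44: a potential local side-channel attack on strongSwan's BLISS implementation, https://eprint.iacr.org/2017/505, and advice that enabling the plugin "is probably not such a good idea"). Either mark the plugin as experimental in the description and note that it pulls in mgf1, or drop --enable-bliss together with the bliss and mgf1 lines in debian/control and the install file, since mgf1 is only here as a bliss dependency according to the cover mail.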
@@ -147,7 +149,9 @@ Description: strongSwan utility and crypto library (extra plugins)
   - gcrypt (Crypto backend based on libgcrypt, provides
     RSA/DH/ciphers/hashers/rng)
   - ldap (LDAP fetching plugin based on libldap)
+  - mgf1 (MGF1 mask generation function)
   - mysql (MySQL database backend based on libmysqlclient)
+  - ntru (Key exchange based on post-quantum computer NTRU encryption)
   - padlock (VIA padlock crypto backend, provides AES128/SHA1)
   - pkcs11 (PKCS#11 smartcard backend)
   - rdrand (High quality / high performance random source using the Intel
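Review bot: the ntru description should say that NTRU key exchange in IKEv2 is not standardised and uses transform identifiers from the private-use range (Message #44 in this bug), which in practice means it only negotiates between strongSwan peers that both enable the plugin. Suggest "- ntru (post-quantum NTRU key exchange; non-standard private-use IKEv2 identifiers, strongSwan-to-strongSwan only)" so the interoperability limit is visible before someone puts it in a proposal.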
diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
index e5f8baac..6bd32976 100644
--- a/debian/libstrongswan-extra-plugins.install
+++ b/debian/libstrongswan-extra-plugins.install
@@ -1,37 +1,48 @@
 # libstrongswan plugins
+usr/lib/ipsec/plugins/libstrongswan-bliss.so
 usr/lib/ipsec/plugins/libstrongswan-ccm.so
 usr/lib/ipsec/plugins/libstrongswan-cmac.so
 usr/lib/ipsec/plugins/libstrongswan-ctr.so
 usr/lib/ipsec/plugins/libstrongswan-curl.so
 usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
 usr/lib/ipsec/plugins/libstrongswan-ldap.so
+usr/lib/ipsec/plugins/libstrongswan-mgf1.so
 usr/lib/ipsec/plugins/libstrongswan-mysql.so
+usr/lib/ipsec/plugins/libstrongswan-ntru.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
 usr/lib/ipsec/plugins/libstrongswan-sqlite.so
 usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
 usr/lib/ipsec/plugins/libstrongswan-unbound.so
 # default configuration files
+usr/share/strongswan/templates/config/plugins/bliss.conf
 usr/share/strongswan/templates/config/plugins/ccm.conf
 usr/share/strongswan/templates/config/plugins/cmac.conf
 usr/share/strongswan/templates/config/plugins/ctr.conf
 usr/share/strongswan/templates/config/plugins/curl.conf
 usr/share/strongswan/templates/config/plugins/gcrypt.conf
 usr/share/strongswan/templates/config/plugins/ldap.conf
+usr/share/strongswan/templates/config/plugins/mgf1.conf
 usr/share/strongswan/templates/config/plugins/mysql.conf
+usr/share/strongswan/templates/config/plugins/ntru.conf
 usr/share/strongswan/templates/config/plugins/pkcs11.conf
 usr/share/strongswan/templates/config/plugins/sqlite.conf
 usr/share/strongswan/templates/config/plugins/test-vectors.conf
 usr/share/strongswan/templates/config/plugins/unbound.conf
 usr/share/strongswan/templates/database/sql/mysql.sql
 usr/share/strongswan/templates/database/sql/sqlite.sql
+etc/strongswan.d/charon/bliss.conf
 etc/strongswan.d/charon/ccm.conf
 etc/strongswan.d/charon/cmac.conf
 etc/strongswan.d/charon/ctr.conf
 etc/strongswan.d/charon/curl.conf
 etc/strongswan.d/charon/gcrypt.conf
 etc/strongswan.d/charon/ldap.conf
+etc/strongswan.d/charon/mgf1.conf
 etc/strongswan.d/charon/mysql.conf
+etc/strongswan.d/charon/ntru.conf
 etc/strongswan.d/charon/pkcs11.conf
 etc/strongswan.d/charon/sqlite.conf
 etc/strongswan.d/charon/test-vectors.conf
 etc/strongswan.d/charon/unbound.conf
+# support libs
+usr/lib/ipsec/libnttfft.so*
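Review bot: "usr/lib/ipsec/libnttfft.so*" is a glob over a shared library, not a plugin; it ships both the versioned library and the unversioned .so symlink in libstrongswan-extra-plugins, and the "# support libs" comment is the only hint of why it is there. Say in the comment that bliss needs it (per the cover mail, mgf1/bliss are the consumers), check whether the unversioned symlink should be installed at all since nothing else in this file ships one, and confirm dpkg-shlibdeps resolves the plugins' dependency on a library living under /usr/lib/ipsec.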
diff --git a/debian/rules b/debian/rules
index 08c8aa09..d99b21c6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 		--enable-addrblock \
 		--enable-agent \
 		--enable-attr-sql \
+		--enable-bliss \
 		--enable-ccm \
 		--enable-certexpire \
 		--enable-cmd \
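Review bot: only --enable-bliss is added here, yet the install file expects libstrongswan-mgf1.so and both mgf1.conf files; the cover mail says mgf1 is a dependency of bliss, so confirm that configure enables mgf1 implicitly when bliss is enabled, and if it does not, add an explicit --enable-mgf1 (alphabetically between --enable-mediation and --enable-mysql in the next hunk) so dh_install does not fail on the missing plugin.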
@@ -32,6 +33,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 		--enable-lookip \
 		--enable-mediation \
 		--enable-mysql \
+		--enable-ntru \
 		--enable-openssl \
 		--enable-pkcs11 \
 		--enable-sqlite \
-- 
Gerald Turner <[email protected]>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D

Added tag(s) patch. Request was from Gerald Turner <[email protected]> to [email protected]. (Sun, 23 Apr 2017 22:21:03 GMT)


Changed Bug submitter to 'Nicolas Braud-Santoni <[email protected]>' from 'Nicolas Braud-Santoni <[email protected]>'. Request was from Nicolas Braud-Santoni <[email protected]> to [email protected]. (Thu, 15 Nov 2018 18:12:29 GMT)


Information forwarded to [email protected], strongSwan Maintainers <[email protected]>:
Bug#803787; Package strongswan. (Tue, 10 Mar 2020 07:06:03 GMT)

Acknowledgement sent to Christian Ehrhardt <[email protected]>:
Extra info received and forwarded to list. Copy sent to strongSwan Maintainers <[email protected]>. (Tue, 10 Mar 2020 07:06:03 GMT)

Message #44 received at [email protected]:

From: Christian Ehrhardt <[email protected]>
To: [email protected]
Subject: Info on BLISS
Date: Tue, 10 Mar 2020 08:01:34 +0100
I recently had a discussion on this for [1][2] and enabled it in Ubuntu.
Out of that I'd want to let you know what upstream (Thanks Tobias) let me
know about it as it would matter for this bug here as well.
Quoting from [3]:

"Enabling the bliss Plugin is probably not such a good idea. There is a
potential local side-channel attack on strongSwan's BLISS implementation (
https://eprint.iacr.org/2017/505).

The ntru plugin should be fine. However, using NTRU with IKEv2 is not
standardized (uses algorithm identifiers from the private use range
etc.).

Multiple IKEv2 protocol extensions are currently being developed, for
instance, additional exchanges to use fragmentation during the key exchange
or using multiple and more generic key exchanges, in particular,
post-quantum key encapsulation mechanisms (KEM, of which most have quite
large public keys). The latter (plus signature algorithms) are currently
being standardized by NIST (
https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization)
and versions of NTRU are among the contenders in round 2 (
https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions).
BLISS is not, but CRYSTALS-DILITHIUM is designed by the same people. It
might be a while until strongSwan supports the protocol extensions (there
is a branch with a partial implementation) and especially the new
algorithms (we currently use the liboqs library in said branch,
https://github.com/open-quantum-safe/liboqs/)."

[1]: https://salsa.debian.org/debian/strongswan/-/merge_requests/8
[2]: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1863749
[3]:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1863749/comments/14

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

Changed Bug submitter to 'nicoo <[email protected]>' from 'Nicolas Braud-Santoni <[email protected]>'. Request was from nicoo <[email protected]> to [email protected]. (Tue, 29 Aug 2023 16:15:08 GMT)


Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 13:17:28 2025; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.