- Newest
- Most votes
- Most comments
PQ key exchange is different in TLS1.2 vs TLS1.3.
The old TLS1.2 mechanism involved a cipher suite (ECDHE-KYBER-RSA-AES256-GCM-SHA384 in your example) and a KEM (kyber512r3 in your example). In TLS1.2, the key exchange method is defined by the cipher suite. The old TLS1.2 mechanism is not recommended and may be removed from s2n-tls.
The new TLS1.3 mechanism only involves a KEM group (x25519_kyber-512-r3 in your example). In TLS1.3, key exchange and cipher suite are independent, so PQ key exchange is unrelated to the cipher suite negotiated. Notice that the negotiated cipher suite (TLS_AES_256_GCM_SHA384) only defines an encryption algorithm ("AES256-GCM") and a hash algorithm ("SHA384"). In TLS1.3, key exchange method is defined by the "supported_groups" extension instead of the cipher suite. For PQ support, "hybrid PQ key exchange" is used, which means negotiating a PQ algorithm alongside the classical group. Notice that the "KEM group" includes both the classical "x25519" and the PQ "kyber512" options. That ensures you get the benefits of both classical and PQ key exchange, which is safer than using either alone.
So it looks to me like both your handshakes successfully used PQ, but you should prefer the TLS1.3 one.
+1 to everything that lrstewart@ has said here. Only one of
KEM
orKEM Group
will ever be populated during a TLS handshake, as they are using different TLS extensions to negotiate PQ (Ciphersuite vs SupportedGroup) and only one of them can be selected.KEM
is used for TLS 1.2, andKEM Group
is used for TLS 1.3. It is likely that the PQ TLS 1.2KEM
will eventually be removed from s2n in favor of the PQ TLS 1.3KEM Group
.Also, there are relevant workshop materials at the below links on how to capture and analyze PQ TLS 1.3 handshakes to KMS endpoints using s2nc that you may find helpful:
Found another cipher suite that is working.
It seem to use TLS1.3 now (proto version and MIDDLEBOX_COMPAT), however the negotiated cipher is no longer consist of Kyber. Also, the KEM (Key Encapsulation Mechnism) is set to NONE but there is now a KEM Group.
Potentially, this lacks only the proper explanation, but how do I connect to an KMS endpoint by using TLS1.3 and PQ-Ciphers?
[ec2-user@ip-172-31-0-117 bin]$ ./s2nc -c PQ-TLS-1-0-2021-05-23 kms.eu-central-2.amazonaws.com
CONNECTED:
Handshake: NEGOTIATED|FULL_HANDSHAKE|MIDDLEBOX_COMPAT
Client hello version: 33
Client protocol version: 34
Server protocol version: 34
Actual protocol version: 34
Server name: kms.eu-central-2.amazonaws.com
Curve: NONE
KEM: NONE
KEM Group: x25519_kyber-512-r3
Cipher negotiated: TLS_AES_256_GCM_SHA384
Server signature negotiated: RSA-PSS-RSAE+SHA256
Early Data status: NOT REQUESTED
Wire bytes in: 6586
Wire bytes out: 1224
s2n is ready
Connected to kms.eu-central-2.amazonaws.com:443
Relevant content
- Accepted Answerasked 3 years ago
- asked 3 years ago
- Accepted Answerasked 6 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 5 months ago
Not sure if you had chance to look at these materials: https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html https://github.com/aws-samples/aws-kms-pq-tls-example