GSS-API Key Exchange with hybrid ML-KEM

In new SSH key exchange algorithms based on PQ/T Hybrid Key Exchange Methods are introduced. We reuse much of section 2 of to define GSS-API-authenticated PQ/T Hybrid Key Exchanges.

This section reuses much of the scheme defined in Section 2.1 of and combines it with the scheme defined in Section 2 of ; in particular, all checks and verification steps prescribed in Section 2.1 of apply here as well. This section defers to as the source of information on GSS-API context establishment operations, Section 3 being the most relevant. All Security Considerations described in apply here too. A GSS Context is established according to Section 4 of ; The client initiates the establishment using GSS_Init_sec_context() and the server responds to it using GSS_Accept_sec_context(). For the negotiation, the client MUST set mutual_req_flag and integ_req_flag to "true". In addition, deleg_req_flag MAY be set to "true" to request access delegation, if requested by the user. Since the key exchange process authenticates only the host, the setting of anon_req_flag is immaterial to this process. If the client does not support the "gssapi-keyex" user authentication method described in Section 4 of , or does not intend to use that method in conjunction with the GSS-API context established during key exchange, then anon_req_flag SHOULD be set to "true". Otherwise, this flag MAY be set to true if the client wishes to hide its identity. This key exchange process will exchange only a single message token once the context has been established, therefore the replay_det_req_flag and sequence_req_flag SHOULD be set to "false". The client MUST include its Traditional public key and Post-Quantum encapsulation key with the first message it sends to the server during this process; if the server receives more than one key or none at all, the key exchange MUST fail. That is, the Q_C field of SSH_MSG_KEXGSS_INIT must contain the concatenation of C_PK2 and C_PK1 from section 2.1 of . During GSS Context establishment multiple tokens may be exchanged by the client and the server. When the GSS Context is established (major_status is GSS_S_COMPLETE) the parties check that mutual_state and integ_avail are both "true". If not the key exchange MUST fail. When the GSS Context is established, the Q_S field in server's SSH_MSG_KEXGSS_COMPLETE message needs to contain the concatenation of of S_CT2 and S_PK1 from section 2.1 of . Once a party receives the peer's public key it proceeds to compute a shared secret K. This is done as specified in section 2.4 of . To verify the integrity of the handshake, peers use the Hash Function defined by the selected Key Exchange method to calculate H: H = hash(V_C || V_S || I_C || I_S || K_S || Q_C || Q_S || K). The GSS_GetMIC() call is used by the server with H as the payload and generates a MIC. The GSS_VerifyMIC() call is used by the client to verify the MIC. If any GSS_Init_sec_context() or GSS_Accept_sec_context() returns a major_status other than GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED, or any other GSS-API call returns a major_status other than GSS_S_COMPLETE, the key exchange MUST fail. The same recommendations expressed in Section 2.1 of are followed with regards to error reporting. The following is an overview of the key exchange process:

Client Server ------ ------ Generate ephemeral key pairs. Calls GSS_Init_sec_context(). SSH_MSG_KEXGSS_INIT ---------------> Verify received keys are valid. (Optional) <------------- SSH_MSG_KEXGSS_HOSTKEY (Loop) | Calls GSS_Accept_sec_context(). | <------------ SSH_MSG_KEXGSS_CONTINUE | Calls GSS_Init_sec_context(). | SSH_MSG_KEXGSS_CONTINUE ------------> Calls GSS_Accept_sec_context(). Generate ephemeral key pair and encapsulate key. Compute shared secret. Computes hash H. Calls GSS_GetMIC( H ) = MIC. <------------ SSH_MSG_KEXGSS_COMPLETE Verify received key is valid, decapsulate key. Compute shared secret. Compute hash = H Calls GSS_VerifyMIC( MIC, H ) This is implemented with the following messages:

The client sends: byte SSH_MSG_KEXGSS_INIT string output_token (from GSS_Init_sec_context()) string Q_C, client's ephemeral public keys octet string

The server may responds with: byte SSH_MSG_KEXGSS_HOSTKEY string server public host key and certificates (K_S)

The server sends: byte SSH_MSG_KEXGSS_CONTINUE string output_token (from GSS_Accept_sec_context()) Each time the client receives the message described above, it makes another call to GSS_Init_sec_context().

The client sends: byte SSH_MSG_KEXGSS_CONTINUE string output_token (from GSS_Init_sec_context())

As the final message the server sends either: byte SSH_MSG_KEXGSS_COMPLETE string Q_S, server's ephemeral public key and encapsulated key octet string string mic_token (MIC of H) boolean TRUE string output_token (from GSS_Accept_sec_context())

Or the following if no output_token is available: byte SSH_MSG_KEXGSS_COMPLETE string Q_S, server's ephemeral public key and encapsulated key octet string string mic_token (MIC of H) boolean FALSE

The hash H is computed as the HASH hash of the concatenation of the following: string V_C, the client's version string (CR, NL excluded) string V_S, server's version string (CR, NL excluded) string I_C, payload of the client's SSH_MSG_KEXINIT string I_S, payload of the server's SSH_MSG_KEXINIT string K_S, server's public host key string Q_C, client's ephemeral public keys octet string string Q_S, server's ephemeral public key and encapsulated key octet string mpint K, shared secret This value is called the exchange hash, and it is used to authenticate the key exchange. The exchange hash SHOULD be kept secret. If no SSH_MSG_KEXGSS_HOSTKEY message has been sent by the server or received by the client, then the empty string is used in place of K_S when computing the exchange hash. Since this key exchange method does not require the host key to be used for any encryption operations, the SSH_MSG_KEXGSS_HOSTKEY message is OPTIONAL. If the "null" host key algorithm described in Section 5 of is used, this message MUST NOT be sent. If the client receives a SSH_MSG_KEXGSS_CONTINUE message after a call to GSS_Init_sec_context() has returned a major_status code of GSS_S_COMPLETE, a protocol error has occurred and the key exchange MUST fail. If the client receives a SSH_MSG_KEXGSS_COMPLETE message and a call to GSS_Init_sec_context() does not result in a major_status code of GSS_S_COMPLETE, a protocol error has occurred and the key exchange MUST fail.

The following new key exchange methods are defined: Key Exchange Method Name Implementation Recommendations gss-mlkem768nistp256-sha256-*SHOULD/RECOMMENDED gss-mlkem1024nistp384-sha384-*MAY/OPTIONAL gss-mlkem768x25519-sha256-*SHOULD/RECOMMENDED Each key exchange method is implicitly registered by this document. The IESG is considered to be the owner of all these key exchange methods; this does NOT imply that the IESG is considered to be the owner of the underlying GSS-API mechanism. Each method in any family of methods specifies GSS-API-authenticated Post-Quantum Traditional Hybrid key exchanges as described in . The method name for each method is the concatenation of the family method name with the Base64 encoding of the MD5 hash of the ASN.1 DER encoding of the underlying GSS-API mechanism's OID. Base64 encoding is described in Section 6.8 of . Family method refences Family Name prefix Hash Function Parameters / Function Name Definition gss-mlkem768nistp256-sha256-SHA-256mlkem768nistp256 Section 2.3.1 of gss-mlkem1024nistp384-sha384-SHA-384mlkem1024nistp384 Section 2.3.2 of gss-mlkem768x25519-sha256-SHA-256mlkem768x25519 Section 2.3.3 of