[TLS] Re: Disallowing reuse of ephemeral keys

Thom Wiggers <thom@thomwiggers.nl> Fri, 13 December 2024 12:17 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-eWfxuj53S4Om5jDHlHswJeQEu0>

Hi all,

> Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> 
> Richard Barnes <rlb@ipv.sx> writes:
> 
>> 3 seems like it encodes the expectation of most people for what the protocol
>> means.  If you're using a cipher suite labeled something like "ECDHE", it's
>> reasonable to expect that it's actually ephemeral,
> 
> I'd support 3 as well for the same reason, it says (EC)DH-Ephemeral, not
> (EC)DH-Possibly-Ephemeral-But-We-Cant-Guarantee-Anything-Who-Knows-What-You-
> Might-Get-Are-You-Feeling-Lucky.

I also agree with this point. If we include a MUST be ephemeral in RFC8446bis, then we send the clear signal that this is the way to do things. It is also the version of TLS 1.3 that was analyzed by the provable security people (though I don’t expect that it makes a difference other than making the proofs more complicated).

If we put this change in -bis, then the applications that don’t use true ephemeral keys will still be compliant with (though then superseded) RFC8446-not-bis, right? So even if we had a Protocol Police then those committing this particular Protocol Crime have some defense. ;-)

Cheers,

Thom Wiggers
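One way to check a deployment for the property this thread proposes to mandate, added here as an example and not part of the message or of any IETF text: it parses the key_share extension out of TLS 1.3 ServerHello records and flags any server key_exchange value that shows up in more than one handshake. The records are constructed inline (not captured traffic) and all function names are mine.

```python
import os
import struct
from collections import defaultdict

KEY_SHARE = 0x0033           # extension type, RFC 8446 section 4.2.8
SUPPORTED_VERSIONS = 0x002b
X25519 = 0x001d

def build_server_hello(group: int, key_exchange: bytes) -> bytes:
    """Construct a minimal TLS 1.3 ServerHello record (test input, not real traffic)."""
    exts = struct.pack(">HH", SUPPORTED_VERSIONS, 2) + b"\x03\x04"
    ks = struct.pack(">HH", group, len(key_exchange)) + key_exchange
    exts += struct.pack(">HH", KEY_SHARE, len(ks)) + ks
    body = (b"\x03\x03" + os.urandom(32)      # legacy_version, random
            + b"\x00"                         # empty legacy_session_id_echo
            + b"\x13\x01"                     # TLS_AES_128_GCM_SHA256
            + b"\x00"                         # legacy_compression_method
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body   # handshake type 2
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

def server_key_share(record: bytes) -> tuple[int, bytes]:
    """Return (group, key_exchange) from the key_share extension of a ServerHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    pos = 4 + 2 + 32                      # handshake header, legacy_version, random
    pos += 1 + hs[pos]                    # legacy_session_id_echo
    pos += 2 + 1                          # cipher_suite, legacy_compression_method
    ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos < end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
        pos += 4
        if etype == KEY_SHARE:
            group, klen = struct.unpack(">HH", hs[pos:pos + 4])
            return group, hs[pos + 4:pos + 4 + klen]
        pos += elen
    raise ValueError("ServerHello has no key_share extension")

def find_reused_key_shares(records: list[bytes]) -> dict[bytes, list[int]]:
    """Map each key_exchange value used in more than one handshake to the handshake indices."""
    seen = defaultdict(list)
    for i, rec in enumerate(records):
        group, kex = server_key_share(rec)
        seen[(group, kex)].append(i)
    return {kex: idxs for (group, kex), idxs in seen.items() if len(idxs) > 1}
```

A non-empty result means the server handed out the same (EC)DH public value to different clients, which is the reuse the proposed MUST would forbid.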