[TLS] Re: [TLS]Working Group Last Call for "Hybrid key exchange in TLS 1.3"

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 01 September 2024 22:13 UTC

Message-ID: <da5d12d4-e2a9-49b5-9a6a-cafc16611953@cs.tcd.ie>
Date: Sun, 01 Sep 2024 23:12:59 +0100
User-Agent: Mozilla Thunderbird
To: Douglas Stebila <dstebila@gmail.com>
References: <CAFR824wCMcyF1szc76P+4i8LKv2-d1ciHWRMFFmZ8hpi=1PHtA@mail.gmail.com> <ffb33944-00e8-46e2-93d5-e5dd14d457af@cs.tcd.ie> <6F7D3FC5-1875-4C7B-AEB8-5FBFAAA6B41C@gmail.com>
Content-Language: en-US
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <6F7D3FC5-1875-4C7B-AEB8-5FBFAAA6B41C@gmail.com>
CC: "TLS@ietf.org" <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1fmRLy_b-nRVfX77R3oZnvwyTdY>

Hiya,

On 9/1/24 22:04, Douglas Stebila wrote:
>> On Sep 1, 2024, at 10:47 AM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>> 
>> Section 3.2 says there are two allowed ways to handle the same 
>> component algs being used in multiple key shares. However, doesn't
>> ECH mean that additional possibilities exist? What should a client
>> do in terms of re-use when using ECH?
> 
> That's a good question.  I'm not very familiar with subtleties
> around ECH.  Is there any re-use allowed between ECH and the main
> handshake?

"main" handshake isn't quite the right way of describing
things - whether the client's inner or outer CH turns out
to be the one used for the session depends on whether the
ECH decryption has worked or not.

But in any case, it's relatively undefined in ECH, which
says:

"
    Repeating large extensions, such as "key_share" with post-quantum
    algorithms, between ClientHelloInner and ClientHelloOuter can lead to
    excessive size.  To reduce the size impact, the client MAY substitute
    extensions which it knows will be duplicated in ClientHelloOuter.
"

I forget what browsers do now, (can test if useful), but
IIRC it can vary between sending new key shares in the inner
CH vs. having the inner CH also use the key shares from the
outer. I'd not be surprised if the incentive to re-use the
outer CH key shares was more pressing in this situation. The
ECH code I'm trying to upstream to OpenSSL allows any of the
possibilities as of now (esp. on the server side), but that
code hasn't been upstreamed yet, so if we decide to be more
prescriptive/restrictive, that'd be ok from my POV anyway.

There's also a related issue about what sets of ECHConfig
values to publish/use for ECH, if one wants to see the same
level of record-now-decrypt-later protection for the ECH
encryption and the TLS handshake.

All in all, I'd say this maybe warrants a bit of discussion,
but I'd say it shouldn't be too hard to figure a good answer
and what words to use. (I don't have a set of words to offer
now, sorry;-)

Cheers,
S.
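
As an added illustration (not part of the original message, and not OpenSSL's or any browser's code), the sketch below shows the substitution the quoted ECH text describes, using the ECH specification's ech_outer_extensions reference: an inner ClientHello that re-uses the outer key share shrinks to a few bytes, while a fresh inner share repeats the full hybrid share. Extensions are modelled as (type, data) pairs; the helper names, hostnames and random stand-in key shares are constructed for the example.

```python
import os
import struct

KEY_SHARE, SERVER_NAME, ECH, ECH_OUTER_EXTENSIONS = 0x0033, 0x0000, 0xFE0D, 0xFD00
HYBRID_GROUP = 0x11EC  # X25519MLKEM768: 1184-byte ML-KEM key + 32-byte X25519 share

def wire_size(exts):
    """Bytes on the wire: each extension is type(2) || length(2) || data."""
    return sum(4 + len(data) for _, data in exts)

def key_share(group, share):
    """key_share body with one KeyShareEntry: list_len(2) group(2) len(2) share."""
    entry = struct.pack("!HH", group, len(share)) + share
    return struct.pack("!H", len(entry)) + entry

def compress_inner(inner, outer, candidates):
    """Client: swap inner extensions that are byte-identical in the outer CH for one reference."""
    outer_map = dict(outer)
    refs = [t for t, d in inner if t in candidates and outer_map.get(t) == d]
    out = []
    for t, d in inner:
        if t not in refs:
            out.append((t, d))
        elif t == refs[0]:  # the reference sits where the first removed extension was
            body = bytes([2 * len(refs)]) + b"".join(struct.pack("!H", r) for r in refs)
            out.append((ECH_OUTER_EXTENSIONS, body))  # 1-byte length, then 2-byte types
    return out

def expand_inner(encoded, outer):
    """Server: rebuild the inner list, copying referenced extensions from the outer CH."""
    out, pos = [], 0
    for t, d in encoded:
        if t != ECH_OUTER_EXTENSIONS:
            out.append((t, d))
            continue
        for (ref,) in struct.iter_unpack("!H", d[1:1 + d[0]]):
            while pos < len(outer) and outer[pos][0] != ref:  # forward scan only
                pos += 1
            if ref == ECH or pos == len(outer):  # ECH itself or a missing extension
                raise ValueError("illegal_parameter")
            out.append(outer[pos])
            pos += 1
    return out

# Constructed sample: opaque stand-in bytes, not real key shares or ECH payloads.
shared = key_share(HYBRID_GROUP, os.urandom(1216))
outer = [(SERVER_NAME, b"public.example"), (KEY_SHARE, shared), (ECH, os.urandom(64))]
inner_reuse = [(SERVER_NAME, b"secret.example"), (KEY_SHARE, shared)]
inner_fresh = [(SERVER_NAME, b"secret.example"), (KEY_SHARE, key_share(HYBRID_GROUP, os.urandom(1216)))]
```

With these inputs the re-using inner extension list drops from 1244 bytes to 25 once compressed, whereas the fresh-share list cannot be compressed at all, which is the size incentive towards re-use mentioned above.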