[TLS] Feedback on draft-tschofenig-tls-extended-key-update-01
Dennis Jackson <ietf@dennis-jackson.uk> Mon, 18 March 2024 16:37 UTC
Return-Path: <ietf@dennis-jackson.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6188CC18DBB3 for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 09:37:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dennis-jackson.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7zw5E2vpjFDW for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 09:37:40 -0700 (PDT)
Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [80.241.56.151]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6649C15198B for <tls@ietf.org>; Mon, 18 Mar 2024 09:37:38 -0700 (PDT)
Received: from smtp102.mailbox.org (smtp102.mailbox.org [IPv6:2001:67c:2050:b231:465::102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4Tz0rX4vtkz9snf for <tls@ietf.org>; Mon, 18 Mar 2024 17:37:32 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dennis-jackson.uk; s=MBO0001; t=1710779852; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=b11NIU9ygw6EOpc6pGRGulcdABJNvx9YVHLXYlZ/PxU=; b=XwCq0NvOEPoulhdV1i9f/wES86H2pN4fiqC50uTHOIwjJ/E0v+dUqQLzHAsNkC79/3gir+ 6rrZXmIcH+8NJHTDyfwrA7ydSuvdBuedRbKcOZSn1E4aQoUfDMcW6QRWQcUBfC0ixr3EEO +A1qy4ztWFbmYSpdHVgqt7TZ/Sh+hoMfqaISlaFJ1pyUGnsdWioqpCh/UC1dfHYsYdZ0bZ eLKve6iDJf8+u2CUPbn+r3qJXaOd5QgJDwPjH4c64jXinYdnQW8xRGcGce9WiFApoaNlGA fOIo3pRRbDXapr4Y2CyhRiXd+vIB029gpmDokczD4YtgwK69Cjhrvo2i4DfBLA==
Message-ID: <309fed03-fd3b-4ebc-ac92-054c2d195aff@dennis-jackson.uk>
Date: Mon, 18 Mar 2024 16:37:31 +0000
MIME-Version: 1.0
Content-Language: en-US
From: Dennis Jackson <ietf@dennis-jackson.uk>
To: TLS List <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 4Tz0rX4vtkz9snf
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3a9ZFqmYUjWCgnUWAECZT41rdXo>
Subject: [TLS] Feedback on draft-tschofenig-tls-extended-key-update-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 16:37:45 -0000
A new version of this draft was published a few weeks ago with an entirely new design. Unless I missed it, the new version hasn't yet been discussed on the TLS list and I was unaware of the changes until I came to prepare for the meeting. I have quite a few concerns - I'm sorry to bring them up so close to the meeting. Firstly, the draft as specified does not achieve the claimed security goal: > Security Considerations: > > To perform public key encryption the sender needs to have access to > the public key of the recipient. This document makes the assumption > that the public key in the exchanged end-entity certificate can be > used with the HPKE KEM. The use of HPKE, and the recipients long-term > public key, in the ephemeral-static Diffie-Hellman exchange provides > perfect forward secrecy of the ongoing connection and demonstrates > possession of the long-term secret key. An ephemeral-static Diffie-Hellman exchange does not provide forward secrecy. If the attacker can compromise the endpoint with the static public key, they can decrypt all previously transmitted ciphertexts to this peer and so recover all past keys, violating forward secrecy. This wasn't an issue in the old draft where ephemeral-ephemeral DH exchanges were used. Secondly, I think there is some confusion about what forward secrecy is. Forward secrecy means that compromise in the future will not enable the decryption of past messages. The existing KeyUpdate mechanism in TLS1.3 achieves forward secrecy by ratcheting forwards the used keys and throwing away the old ones. So no changes are required to TLS1.3 to enjoy forward secrecy in long-lived connections, just do the existing key update and be sure to throw away the old keys correctly. > Introduction: > > If a traffic secret (referred as application_traffic_secret_N) has > been compromised, an attacker can passively eavesdrop on all future > data sent on the connection, including data encrypted with > application_traffic_secret_N+1, application_traffic_secret_N+2, etc. This is not forward secrecy but post-compromise security (PCS) [1] (sometimes called Backwards Secrecy as it is the complement of Forward Secrecy). As the draft identifies, a fresh key exchange is needed to ensure PCS. However, as mentioned earlier in the PFS case, this key exchange needs to be with freshly generated ephemeral keys. It does no good to use an existing static key since the attacker might have already compromised it. Finally, I'm really not sure about the decision to mix the TLS and Application layers by having the application carry the HPKE ciphertexts. This seems rather complex and likely to go wrong. The original version of this draft where the key exchange was carried in the extended key update message seems much simpler to implement and easier to analyse. If the authors do want to go with some kind of application specific key exchange, I would suggest rethinking this draft as purely a way to bring entropy into the TLS1.3 key exchange, a TLS1.3 Key Importer if you will. This would work by having the application to signal to the TLS1.3 layer that a key was ready to be imported (with a particular key-id and key material). The TLS library would communicate this to the peer with a message similar to the one currently defined in the draft carrying the key-id. The new key material would be mixed to the current secret in when the peer confirmed it had also been passed the key id and material by its application. The details about some kind of application layer key exchange would then need to go in a different document and use ephemeral-ephemeral exchange as highlighted. Given the complexities around the use of middleboxes which may not be available to the peers, it might be necessary to use an exported authenticator so the applications could confirm they were sharing a single TLS connection and not two duct-taped together (which would be unable to successfully import new keys). This seems like a like of complexity compared to the initial draft. Best, Dennis [1] https://eprint.iacr.org/2016/221.pdf
- [TLS] Feedback on draft-tschofenig-tls-extended-k… Dennis Jackson
- Re: [TLS] Feedback on draft-tschofenig-tls-extend… John Mattsson
- Re: [TLS] Feedback on draft-tschofenig-tls-extend… Ilari Liusvaara