[TLS] Re: Security Concern in TLS 1.3 and OpenSSL Implementation

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Thu, 20 November 2025 10:41 UTC

Message-ID: <e8c85f81-3b07-4003-a05e-7265329d45ff@tu-dresden.de>
Date: Thu, 20 Nov 2025 11:41:08 +0100
To: "H.Rafiee" <ietf@rozanak.com>, Thom Wiggers <thom@thomwiggers.nl>
References: <7f563479-c1ac-4678-9d96-f8a0d8fb0e69@rozanak.com> <a649b086-9c38-4e06-bf06-0b5f57e0e9cb@tu-dresden.de> <b77d26df-0a68-423e-b4d7-651b1421e9a7@rozanak.com> <D2E3DD93-67F9-4A5D-B409-1483995AB27F@thomwiggers.nl> <99bbfbc8-673a-4e5f-ae8e-46008984e6c5@tu-dresden.de> <35FEF57D-52FE-484C-AB86-DCFDC676BEC3@thomwiggers.nl> <1c145c54-a006-48b7-9f97-3649305f5794@tu-dresden.de> <CE11817C-14AD-4121-B6AF-9C7BAEF721F6@thomwiggers.nl> <8a98a602-836e-419e-9647-fd8ed35d8035@tu-dresden.de> <f7d9d248-99f2-4f2a-8abe-0210e7af1323@rozanak.com>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <f7d9d248-99f2-4f2a-8abe-0210e7af1323@rozanak.com>
CC: tls@ietf.org
Subject: [TLS] Re: Security Concern in TLS 1.3 and OpenSSL Implementation
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4gpN6vydTewehM-8VPY0nEPZjj8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

Hi Hosnieh,

On 20.11.25 10:48, H.Rafiee wrote:
>
> Before making any judgments, I kindly ask that you review my earlier 
> messages where I shared the exact key names I was concerned about.
>
Each one of your emails has problems in key names that I have 
highlighted in responses to each email, e.g., [0,1].

You were repeatedly referred to [2] to understand how the key schedule 
in TLS 1.3 works. I haven't seen any evidence in the interaction that 
you have even skimmed that. For example, the very first figure there 
clearly shows PSK and Main Secret as two separate keys, and you were, 
until your last email, still conflating PSK and Main Secret.

> My intention was only to raise a valid security concern regarding a 
> possible attack.
>
Calling it "valid" without proper justification is just illogical to me. 
I (and Thom) have tried to clarify to you that your concern is not valid, 
but rather a misunderstanding of the key schedule and the guarantees that 
a PSK-based handshake provides.
>
> Unfortunately, instead of addressing it in detail, it was treated as 
> if I were spamming.
>
How much more "detail" do you expect than [0,1], for example? You were 
referred to [2], which has full details of the key schedule. I am curious to 
know which "detail" is missing in [2].
>
> I regret that our communication has left me feeling disappointed.
>
There is nothing to be disappointed about. You were welcomed in [1] to submit 
an Internet-Draft with a better proposal for the key schedule that the WG 
can then discuss.
>
> I had hoped for more openness to different perspectives, but I 
> understand your approach.
>
Same as above.

-Usama

[0] https://mailarchive.ietf.org/arch/msg/tls/17zIQeq9mE0TUXQip1OSTg_l_pg/

[1] https://mailarchive.ietf.org/arch/msg/tls/A3cljbCAYzBPk7vE2qm-iyxi14M/

[2] https://www.researchgate.net/publication/396245726_Perspicuity_of_Attestation_Mechanisms_in_Confidential_Computing_Validation_of_TLS_13_Key_Schedule