[TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt
John Mattsson <john.mattsson@ericsson.com> Sun, 09 March 2025 14:03 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt
Date: Sun, 09 Mar 2025 14:02:55 +0000
Message-ID: <GVXPR07MB9678BFF2F2284DEDCC6B6AF989D72@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <GVXPR07MB9678E29CF1D00E59164EB89089D72@GVXPR07MB9678.eurprd07.prod.outlook.com> <Z82aAuvLY1tiDxbQ@chardros.imrryr.org>
In-Reply-To: <Z82aAuvLY1tiDxbQ@chardros.imrryr.org>
Salz, Rich wrote:
>I am curious why this is worse than, say, knowing that the server reports SSLKEYLOGFILE into a public
>S3 bucket or similar? And do you think a real adversary would self-report that they are using
>ephemeral keys?

I was comparing these three options:

A. Key shares being reused without any signaling to the other peer.
B. Signaling that the key share is reused (similar to draft-rhrd-tls-tls13-visibility).
C. Two different code points. One forbidding reuse and one allowing reuse (similar to TLS_ECDHE_ECDSA vs. TLS_ECDH_ECDSA).

Of these three, I think A is the worst. Of course making all session keys public would be worse, but SSLKEYLOGFILE forbids any use in production systems.

Viktor Dukhovni wrote:
>However, you'll be thrilled to learn that it is not possible for a TLS
>server to reuse its ML-KEM keyshare when a client uses a fresh ephemeral
>ML-KEM keyshare.

Yes, that solves half the problem, but I would also like my servers to not talk to clients reusing key shares with other servers.

Cheers,
John

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Date: Sunday, 9 March 2025 at 14:39
To: tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: FW: I-D Action: draft-kwiatkowski-tls-ecdhe-mlkem-03.txt

On Sun, Mar 09, 2025 at 12:33:38PM +0000, John Mattsson wrote:

> I find the current situation of key shares being reused without the
> other peer knowing unacceptable and frankly the worst possible option.

In general terms, your expectations are unrealistic; the best you can do, if you think you're in a position to influence remote server behaviour, rather than just take an ineffective principled stand, is detect a duplicate keyshare from a previous connection and abort.

However, you'll be thrilled to learn that it is not possible for a TLS server to reuse its ML-KEM keyshare when a client uses a fresh ephemeral ML-KEM keyshare.

TLS servers don't have ML-KEM keys, they just perform encapsulation against the client's public key, so there's nothing for the server to reuse (KEMs aren't (EC)DH key exchange). So while the X25519 portion of the server's key could be reused, the ML-KEM portion will not be.

-- 
Viktor.
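An added example, not from the thread, of the "detect a duplicate keyshare from a previous connection and abort" check Viktor suggests, applied to the X25519MLKEM768 server key_share of draft-kwiatkowski-tls-ecdhe-mlkem. The share layout (ML-KEM-768 ciphertext, then X25519 share) is taken from the draft; the server names and byte strings are constructed, and only the X25519 half can legitimately repeat, since the ML-KEM half is an encapsulation against the client's fresh key.

```python
"""Client-side detection of server key-share reuse for X25519MLKEM768.

Server key_share = ML-KEM-768 ciphertext (1088 bytes) || X25519 share (32 bytes).
A repeated X25519 half means the server is not using a fresh ephemeral share.
A repeated ML-KEM ciphertext cannot happen against a fresh client encapsulation
key, so it indicates a replay or a broken peer rather than ordinary reuse.
"""
import os
from collections import defaultdict

MLKEM768_CIPHERTEXT_LEN = 1088
X25519_SHARE_LEN = 32
SERVER_SHARE_LEN = MLKEM768_CIPHERTEXT_LEN + X25519_SHARE_LEN  # 1120 bytes


def split_server_share(share: bytes) -> tuple[bytes, bytes]:
    """Return (mlkem_ciphertext, x25519_share); reject malformed lengths."""
    if len(share) != SERVER_SHARE_LEN:
        raise ValueError(f"expected {SERVER_SHARE_LEN}-byte share, got {len(share)}")
    return share[:MLKEM768_CIPHERTEXT_LEN], share[MLKEM768_CIPHERTEXT_LEN:]


class KeyShareReuseDetector:
    """Remembers the halves each server has sent and flags repeats."""

    def __init__(self) -> None:
        self._seen = defaultdict(lambda: {"mlkem": set(), "x25519": set()})

    def check(self, server_name: str, share: bytes) -> str:
        ct, x25519 = split_server_share(share)
        hist = self._seen[server_name]
        verdict = "fresh"
        if ct in hist["mlkem"]:
            verdict = "mlkem-ciphertext-repeated"  # should be impossible; abort
        elif x25519 in hist["x25519"]:
            verdict = "x25519-reused"  # server reusing its ECDH share; abort
        hist["mlkem"].add(ct)
        hist["x25519"].add(x25519)
        return verdict


def demo() -> list[str]:
    """Constructed run: random bytes stand in for real ciphertexts and shares."""
    det = KeyShareReuseDetector()
    ct1, ct2, ct3 = (os.urandom(MLKEM768_CIPHERTEXT_LEN) for _ in range(3))
    ecdh_a, ecdh_b, ecdh_c = (os.urandom(X25519_SHARE_LEN) for _ in range(3))
    return [
        det.check("example.net", ct1 + ecdh_a),  # first connection
        det.check("example.net", ct2 + ecdh_a),  # new ML-KEM half, same X25519 half
        det.check("example.net", ct3 + ecdh_b),  # both halves new
        det.check("example.net", ct1 + ecdh_c),  # replayed ciphertext
    ]
```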