IETF Logo Mail Archive

[TLS] Re: Disallowing reuse of ephemeral keys

Eric Rescorla <ekr@rtfm.com> Fri, 13 December 2024 00:18 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34A94C1CAE9F for <tls@ietfa.amsl.com>; Thu, 12 Dec 2024 16:18:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dWaYXvm5h4w0 for <tls@ietfa.amsl.com>; Thu, 12 Dec 2024 16:18:25 -0800 (PST)
Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 996D8C1840D9 for <tls@ietf.org>; Thu, 12 Dec 2024 16:18:25 -0800 (PST)
Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-6efe4e3d698so9774987b3.0 for <tls@ietf.org>; Thu, 12 Dec 2024 16:18:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1734049104; x=1734653904; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=paoql+vQOhxX0QmG8OuSKqWkIoQMb9e8m6TdlHWPTpg=; b=djxzp8IhRDQ++hxInpIAu5czpBTyzJKePF+xL70vmQaQD+8AhUEc9pBfp+oh7R0Ajz UrkX9eO6xBnQ1wx/CGYGBqNhXH7QzA+iIAtvhDYq6nUurbnKYVL87+Pex7GfKEYGSl9W rsR3sAfIsJvFKC/63jUSTtcYgpGOMK44/0PNpgYXC4Yi+ACm5cx48xPPEiVSBi0UVq2I C3cJdFmvVfStSeabE442KaSOLZXirKGULeCYqx1ywbnkWr8kCR7e/0RbhsjcWEcPeomN wSl1/CAUQ4994ukfm0nM66fViBMuKXgpoRqMaLdNM4IGBGCNVEJybIwcXwusIxIklv73 H6Ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734049104; x=1734653904; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=paoql+vQOhxX0QmG8OuSKqWkIoQMb9e8m6TdlHWPTpg=; b=Clz7dD3X719S132wtvIo2lanL2FHa/HXLPsriB1u7K3ZY5JW9TfIRH5hzANU+W41lG f63K2ri/3xUTfcJ41Iq4+Psl5R/Pjet94irVbPg7721kxJt0+gKZy3FoCtlTFI26+V32 2hBB+6i1INJkexm18eccNox1oLQN2mfCiaHPXqPFwF7fqOWrJGVIreW1o4uOhUtauQYS QmhXUKQj47WS3VAV1nuVVPk1hZ2arhZrDJEzeUTaOEm9Li9T+YY/gyd11MWFd0YmPRfL +3A6sYzOyR5FgN+lFAWlEdlAYW9WmxHx52CD5C5cFXnS0esg46IaIaMZwD/5d/1afpRL n5Ig==
X-Forwarded-Encrypted: i=1; AJvYcCV8ptJOof5+AZ3xQZNQuxOo9U7LySpBMh7uE5ftHGzcSDmCWiVJmdjGsWxAVx2Cc692et8=@ietf.org
X-Gm-Message-State: AOJu0YyNPtvEbZOZOakk2dsi5uu8VjrsqqzBAEfNJFFvP0ZArhQqlg+U NOgA2hENslmdjUZn5yD18zytaaEoyHOeNT4BLQxXR2tfFPlCmCPCar2Ih6CPLbLYsRNGcsrs5tY pjkawuB5g32VApvIvfSIlZ9UUYuBzumquPUjFpj5gaeUnioULu+Y=
X-Gm-Gg: ASbGncuLONID0GeJk78ojTT8sUjh6SnDLuknvBXsTVhwEwB/MsKKqi0/BHKpM751LZY 8UeGV+NGITf2CFLNZXnQWmZeIuoVzYDffUu2dkQ==
X-Google-Smtp-Source: AGHT+IFwrCqpRb/keNGUWt/EeuNZo12xoUZ47RL6FtbQg+S67Fq+BLVrhpGEzf19DEjGonyh4touyVOba0IouoLzeYQ=
X-Received: by 2002:a05:690c:f11:b0:6e2:43ea:552 with SMTP id 00721157ae682-6f279af3b89mr7397537b3.16.1734049104421; Thu, 12 Dec 2024 16:18:24 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoCHnXZzzoAFT8GGmByr=7y1j5wM3ptPc4_JBF3FhtVNmQ@mail.gmail.com> <bf28dd19-0534-4403-8e20-50bcbbc0fcdd@app.fastmail.com> <CAL02cgQ9610CzMfcJEPcfpDRemyvAh3-AEH=GZbmV4QdWtQCXA@mail.gmail.com>
In-Reply-To: <CAL02cgQ9610CzMfcJEPcfpDRemyvAh3-AEH=GZbmV4QdWtQCXA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 12 Dec 2024 16:17:48 -0800
Message-ID: <CABcZeBNCbm0vUBA0c6i_7DzqwynbUj-SyDHEomHn0WCv4w3ZnQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="000000000000e47e8a06291bc4a3"
Message-ID-Hash: OMSUSE5GBISBHBEPFH673HIE2VMMDSSZ
X-Message-ID-Hash: OMSUSE5GBISBHBEPFH673HIE2VMMDSSZ
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Disallowing reuse of ephemeral keys
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ARubSqtdg9gJf0sPI7B9-6lTZOk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I agree with Richard about the ordering.

I think validation presents a distinct question: I don't think we should
require validation, as it is extra work for the peer and may not be
practical. If there are significant implementations which do reuse, then we
should discourage or forbid validation for now [0] to avoid breakage and
then later we can allow it. If there are no such implementations, then I
think we can allow and/or encourage validation.

-Ekr


[0] This might be a reason to distinguish between existing and new cipher
suites.

On Thu, Dec 12, 2024 at 10:01 AM Richard Barnes <rlb@ipv.sx> wrote:

> My preference order would be 3 > 1 >> 2.
>
> 3 seems like it encodes the expectation of most people for what the
> protocol means.  If you're using a cipher suite labeled something like
> "ECDHE", it's reasonable to expect that it's actually ephemeral, i.e., that
> there's not key material hanging around afterward that could compromise the
> session.  Allowing key reuse (even tacitly) allows one side to silently
> violate that invariant.  I'm not worried about backward compat, since (a)
> it's wire compatible, and (b) any change here will be a separate RFC, so
> people who care about validating can ask specifically "do you comply with
> RFC XXXX"?
>
> 1 would be the next most plausible fallback, on the general principle that
> IETF specifications define externally visible behavior, and this is not.
>
> We should not do 2 because as Filippo says, there's no technical reason
> for it.
>
>
>
> On Thu, Dec 12, 2024 at 12:54 PM Filippo Valsorda <filippo@ml.filippo.io>
> wrote:
>
>> I support some variation of 2 or 3, depending on what encounters the most
>> resistance. I agree there is no technical reason to disallow it for e.g.
>> X25519MLKEM768 and not X25519, but in practice it might be easier to set a
>> new rule for something that's still being rolled out and still a draft.
>>
>> Both ECDH and KEMs support key share (or public key) reuse *in theory*
>> but in practice it makes implementation issues much more likely to be
>> practically exploitable, and the hypothetical performance gain of reuse is
>> marginal. The spec should defend against that and point implementations
>> towards the safer course of action.
>>
>> As always, there is no protocol police, so implementations that want to
>> risk shooting their foot off will be able to do so, but they will be
>> off-spec, which is a useful signal.
>> _______________________________________________
>> TLS mailing list -- tls@ietf.org
>> To unsubscribe send an email to tls-leave@ietf.org
>>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.30.2 | Report a Bug | By Email | System Status