IETF Logo Mail Archive

[TLS] Re: [EXTERNAL] Re: Disallowing reuse of ephemeral keys

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 16 December 2024 19:45 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FFCFC14F738 for <tls@ietfa.amsl.com>; Mon, 16 Dec 2024 11:45:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.252
X-Spam-Level:
X-Spam-Status: No, score=-2.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ou3D6ntQH-iW for <tls@ietfa.amsl.com>; Mon, 16 Dec 2024 11:45:42 -0800 (PST)
Received: from CY7PR03CU001.outbound.protection.outlook.com (mail-westcentralusazon11022111.outbound.protection.outlook.com [40.93.200.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BB81C14F6BA for <tls@ietf.org>; Mon, 16 Dec 2024 11:45:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=C3a9pa6Gq8Ooj/D7SIrbwUNF5DYq1U/AIdpusyN3iO5D4XJ5aA1ZEh2g2uQXok5gitraZzVXlZ6jVcf4q+bSMpSJa+qHbbgJkPnmSQttaaGJbr3A/CiG6/SLyvWxpaUtC6mZqNNq53dHuxQDMy/F2BlpqcPVOAQp1lar9QrN5DYeG7eLO6uSpxqC0PfCg2wJCf1K6J+FcnW4iFzSIEDZLspimbUr0TEvvaaKHPChsi6gkd88+owIXbgUMAGbJ0xZO6tw9yC50zET1cyAUWuXVUDoY872xJkXdAVZGvN9oooOxUidnocvKmmc72orZrgOoGFJPJH/o0YfGKwRAcbU1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ICKFg16wQ+QSDAVhEFgQGNXx9O2eC9W+bj2tduqQKP4=; b=ivr+5XFSjPdJmiPublpgWj912P/Djy0StvpOhxh+olKyiUrUomPRQdh3J4QWrOrf65Ul4NwKpxevUFTCJGZqdyK/IMvxf22G4Kgf77rEHRNV4BHZzCz/zchFlE2XWCxNIBxDoV5MOtH846jbpetahuuFO1rW5I/Ns/YHX+UdnFoM41sXy9UG/5e7DU69fgrJ87zVVJ4oCoyJTjqTxPCFS+s7Uxg+gAurnQtv0gsl4pEqY5G6zIpLplhQWqMrom/oFaU6Q9OPkpsmHUMyH/NnGIEIzOTgonO5fvUO3I0uTc4qwjhLttmBfY5G6uTVZFBo+fwpYf6nJz3nAY5SF+Wnrg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ICKFg16wQ+QSDAVhEFgQGNXx9O2eC9W+bj2tduqQKP4=; b=HSXFbvRwy2pPDrmykBiuqJOltU1KD30MRqIhUsvOqirassXmVcPq4tZ1dpMTsjIb3AHH684O9EkflNIPJkHQNtuDQkUvSlbnGngBH9XNN8sTf0E+eiZd1NrBKW+zRp5j1AZiptUeQSSzV3KBuw/yGi/iX+DARmGgUeo8y0K4hB4=
Received: from LV8PR21MB4158.namprd21.prod.outlook.com (2603:10b6:408:268::11) by LV2PR21MB3157.namprd21.prod.outlook.com (2603:10b6:408:175::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8272.12; Mon, 16 Dec 2024 19:45:40 +0000
Received: from LV8PR21MB4158.namprd21.prod.outlook.com ([fe80::102d:8d6b:5022:9d9f]) by LV8PR21MB4158.namprd21.prod.outlook.com ([fe80::102d:8d6b:5022:9d9f%4]) with mapi id 15.20.8272.005; Mon, 16 Dec 2024 19:45:40 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [EXTERNAL] [TLS] Re: Disallowing reuse of ephemeral keys
Thread-Index: AQHbTL7/Fb3V+Z3NBEexRdB2sBkoMbLi5c6AgABplACAAAFVAIAAAHPwgAWsdYCAAE4sQA==
Date: Mon, 16 Dec 2024 19:45:40 +0000
Message-ID: <LV8PR21MB4158D3290D1745901AFD7F468C3B2@LV8PR21MB4158.namprd21.prod.outlook.com>
References: <CAOgPGoCHnXZzzoAFT8GGmByr=7y1j5wM3ptPc4_JBF3FhtVNmQ@mail.gmail.com> <bf28dd19-0534-4403-8e20-50bcbbc0fcdd@app.fastmail.com> <CAL02cgQ9610CzMfcJEPcfpDRemyvAh3-AEH=GZbmV4QdWtQCXA@mail.gmail.com> <CABcZeBNCbm0vUBA0c6i_7DzqwynbUj-SyDHEomHn0WCv4w3ZnQ@mail.gmail.com> <CAL02cgQP24OSjQJuY7Hcx+CXdG_B7LpZD-g2HjV_oJZ0nNrU4w@mail.gmail.com> <LV8PR21MB41582033BDB237242E313C7C8C382@LV8PR21MB4158.namprd21.prod.outlook.com> <CABcZeBPLcVXk_xxRC8A1PsobEr69yL7NON0qWLc-kKGmP=LRJw@mail.gmail.com>
In-Reply-To: <CABcZeBPLcVXk_xxRC8A1PsobEr69yL7NON0qWLc-kKGmP=LRJw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=8a7fb9c3-c02c-4bcf-9cfa-1d261524ba9a;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2024-12-16T19:42:29Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LV8PR21MB4158:EE_|LV2PR21MB3157:EE_
x-ms-office365-filtering-correlation-id: 796bfed2-553f-429b-bddc-08dd1e0a387b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|4022899009|1800799024|376014|366016|8096899003|7053199007|38070700018;
x-microsoft-antispam-message-info: KDClzxgw66hg3hFXrF6t4d1aXx2oszHP2zfQ46ZO1JrXTaBRArehPHnTjeu6BfubHaYl75ryZDaUPDAtv984YFzuZ4dkkw5xR4Oa4Q8VH2+3Le3jYQpGUDCZ1Y2gqhr05x8xGCg0qCP5R+h3Le24lUYv0tdQCFdiCne0NLYK0dXsHzsZQtgR/V4k9xVMXKZji+r+LcBlNPCHIkfnQRx9BoY6GVaM6M9rNieZj5V5HvsmPcDLJqgO6UO7jJ0zHuUrOWgFkJwDIF4iWHMjTPTOZinE7LGVo0POhaCQVts/VBzTL86D04zemw5RPWglP0Zb/oeWvtxEo+pcPAQ5yI2l+SyNW5MTgXQa+nWiccQRkBLLxMJS7Z/uJDONnEsafQ8yViKMr/8nwLDKC+2+eVP1Y0Ci5FDSncdirdtA6Va6R/LhHAyHwaDWV781YNUDxBzHOPGaSt2gvRVg9bvpPtIyOUjFE5VgKIVFOCLcMIewttGdjcDGJhbvjZEBWnryXEB/8OjpSc4je6LvS6XJ8B8Di4u5TTCzamrqecD8LgZFxWPTa/5MLnAginCiW0OeJXwids/dt9KWsRQQmC9AcKhXBs8T/tRaB+508SEW5YhDQHUWOPeY+XvMI2BN4gGuUmv7KPhyX7gkrsHb+iLgUKWEprqOySFmmHz81JlRG8zsAKJ36rPXH4SAitLr+tsr015FmnbM4zGmMK9m9E8ntFqawfSO1HlU/nEAd8t59ZIhLGwywAqAMGq4GYBOc4/pdf+djqXvjH/zvmbYZ2Y7FNmkX14nDxjN0ZagSLu7tPwM2oumzJd2l5JYugh8NiuftJ++y11KtEZSj+Iq1ksgbdBMc7dVWYM+v/qL2WAHvJMDCiBMRE/Vg+BFzGqtxGxySjbz1RjS0EJZvWkyi/FLAfHxw7N2ayz8Vi7JPMX89owjff22h+ljejZlztKaVBFdcC1h1hsjHYNNhJnHCfIlO0hSRTnGaUJl5Phyu1ACVEB29/jbipHz9lc2pO3i8/771t5ub+72KrSyTSqyF8VYR7KHQYYpIW9yBBiQKnJd0suxC2EqWqW0LohD1HNG1FgVnHSEJseRoD39GmXbQJSz08v6j3aWw+vM+8hUqK9O3DzrH6PCJ3OP8w6hRA7BazdiSjlsq+7lKf1mKwFO8SlTjl/9RYzbxz4dNxiZB/e9R5Zvd4omlfTGTMTLtIr1hyOTCIXJ56z4oF2G+xl/qSvkwaO/O9DLXggyRc8kOG11UmUT0JSylHFdOr9ptt1f2o7835PVN4cfjkRbxHPAZ8DdZYNP196ERyXh52p7SwE4GBtx61CWMH/U4m80EfnLmIJ7Obdn6V5JNcLzbRsyBQjbaU2YizOb11ZAl712AO15vQsCKqB/gRdOFDxBAgQWltE4mw+Bxkde6Re0rKk5GINEAaJ7p/ol2mCWf54FTUyWZNtj4kY5wIHXY9SSaG1UwE26yun2
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:LV8PR21MB4158.namprd21.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(4022899009)(1800799024)(376014)(366016)(8096899003)(7053199007)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: VI8jSwWF85XWZfm7VMyYYr8FrWpu5DVtnXe3QOqn8SaosSG0fMnpVgMMzYXj+kwvJZP8OO5htEYWv4Fju7u65ExxjsSedRt98njYBM2NiFxuHE/qOVZOitWd6XCquHk8szO5YnHFWVOMPUVDzs2bkSX7pZ7RtA2Ql2nu8cpdJP0k1kT01RHqqJ8qUAKy0WZlcBGLctwCcPTybuVclShrCN1SbaEvId2a3XhApsaVxTWeGWl24stTbp2ePP9b3iGW2UcRxg9E8x+JtzRERE5ezwl4eWVJ6VRqTib1lhU8qhpMT+dTpQIJdfyyPvrAvr2jUgwDJX/QtBuUStaY4EdghDU/jrb4nKfcS0LL+1uNKgeJ+qKdKteItMXsVuPB2ZCURvidvDYyZdPZ1jX6wj0e1SqKTPD/fE7DZ56Jeoo+qZWhD6FFwzL92UROaMBYankiZfLfB0tNlDaa97Fvg9sgrOuBWVEvS+/SjlwPgBn/J0vEXvxf9mCmezgvD+4czmIxTUNnyFssIrouEDmvBa3SJOKChdHWeHfxQKf4ouW/n/IhoeT9ZbATCIgcB6F0iuLJAv9ZsOJwIbs6QCgXTOw8++TEo2QPcU0k6kWoXNh/w6kdAW4ktdQogkY7Ja51Usg3QL/2jUD90m8z//FilEq6pgQBCL4GF/ZNx4vCdRbu3nOEhFqHNOhoovk7SLdJhHSqhocFj2iTkOJq0Sh1BSs9lJJ1D4AN4GdYfwEh04hao5Fpf6h3Y5z1dsYJ8emUt+Z7G/Bbe2hb2uNtEcDI7oaAK1S3CRk1phoKcEl/LsVNBfsdfyqils+RUU6CGDyyYxJNsOBQJ7IjcE7duxi7/djXnRtHyK1v9spVuYJOC4zvaBVn6uUK9HWFwXHNpeXG0rSFWtCcmicCHcl0okjHjZLUbH4COL3YggKWNTUj2KMbj59t4dqI9Uuezxl/+adfoRHMRyT1C6NFK9c87JT5rMrz+k6820VuLC8J+BQEYOtlWfSbw/k0iHcW31oFaIJ9odYMjIo0/yTshZ/1h34j5id+rCA76dXeuXuNUov2X0srQxpt3AhI5fynlHV1PPFv5p6++5LxeizV91zhZobMBlGfB/oeDswOWONDACkLlPv078QCSJjnXCncA0A98bpKFLfV1YdxQxcaGAGAlSwWBHfOcwA8pTbT9CalRQ1guqWdro9dNcoKaAnPDQLIYxBUwvcm2VMyHCG4drhUQ0WpRuzGCqmSxbdmaiy7xNnW7WC6RP7QEQc5REhQR4tm4B/j3YjewmZDp6R/7lGjR8KbH6TGdUr2U4FlEZCFRvsqx19RuAKGu1XJzqNdq1VjPrTAOlPM1eRY/4Ym9KcF5VHgb0Jedy0BOOJqPVsemm2hSs5tBfY7F/SmuqbFzfZ5+IwGDDBk72rVTQ87Y14bSBHQsQJ+u4gASVTRJLss2y7Y/RmSOyK0XrRUgd4TJkjSXhg98thBvhAuzGX6HpW+uqozm+FSPLh+DrExLaoQ+VkrGp7DzApvO9aXvsA8TeGAVy+HIB+BXwEqVoaGxozfl+v8oE3b66W6it4rnVgUsxD7Jv8QBds4GIezOMyq7YuLVCnx6OWD
Content-Type: multipart/alternative; boundary="_000_LV8PR21MB4158D3290D1745901AFD7F468C3B2LV8PR21MB4158namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LV8PR21MB4158.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 796bfed2-553f-429b-bddc-08dd1e0a387b
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Dec 2024 19:45:40.2247 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jji5J2n+yNV3ZL4fKbD2BFRVFnDavyAcUSIxrLJF+7Np/TzskQH9byRzvNBA5+S7Bo4EsqYlFsWYI6K03MMaqA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV2PR21MB3157
Message-ID-Hash: IIAGOSPNBRCEM2Q7SBWZ7OCGKXRSA4W4
X-Message-ID-Hash: IIAGOSPNBRCEM2Q7SBWZ7OCGKXRSA4W4
X-MailFrom: Andrei.Popov@microsoft.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXTERNAL] Re: Disallowing reuse of ephemeral keys
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AusfqqJLA1oMmg7AIxtbZcSmPBY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Eric,

Ephemeral key reuse in the Windows TLS stack is only done on the sever side, so it does not apply to ML-KEM.
(For hybrids, key reuse only applies to the ECDHE component.)

Cheers,

Andrei

From: Eric Rescorla <ekr@rtfm.com>
Sent: Monday, December 16, 2024 7:03 AM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: Richard Barnes <rlb@ipv.sx>; tls@ietf.org
Subject: Re: [EXTERNAL] [TLS] Re: Disallowing reuse of ephemeral keys

Thanks. It seems like that would imply that Web clients cannot safely enforce a non-reuse requirement even if we had one.

Do you plan to reuse ML-KEM keys as well?  The situation seems to be different because, as Scott observes, it's the client who reaps the benefit.

-Ekr


On Thu, Dec 12, 2024 at 4:29 PM Andrei Popov <Andrei.Popov@microsoft.com<mailto:Andrei.Popov@microsoft.com>> wrote:

  *   If there are significant implementations which do reuse…
By default, servers using Windows TLS stack reuse ECDHE keys for up to 30 sec. Reuse time can be configured or altogether disabled by the system admin. Disabling comes at a significant performance cost (for a busy TLS server).

Cheers,

Andrei

From: Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>>
Sent: Thursday, December 12, 2024 4:23 PM
To: Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>
Cc: tls@ietf.org<mailto:tls@ietf.org>
Subject: [EXTERNAL] [TLS] Re: Disallowing reuse of ephemeral keys

I concur with EKR re: validation.  There's plenty of precedent in IETF specs for requirements that cannot be validated by the remote party, especially when it comes to maintaining security properties.  See, e.g., the ticket deletion requirements in RFC 8446.

--RLB

On Thu, Dec 12, 2024 at 7:18 PM Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:
I agree with Richard about the ordering.

I think validation presents a distinct question: I don't think we should require validation, as it is extra work for the peer and may not be practical. If there are significant implementations which do reuse, then we should discourage or forbid validation for now [0] to avoid breakage and then later we can allow it. If there are no such implementations, then I think we can allow and/or encourage validation.

-Ekr


[0] This might be a reason to distinguish between existing and new cipher suites.

On Thu, Dec 12, 2024 at 10:01 AM Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote:
My preference order would be 3 > 1 >> 2.

3 seems like it encodes the expectation of most people for what the protocol means.  If you're using a cipher suite labeled something like "ECDHE", it's reasonable to expect that it's actually ephemeral, i.e., that there's not key material hanging around afterward that could compromise the session.  Allowing key reuse (even tacitly) allows one side to silently violate that invariant.  I'm not worried about backward compat, since (a) it's wire compatible, and (b) any change here will be a separate RFC, so people who care about validating can ask specifically "do you comply with RFC XXXX"?

1 would be the next most plausible fallback, on the general principle that IETF specifications define externally visible behavior, and this is not.

We should not do 2 because as Filippo says, there's no technical reason for it.



On Thu, Dec 12, 2024 at 12:54 PM Filippo Valsorda <filippo@ml.filippo.io<mailto:filippo@ml.filippo.io>> wrote:
I support some variation of 2 or 3, depending on what encounters the most resistance. I agree there is no technical reason to disallow it for e.g. X25519MLKEM768 and not X25519, but in practice it might be easier to set a new rule for something that's still being rolled out and still a draft.

Both ECDH and KEMs support key share (or public key) reuse in theory but in practice it makes implementation issues much more likely to be practically exploitable, and the hypothetical performance gain of reuse is marginal. The spec should defend against that and point implementations towards the safer course of action.

As always, there is no protocol police, so implementations that want to risk shooting their foot off will be able to do so, but they will be off-spec, which is a useful signal.
_______________________________________________
TLS mailing list -- tls@ietf.org<mailto:tls@ietf.org>
To unsubscribe send an email to tls-leave@ietf.org<mailto:tls-leave@ietf.org>
_______________________________________________
TLS mailing list -- tls@ietf.org<mailto:tls@ietf.org>
To unsubscribe send an email to tls-leave@ietf.org<mailto:tls-leave@ietf.org>

v2.29.0 | Report a Bug | By Email | System Status