IETF Logo Mail Archive

[TLS] Re: [EXTERNAL] Re: Disallowing reuse of ephemeral keys

Eric Rescorla <ekr@rtfm.com> Mon, 16 December 2024 15:03 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23731C151075 for <tls@ietfa.amsl.com>; Mon, 16 Dec 2024 07:03:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gkoQ-hZmcTAI for <tls@ietfa.amsl.com>; Mon, 16 Dec 2024 07:03:21 -0800 (PST)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D71BC14F71B for <tls@ietf.org>; Mon, 16 Dec 2024 07:03:21 -0800 (PST)
Received: by mail-yb1-xb36.google.com with SMTP id 3f1490d57ef6-e3a0acba5feso2993121276.2 for <tls@ietf.org>; Mon, 16 Dec 2024 07:03:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1734361400; x=1734966200; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lrnbKMg+S2Z2boVEaEQT2Vq6qZpnDmzkhv9/RSQ62wk=; b=jBJfZUFoE2fZXRMPdIhQ35ONMlAYBViGB9CoUQVIoyxFwzGmLJwy0+5JGTfK56OYyD 0iitAfTqMgmuNBcfw3vBvhtKqHns09vdp+bWZBTdSYxmG2JMlF19hpkb52mg2v6n9Y7D Cp3QpAIONdjaERnXIwuj7luM/KKmEltdiqBOJV2vDxhsfvwmNv2CdIR1ScC1OKUi4he0 SO9MiJUG9YxlWAVd6i4RCO9mBLErdQOoNU2iEgtx1sIB2y3yO34LOjYkWsJrErgpo/SE D7uiSd/xzKNa818drEE5hkI+A10FXgD+5Cfc3zFJ7A2nbCe/B3pyfsxlE2xIuf14JSk6 pSBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734361400; x=1734966200; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lrnbKMg+S2Z2boVEaEQT2Vq6qZpnDmzkhv9/RSQ62wk=; b=rpMts2QDV3x0eQkrRSNW+/w4I19I2mvIvctchjWKXeaMhbn8jdKmcBpi2G+01NbRVj OkDVOdNbkurXm20SasAS6/0vYokNn182tfsKFvOS7Yox21OMtnfIY1ddSkxuOlRtyAcs qevfp4ozSRfEKp11cDpOGfrmBvWmY2Iv2HxyPVH3YNEjlhCPpPIG0qEYsfNnS1OP3sfb 3IbaWO30BwFm8o0RzDbS/k7yNNeYEURBump+A44VibF4+Qeq+tvOVODUrLUOLbOTBZx9 V52JAFWfAefJ49tERbRwjlCPMiwL8MOwoh8KjHuM6beFUi5eMHTvz+cJ4JmJ37SIxyrX CEug==
X-Forwarded-Encrypted: i=1; AJvYcCWNsOr3lhe7ElyQqirgDYGW6sKCZ14NCFgfHHeq0dW61zRpik1rJuKYIHu0JOXbmdqKbXM=@ietf.org
X-Gm-Message-State: AOJu0Yyym3JIfoRi8VDW45DtU2xco0/kUQ5i4zZccSu0lV3b49SLfOAV cR+/ldG7m/OsBQLBBc0v19kCuwa6v4kxiPIR7zTlguGbrygjNO8DradJ6BFjNsvVOBrKmeYWx1E fm6sRkn1+24uSTlCgR2iOQnYAYJ0jqwWpexNVgrXatvq3hdpZ0eI=
X-Gm-Gg: ASbGncvmE+9zcYOhbwucN0yEeNU/5n2fi6L8LSWd49u4odXMAH56OcWPpAcdqnWXm35 +yKKK7Na77Iluxz3yC/l+e6uKAhgONwKv6CvkYpcC
X-Google-Smtp-Source: AGHT+IHT2SpqSN9/E0U/xDeEzj0AgPXMAKELLOXEEsdAQ6qYseVVnJHEbjFff0F0oCjPo+nlrdXZZK7t0kgkSjFKvls=
X-Received: by 2002:a05:6902:1ac5:b0:e4d:25c6:c3a5 with SMTP id 3f1490d57ef6-e4d25c6d1a9mr3621133276.2.1734361399977; Mon, 16 Dec 2024 07:03:19 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoCHnXZzzoAFT8GGmByr=7y1j5wM3ptPc4_JBF3FhtVNmQ@mail.gmail.com> <bf28dd19-0534-4403-8e20-50bcbbc0fcdd@app.fastmail.com> <CAL02cgQ9610CzMfcJEPcfpDRemyvAh3-AEH=GZbmV4QdWtQCXA@mail.gmail.com> <CABcZeBNCbm0vUBA0c6i_7DzqwynbUj-SyDHEomHn0WCv4w3ZnQ@mail.gmail.com> <CAL02cgQP24OSjQJuY7Hcx+CXdG_B7LpZD-g2HjV_oJZ0nNrU4w@mail.gmail.com> <LV8PR21MB41582033BDB237242E313C7C8C382@LV8PR21MB4158.namprd21.prod.outlook.com>
In-Reply-To: <LV8PR21MB41582033BDB237242E313C7C8C382@LV8PR21MB4158.namprd21.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 16 Dec 2024 07:02:43 -0800
Message-ID: <CABcZeBPLcVXk_xxRC8A1PsobEr69yL7NON0qWLc-kKGmP=LRJw@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: multipart/alternative; boundary="00000000000028921f0629647b55"
Message-ID-Hash: GZZXGKFAWBHD2NNLA46TCSJTNNAX3K54
X-Message-ID-Hash: GZZXGKFAWBHD2NNLA46TCSJTNNAX3K54
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXTERNAL] Re: Disallowing reuse of ephemeral keys
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JTdi6skceCDFott3-nHCzJ2JRfY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Thanks. It seems like that would imply that Web clients cannot safely
enforce a non-reuse requirement even if we had one.

Do you plan to reuse ML-KEM keys as well?  The situation seems to be
different because, as Scott observes, it's the client who reaps the benefit.

-Ekr


On Thu, Dec 12, 2024 at 4:29 PM Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

>
>    - If there are significant implementations which do reuse…
>
> By default, servers using Windows TLS stack reuse ECDHE keys for up to 30
> sec. Reuse time can be configured or altogether disabled by the system
> admin. Disabling comes at a significant performance cost (for a busy TLS
> server).
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
> *From:* Richard Barnes <rlb@ipv.sx>
> *Sent:* Thursday, December 12, 2024 4:23 PM
> *To:* Eric Rescorla <ekr@rtfm.com>
> *Cc:* tls@ietf.org
> *Subject:* [EXTERNAL] [TLS] Re: Disallowing reuse of ephemeral keys
>
>
>
> I concur with EKR re: validation.  There's plenty of precedent in IETF
> specs for requirements that cannot be validated by the remote party,
> especially when it comes to maintaining security properties.  See, e.g.,
> the ticket deletion requirements in RFC 8446.
>
>
>
> --RLB
>
>
>
> On Thu, Dec 12, 2024 at 7:18 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
> I agree with Richard about the ordering.
>
>
>
> I think validation presents a distinct question: I don't think we should
> require validation, as it is extra work for the peer and may not be
> practical. If there are significant implementations which do reuse, then we
> should discourage or forbid validation for now [0] to avoid breakage and
> then later we can allow it. If there are no such implementations, then I
> think we can allow and/or encourage validation.
>
>
>
> -Ekr
>
>
>
>
>
> [0] This might be a reason to distinguish between existing and new cipher
> suites.
>
>
>
> On Thu, Dec 12, 2024 at 10:01 AM Richard Barnes <rlb@ipv.sx> wrote:
>
> My preference order would be 3 > 1 >> 2.
>
>
>
> 3 seems like it encodes the expectation of most people for what the
> protocol means.  If you're using a cipher suite labeled something like
> "ECDHE", it's reasonable to expect that it's actually ephemeral, i.e., that
> there's not key material hanging around afterward that could compromise the
> session.  Allowing key reuse (even tacitly) allows one side to silently
> violate that invariant.  I'm not worried about backward compat, since (a)
> it's wire compatible, and (b) any change here will be a separate RFC, so
> people who care about validating can ask specifically "do you comply with
> RFC XXXX"?
>
>
>
> 1 would be the next most plausible fallback, on the general principle that
> IETF specifications define externally visible behavior, and this is not.
>
>
>
> We should not do 2 because as Filippo says, there's no technical reason
> for it.
>
>
>
>
>
>
>
> On Thu, Dec 12, 2024 at 12:54 PM Filippo Valsorda <filippo@ml.filippo.io>
> wrote:
>
> I support some variation of 2 or 3, depending on what encounters the most
> resistance. I agree there is no technical reason to disallow it for e.g.
> X25519MLKEM768 and not X25519, but in practice it might be easier to set a
> new rule for something that's still being rolled out and still a draft.
>
>
>
> Both ECDH and KEMs support key share (or public key) reuse *in theory*
> but in practice it makes implementation issues much more likely to be
> practically exploitable, and the hypothetical performance gain of reuse is
> marginal. The spec should defend against that and point implementations
> towards the safer course of action.
>
>
>
> As always, there is no protocol police, so implementations that want to
> risk shooting their foot off will be able to do so, but they will be
> off-spec, which is a useful signal.
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
>

v2.30.2 | Report a Bug | By Email | System Status