Re: [TLS] Frequent ephemeral Diffie-Hellman in long-term (D)TLS 1.3 connections replacing IPsec

Watson Ladd, Thu, 18 February 2021 06:24 UTC


On Fri, Jan 29, 2021 at 7:52 AM John Mattsson wrote:
> Hi,
> 3GPP has historically to a large degree used IPsec to protect interfaces in the core and radio access networks. Recently, 3GPP has more and more been specifying use of (D)TLS to replace or complement IPsec. Most 3GPP uses of (D)TLS are long-term connections.
> Current best practice for long-term connections is to rerun Ephemeral Diffie-Hellman frequently to limit the impact of a key compromise. For IPsec, ANSSI (France) recommends to rerun Ephemeral Diffie-Hellman every hour and every 100 GB, BSI (Germany) recommends at least every 4 h, and NIST (USA) recommends at least every 8 h. These recommendations are formally for IPsec but make equal sense for any long-term connection such as (D)TLS.
> If I understand correctly, the KeyUpdate handshake message only provides Forward Secrecy (compromise of the current key does not compromise old keys). To ensure that compromise of the current key does not compromise future keys (post-compromise security, backward secrecy, future secrecy) my understanding is that one would have to frequently terminate the connection and do resumption with psk_dh_ke. Seems like this would cause a noticeable interruption in the connection, or? Are there any best practices for how to do frequent ephemeral Diffie-Hellman for long-term (D)TLS connections? Seems to me that frequent ephemeral Diffie-Hellman should be the recommendation for any long-term (D)TLS connection as it is for IPsec.

What's the threat model here?

> Cheers,
> John

Astra mortemque praestare gradatim
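
The KeyUpdate property raised in the quoted message, as an added example that is not part of the original thread: TLS 1.3 derives each new application traffic secret from the previous one with HKDF-Expand-Label and the label "traffic upd" (RFC 8446, section 7.2), with no fresh Diffie-Hellman input. The sketch assumes a SHA-256 cipher suite and a constructed starting secret; the function names are this example's own.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def next_traffic_secret(current: bytes) -> bytes:
    """application_traffic_secret_N+1, as computed on KeyUpdate."""
    return hkdf_expand_label(current, b"traffic upd", b"", HASH_LEN)


def ratchet(secret: bytes, updates: int) -> list:
    """Return [secret_0, secret_1, ..., secret_updates]."""
    chain = [secret]
    for _ in range(updates):
        chain.append(next_traffic_secret(chain[-1]))
    return chain


# Constructed sample value, not taken from a real connection.
SECRET_0 = HASH(b"constructed application_traffic_secret_0").digest()
ENDPOINT_CHAIN = ratchet(SECRET_0, 5)

# Whoever holds secret_2 can rerun the same public derivation forward,
# so every later generation is exposed; secret_0 and secret_1 are not,
# because HKDF is one-way.
REDERIVED_FROM_LEAK = ratchet(ENDPOINT_CHAIN[2], 3)


def future_secrets_exposed() -> bool:
    return REDERIVED_FROM_LEAK == ENDPOINT_CHAIN[2:]
```

Only a new (EC)DHE exchange, for example a psk_dhe_ke resumption, adds entropy that a holder of an earlier traffic secret cannot recompute.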