IETF Logo Mail Archive

Re: [TLS] Possible deadlock when ACKing KeyUpdate messages?

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 31 March 2020 06:28 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 026B43A0D4A for <tls@ietfa.amsl.com>; Mon, 30 Mar 2020 23:28:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=5tUlL6pm; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=5tUlL6pm
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VehnUZBiHu45 for <tls@ietfa.amsl.com>; Mon, 30 Mar 2020 23:28:23 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130071.outbound.protection.outlook.com [40.107.13.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 085993A0FBC for <tls@ietf.org>; Mon, 30 Mar 2020 23:28:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OLBOS1YYfXCzFjPbZchM6cZoenXmXvS+yW/EXq841RQ=; b=5tUlL6pmJiKWop6D3t2yAGjahxhneioKcuifT7uR5OlxWIEdRRQ/dWB0+55sM7sxNJEPFQZOXCMog+KvNHqpzh+7ofPGWQTsS1kLqtKPabYNzEV3hOVWbMOZT5c09RwX6UN1TJd4JiQBfBwGueGN2ddCtaSF/M9tzwlNCAXaA0A=
Received: from AM5PR0201CA0018.eurprd02.prod.outlook.com (2603:10a6:203:3d::28) by VI1PR08MB5294.eurprd08.prod.outlook.com (2603:10a6:803:de::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20; Tue, 31 Mar 2020 06:28:20 +0000
Received: from VE1EUR03FT046.eop-EUR03.prod.protection.outlook.com (2603:10a6:203:3d:cafe::ae) by AM5PR0201CA0018.outlook.office365.com (2603:10a6:203:3d::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20 via Frontend Transport; Tue, 31 Mar 2020 06:28:19 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT046.mail.protection.outlook.com (10.152.19.226) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.17 via Frontend Transport; Tue, 31 Mar 2020 06:28:19 +0000
Received: ("Tessian outbound 4b84da486446:v50"); Tue, 31 Mar 2020 06:28:19 +0000
X-CR-MTA-TID: 64aa7808
Received: from 749fcad29b68.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 313253EC-589F-4A40-B0A9-52E4EF12D14F.1; Tue, 31 Mar 2020 06:28:14 +0000
Received: from EUR05-DB8-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 749fcad29b68.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Tue, 31 Mar 2020 06:28:14 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XgBJYi6C3TUAhtHC8Bn/UNlXwUcbcYrPleYv7wyux0AEB/34HMgDhckpi2zA2WW1F0Pl4caK0RnU7aabyMDAFlaOK+K8dBTYZhWgNIT4klCJ37xsh6Hso4bIenPtRBUKyoQkdTsFYul5QD1Z2pxd3yxcCUb1OM/uJHbeJOyEI3sejOmQaUQjSGqI/KvUUpMLC5cLw5vXKsEvbgmAKMYn66YP/OQOfUTDxZMmnuGzv/SjbX5zmFiiBPzoV9v5/dPxiqPUOFvh8kwNv+0iTrD0ArpTb1p0Wqkju32dfVVWEEOFwmpFATJ1bSeFrQ9YDWKlwM8VKzNUORoZTPAybIIR2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OLBOS1YYfXCzFjPbZchM6cZoenXmXvS+yW/EXq841RQ=; b=eC9lndUFRWVcLf/WwHzwbeD0JqDUJLVDQKKP9pb41H9e8PTh4HX7DQAIhWipjvulxaPLW6lQIbpA/D/2TJAqzLTQFM09Nr91pQhpatfeZi2gTHEHFyFbtkcGFdJw/rptNybh64A6f8w8Vy871aok/pCQVrP32phsPlvoWKG6CG/kI66yliHtVChzrc2Fw2HPxEo1cqhqt2Mv0pYSgolJJTmF4TA4v5B7JkLIRiI05gOfRyqvCkt1RcbEUJX6MH0j9l59BQSzLJ5wpFZ9kkfnnskE1Ct4nySpVzoFjEcQraBN9xxu8kD0vCYzTA7CvPMQHQl2VbqwN4XAmgJDYTCz4w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OLBOS1YYfXCzFjPbZchM6cZoenXmXvS+yW/EXq841RQ=; b=5tUlL6pmJiKWop6D3t2yAGjahxhneioKcuifT7uR5OlxWIEdRRQ/dWB0+55sM7sxNJEPFQZOXCMog+KvNHqpzh+7ofPGWQTsS1kLqtKPabYNzEV3hOVWbMOZT5c09RwX6UN1TJd4JiQBfBwGueGN2ddCtaSF/M9tzwlNCAXaA0A=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (20.178.23.205) by AM0PR08MB3236.eurprd08.prod.outlook.com (52.134.91.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20; Tue, 31 Mar 2020 06:28:13 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::2159:870b:25df:e612]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::2159:870b:25df:e612%5]) with mapi id 15.20.2856.019; Tue, 31 Mar 2020 06:28:13 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Hanno Becker <Hanno.Becker@arm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Possible deadlock when ACKing KeyUpdate messages?
Thread-Index: AQHWBUxJ8anoCpmsBUC57Xe/3C4BZ6hg8CNggAB+9VqAANAfcA==
Date: Tue, 31 Mar 2020 06:28:12 +0000
Message-ID: <AM0PR08MB371664C0317053358F3F48FAFAC80@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <AM6PR08MB3318966B8BEE7B818D6AB0409BCD0@AM6PR08MB3318.eurprd08.prod.outlook.com>, <AM0PR08MB3716FDD9BA467A7D597DD689FACB0@AM0PR08MB3716.eurprd08.prod.outlook.com> <AM6PR08MB33181249201D9E9E43F107229BCB0@AM6PR08MB3318.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB33181249201D9E9E43F107229BCB0@AM6PR08MB3318.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 73d7bb21-eb44-4ac8-ae18-70dd65944bd5.1
x-checkrecipientchecked: true
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.116.70]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: a6f903b7-3720-4ee8-19a9-08d7d53cb46b
x-ms-traffictypediagnostic: AM0PR08MB3236:|AM0PR08MB3236:|VI1PR08MB5294:
x-ms-exchange-transport-forked: True
X-Microsoft-Antispam-PRVS: <VI1PR08MB52946ED4A203977819154E19FAC80@VI1PR08MB5294.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 0359162B6D
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(366004)(346002)(136003)(376002)(396003)(39860400002)(8676002)(55016002)(6506007)(81156014)(71200400001)(81166006)(316002)(53546011)(2906002)(33656002)(478600001)(86362001)(9686003)(66476007)(64756008)(66946007)(5660300002)(110136005)(76116006)(7696005)(66446008)(966005)(66556008)(9326002)(8936002)(26005)(15650500001)(52536014)(186003); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 63yD3d/qshMN3k1xhtaSyDXR0HVI36HnHR4YmkiUx18woXe/K5NZmyvDU5YZDJLkBTmrihlRbiDOJnqvqG2vN0impSsI19Qf30IDOHuQuD4KB4Q2j+381ZwuDmCXnUt0qxGQI+v0V9/J8jMV0Z/J6kL+VPNc2BjCQBwpTekmrixIyMZFxAL5qOT415V8qMQ983E4F+aOsK0XHbTyOsfH7MG8+QZoR27VuhA0b3zIepXQxhp/rhWMlWrwuyBV/1ZIIgxRoz6gjqgC9IYPQUKtJ/t27kLvFDgfwPtiB+Zywisp8uEFo9mFEZgLhTKhqwZiKwIrWjg0F/XZGfzP+Bc9LKSQHFN6pmj1ZTc60ZYEyL1mmIgfX7HUM3c2hj3mHZV0w1uwM17y8Takeu8nFcw+w60VCd/lMFAObsM6oNPzvAPwkeN7RoI5DTqUIIArIThuppD/DejNLHti6tzRaIAysKxoWbpRae0Esxwdavg0l9S81l1Nap06AaTV1Jw52rAusw8JFBrU/aaGQ+hM6HsNUQ==
x-ms-exchange-antispam-messagedata: eNyxFqOPXJZbHd5IPJFavyXiF3VvKTYgSxxNZufCN4lt6R1xVEUg7nq4qsz2p3bgPAsV77NEMkUt9G/mOJ1IyIp2E/9G7GY7ZxBO/2+z1IDEMxqdPByc0ETbMErPU4dVlE1LfDLWTPRu5h6QhCcsYQ==
Content-Type: multipart/alternative; boundary="_000_AM0PR08MB371664C0317053358F3F48FAFAC80AM0PR08MB3716eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB3236
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT046.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(376002)(396003)(136003)(346002)(39860400002)(46966005)(81166006)(81156014)(2906002)(86362001)(26826003)(70206006)(30864003)(33656002)(356004)(7696005)(8676002)(9326002)(966005)(52536014)(5660300002)(15650500001)(26005)(336012)(478600001)(186003)(36906005)(8936002)(316002)(82740400003)(47076004)(9686003)(53546011)(55016002)(110136005)(6506007)(70586007); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 9105d7d6-5484-49e3-d83b-08d7d53cb068
X-Forefront-PRVS: 0359162B6D
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: YUia1dfx3B2VwExufYHBEPNUIH6qX6UqR4ASQCZxozCNcl8DDYklomV0oPUqf9grfcr18Q4gGE4fifeoI6ESYUxy8vvkvQwf9rHUHnUtAJPtBsTTb0KFKh5wdHELLX0vYGGeEmGt62c5/3ubl1SzPUwpCumN2jP4lt51VFKZUSPGfXSamV+bInZoM8+hQqrGBJLxoS67y+TUZ4rfD0rJQPs/4BpQnWOJoESHAYmxx2oArT5BWwXc+Wf3baLIJuY+5f8jBjbTteAlV/48/q95P0CVRHnh2T/vaQN3D65wypMcA6XoFR1bh1uCpbj85wqe5Y5s73YQdrw76Yzb5+dnknBelqOJd4pKH9oPmFPqZsE7cS9k9jZHqONrxgVoYXZDI+GWJeNqeezg+fmzA4jOaegQnZlLfuHykoZ1ARyCOlM3xbU4sRplmxrTCpWbYXbAXye+HQMzgWdroxg3qDm7mUnnl8eW+s2Qaw3+B3eGLDljIkBL7cK+EkH0TWZGr7i9MbzH6+P93DJecl7Pz0eVaZulADomenY15/LqmdAfKClueikT9kcDQgUpywoGEZiFlpFE/5n0lJj3U9wig0yEMg==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Mar 2020 06:28:19.6174 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a6f903b7-3720-4ee8-19a9-08d7d53cb46b
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB5294
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IPJHJJg1co-dT_IyPbXQXfTrnYM>
Subject: Re: [TLS] Possible deadlock when ACKing KeyUpdate messages?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2020 06:28:28 -0000

Hi Hanno,


I believe the part of the paragraph that talks about "canned ACKs" needs to be clarified.


In https://github.com/tlswg/dtls13-spec/pull/135 I changed the text  from



"

   Although KeyUpdate MUST be acknowledged, it is possible for the ACK

   to be lost, in which case the sender of the KeyUpdate will retransmit

   it.  Implementations MUST retain the ability to ACK the KeyUpdate for

   up to 2MSL.  It is RECOMMENDED that they do so by retaining the pre-

   update keying material, but they MAY do so by responding to messages

   which appear to be out-of-epoch with a canned ACK message; in this

   case, implementations SHOULD rate limit how often they send such

   ACKs.

"



To:


"
Although KeyUpdates MUST be acknowledged, it is possible for the ACK to be
lost, in which case the sender of the KeyUpdate will retransmit it.
The receiver of the KeyUpdate MUST retain the ability to ACK the KeyUpdate for
up to 2MSL. It is RECOMMENDED that they do so by retaining the
pre-update keying material, but they MAY remove the pre-update
keying material only upon receipt and successful decryption of a message
using the new keys.
"

Ciao
Hannes


From: Hanno Becker <Hanno.Becker@arm.com>
Sent: Monday, March 30, 2020 8:02 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; tls@ietf.org
Subject: Re: [TLS] Possible deadlock when ACKing KeyUpdate messages?

Hi Hannes,

>  In your example below, the sender of the initial KeyUpdate has to re-send it because of the lost ACK. In order to resubmit it, it has to use the old keying material (or cache the message). The receiver cannot immediately delete keying material after processing the initial KeyUpdate message because it does not know whether the ACK will subsequently get lost.

My point is that the paragraph cited at the top of my post appears to say that receivers MAY immediately delete keying material after
receiving a KeyUpdate IF they blindly ACK retransmissions of the KeyUpdate (even though they can't decrypt it anymore). The example
shows that this doesn't work, unless I've made a mistake.

Best,
Hanno
________________________________
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Sent: Monday, March 30, 2020 11:57 AM
To: Hanno Becker <Hanno.Becker@arm.com<mailto:Hanno.Becker@arm.com>>; tls@ietf.org<mailto:tls@ietf.org> <tls@ietf.org<mailto:tls@ietf.org>>
Subject: RE: [TLS] Possible deadlock when ACKing KeyUpdate messages?


Hi Hanno, Hi all,



I believe it would be useful to add some extra sentences to the draft to retaining the old key material.



In your example below, the sender of the initial KeyUpdate has to re-send it because of the lost ACK. In order to resubmit it, it has to use the old keying material (or cache the message). The receiver cannot immediately delete keying material after processing the initial KeyUpdate message because it does not know whether the ACK will subsequently get lost.



Ciao

Hannes



From: TLS <tls-bounces@ietf.org<mailto:tls-bounces@ietf.org>> On Behalf Of Hanno Becker
Sent: Saturday, March 28, 2020 11:31 PM
To: tls@ietf.org<mailto:tls@ietf.org>
Subject: [TLS] Possible deadlock when ACKing KeyUpdate messages?



In relation to ACKs for KeyUpdate messages, DTLS 1.3 Draft 37 states:



   Although KeyUpdate MUST be acknowledged, it is possible for the ACK

   to be lost, in which case the sender of the KeyUpdate will retransmit

   it.  Implementations MUST retain the ability to ACK the KeyUpdate for

   up to 2MSL.  It is RECOMMENDED that they do so by retaining the pre-

   update keying material, but they MAY do so by responding to messages

   which appear to be out-of-epoch with a canned ACK message; in this

   case, implementations SHOULD rate limit how often they send such

   ACKs.



This seems to allow implementations to remove old incoming keys immediately

after ACKing the KeyUpdate, which appears to open the door for the following

situation leading to deadlock:





  +-------------------------+

  |   KeyUpdate, epoch N    |-------------> received

  +-------------------------+

                                          +------------------------+

                               lost x-----|     ACK,   epoch M     |

                                          +------------------------+



                                          [ new incoming epoch N+1,

                                            remove keys for epoch N ]



-                                         +------------------------+

                  received  <-------------|   KeyUpdate, epoch M   |

                                          +------------------------+

  +-------------------------+

  |       ACK, epoch N      |-------[ irrelevant whether it goes through - see below ]

  +-------------------------+



  [ new incoming epoch M+1,

    remove keys for epoch M ]



Note: This isn't an entirely unlikely situation, since a KeyUpdate with update_requested flag

will result in a subsequent KeyUpdate from the other side, and the only unlucky thing that

needs to happen is for the original ACK to be lost while both KeyUpdate messages go through.



At this point, both sides have updated their incoming key material but

not their outgoing key material, since they're still awaiting the ACK -

however, it turns out that they can't actually read those ACKs anymore:



After some time, the peers resend the KeyUpdate messages, which will be

blindly ACKed by the peer according to the recommendation in the spec;

however, the ACKs will be encrypted with the wrong keys and cannot

be parsed on either side:



  +---------------------------+

  | resent KeyUpdate, epoch N |-------------> received, but can't be read

  +---------------------------+               because incoming epoch N+1



                                                send 'blind' ACK



  received, but can't be read                +------------------------+

  because incoming epoch M+1  <--------------|     ACK,   epoch M     |

                                             +------------------------+



The same will happen to KeyUpdate retransmission from the other side.



It seems that this results in a deadlock. Am I missing / misunderstanding something?



A possible mitigation would be to force retaining the old key material for 2MSL,

or alternatively, to mandate that old key material must only be removed upon

receipt and successful decryption of a message using the new keys.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email