Re: [TLS] Frequent ephemeral Diffie-Hellman in long-term (D)TLS 1.3 connections replacing IPsec

John Mattsson <john.mattsson@ericsson.com> Thu, 18 February 2021 16:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TzFnAO08xXYqLbKzV6KuOiLU6LM>


-----Original Message-----
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thursday, 18 February 2021 at 07:24
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "TLS@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Frequent ephemeral Diffie-Hellman in long-term (D)TLS 1.3 connections replacing IPsec

On Fri, Jan 29, 2021 at 7:52 AM John Mattsson
<john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
>
> Hi,
>
> 3GPP has historically to a large degree used IPsec to protect interfaces in the core and radio access networks. Recently, 3GPP has more and more been specifying use of (D)TLS to replace or complement IPsec. Most 3GPP usage of (D)TLS are long-term connections.
>
> Current best practice for long-term connections is to rerun Ephemeral Diffie-Hellman frequently to limit the impact of a key compromise. For IPsec, ANSSI (France) recommends to rerun Ephemeral Diffie-Hellman every hour and every 100 GB, BSI (Germany) recommends at least every 4 h, and NIST (USA) recommends at least every 8 h. These recommendations are formally for IPsec but make equal sense for any long-term connection such as (D)TLS.
>
> If I understand correctly, the KeyUpdate handshake message only provides Forward Secrecy (compromise of the current key does not compromise old keys). To ensure that compromise of the current key does not compromise future keys (post-compromise security, backward secrecy, future secrecy) my understanding is that one would have to frequently terminate the connection and do resumption with psk_dh_ke. Seems like this would cause a noticeable interruption in the connection, or? Are there any best practices for how to do frequent ephemeral Diffie-Hellman for long-term (D)TLS connections? Seems to me that frequent ephemeral Diffie-Hellman should be the recommendation for any long-term (D)TLS connection as it is for IPsec.

What's the threat model here?

[John] The threat model is leakage of application_traffic_secret_N. A passive attacker can then passively eavesdrop on all future application data sent on the connection including application data encrypted with application_traffic_secret_N+1, application_traffic_secret_N+2, application_traffic_secret_N+3, etc.

That the attacker cannot eavesdrop on application data encrypted with application_traffic_secret_N-1, application_traffic_secret_N-2, etc. is already pretty sweet, but below government requirements for IPsec.
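
The KeyUpdate ratchet discussed in this message, as an added example that is not part of the original thread: it implements the RFC 8446 derivation of application_traffic_secret_N+1 and shows that every later secret is a deterministic function of a leaked application_traffic_secret_N. The SHA-256 choice, the sample secrets and `rekey_with_fresh_input` (an illustrative stand-in for fresh Diffie-Hellman input, not a TLS 1.3 mechanism) are assumptions.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256               # assumed cipher-suite hash (SHA-256)
HASH_LEN = HASH().digest_size


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand from RFC 5869."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label from RFC 8446, section 7.1."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def key_update(secret_n: bytes) -> bytes:
    """application_traffic_secret_N+1 for KeyUpdate (RFC 8446, section 7.2)."""
    return hkdf_expand_label(secret_n, b"traffic upd", b"", HASH_LEN)


def ratchet(secret: bytes, steps: int) -> bytes:
    """Apply KeyUpdate `steps` times; no new entropy enters the chain."""
    for _ in range(steps):
        secret = key_update(secret)
    return secret


def rekey_with_fresh_input(secret: bytes, fresh_ikm: bytes) -> bytes:
    """Hypothetical stand-in (HKDF-Extract), NOT a TLS 1.3 mechanism: mixes in
    a new shared secret, as a fresh ephemeral Diffie-Hellman exchange would."""
    return hmac.new(secret, fresh_ikm, HASH).digest()


# Constructed sample values, not real traffic secrets.
secret_0 = hashlib.sha256(b"constructed application_traffic_secret_0").digest()
leaked_n = ratchet(secret_0, 5)        # the secret assumed to have leaked (N = 5)
endpoint_n3 = ratchet(secret_0, 8)     # what the endpoints hold after 3 more KeyUpdates
observer_n3 = ratchet(leaked_n, 3)     # computed from the leaked secret alone
fresh_ikm = os.urandom(32)             # stand-in for a new (EC)DHE shared secret
endpoint_rekeyed = rekey_with_fresh_input(leaked_n, fresh_ikm)
```

`observer_n3` equals `endpoint_n3`, while `endpoint_rekeyed` depends on input the holder of `leaked_n` never saw; the chain cannot be run backwards to N-1 because HKDF-Expand is one-way.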