[TLS] Re: Disallowing reuse of ephemeral keys
Russ Housley <housley@vigilsec.com> Thu, 12 December 2024 17:43 UTC
From: Russ Housley <housley@vigilsec.com>
Message-Id: <58BD40A7-CDD1-4EFB-9914-1902A68C13EC@vigilsec.com>
Date: Thu, 12 Dec 2024 12:43:06 -0500
In-Reply-To: <CAOgPGoCHnXZzzoAFT8GGmByr=7y1j5wM3ptPc4_JBF3FhtVNmQ@mail.gmail.com>
To: Joe Salowey <joe@salowey.net>
CC: IETF TLS <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_jc6HuJ4gHN5ZE6YDueitaplE7g>
I prefer option 1.

Russ

> On Dec 12, 2024, at 12:35 PM, Joseph Salowey <joe@salowey.net> wrote:
>
> Currently RFC 8446 (and RFC8446bis) do not forbid the reuse of ephemeral keys. This was the consensus of the working group during the development of TLS 1.3. There has been more recent discussion on the list to forbid reuse for ML-KEM/hybrid key exchange. There are several possible options here:
>
> 1. Keep things as they are (i.e. say nothing, as was done in previous TLS versions, to forbid the reuse of ephemeral keys) - this is the default action if there is no consensus
> 2. Disallow reuse for specific ciphersuites. It doesn't appear that there is any real difference in this matter between ML-KEM/hybrids and ECDH here except that there are many more ECDH implementations (some of which may reuse a keyshare)
> 3. Update 8446 to disallow reuse of ephemeral keyshares in general. This could be done by revising RFC 8446bis or with a separate document that updates RFC 8446/bis
>
> We would like to know if there are folks who think the reuse of keyshares is important for HTTP or non-HTTP use cases.
>
> Thanks,
>
> Joe, Deirdre and Sean
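The question being polled is whether a server may present the same key_share in more than one handshake. Whatever the working group decides, an operator can check what a server actually does. The Python below is an added example, not part of this post or of any implementation discussed on the list: it parses a TLS 1.3 ServerHello handshake message (RFC 8446 section 4.1.3) far enough to extract the key_share extension (type 51, section 4.2.8) and reports any server public key that appears in more than one handshake. The ServerHello bytes are constructed for the example, and the 32-byte "shares" are test bytes rather than real X25519 points; the connection ids are likewise made up.

```python
"""Flag reuse of a server's TLS 1.3 key_share across handshakes.

Added example (not from the mailing-list post). Input is the ServerHello
handshake message as it appears inside the TLS record; the samples at the
bottom are constructed for the demo and carry fixed test bytes, not real
X25519 public keys.
"""
import struct
from collections import defaultdict

HANDSHAKE_SERVER_HELLO = 2   # HandshakeType, RFC 8446 section 4
EXT_SUPPORTED_VERSIONS = 43  # ExtensionType, RFC 8446 section 4.2
EXT_KEY_SHARE = 51
X25519 = 0x001D              # NamedGroup, RFC 8446 section 4.2.7


def build_server_hello(group: int, key_exchange: bytes, random: bytes) -> bytes:
    """Construct a minimal TLS 1.3 ServerHello handshake message for the demo."""
    ks = struct.pack(">HH", group, len(key_exchange)) + key_exchange
    extensions = (
        struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)   # TLS 1.3
        + struct.pack(">HH", EXT_KEY_SHARE, len(ks)) + ks
    )
    body = (
        b"\x03\x03"                                   # legacy_version
        + random                                      # 32-byte random
        + b"\x00"                                     # empty legacy_session_id_echo
        + b"\x13\x01"                                 # TLS_AES_128_GCM_SHA256
        + b"\x00"                                     # legacy_compression_method
        + struct.pack(">H", len(extensions)) + extensions
    )
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_key_share(msg: bytes):
    """Return (group, key_exchange) from a ServerHello, or None if no key_share."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                  # skip legacy_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip legacy_session_id_echo
    pos += 2 + 1                                  # skip cipher_suite + compression
    (ext_len,) = struct.unpack_from(">H", body, pos)
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length mismatch")
    while pos + 4 <= end:
        etype, elen = struct.unpack_from(">HH", body, pos)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_KEY_SHARE:
            group, klen = struct.unpack_from(">HH", data, 0)
            if klen != len(data) - 4:
                raise ValueError("key_share length mismatch")
            return group, data[4:4 + klen]
    return None


def find_reused_key_shares(handshakes):
    """handshakes: iterable of (connection_id, server_hello_bytes).

    Returns {(group, key_exchange_hex): [connection_ids]} for every server
    share that was presented in more than one handshake. A server whose
    shares are truly ephemeral yields an empty dict.
    """
    seen = defaultdict(list)
    for conn_id, msg in handshakes:
        share = parse_key_share(msg)
        if share is None:
            continue
        group, key = share
        seen[(group, key.hex())].append(conn_id)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: three handshakes; the server repeats its share on 1 and 3.
SHARE_A = bytes(range(32))
SHARE_B = bytes(range(32, 64))
SAMPLE = [
    ("conn-1", build_server_hello(X25519, SHARE_A, b"\x11" * 32)),
    ("conn-2", build_server_hello(X25519, SHARE_B, b"\x22" * 32)),
    ("conn-3", build_server_hello(X25519, SHARE_A, b"\x33" * 32)),
]

if __name__ == "__main__":
    for (group, key_hex), conns in find_reused_key_shares(SAMPLE).items():
        print(f"group 0x{group:04x} share {key_hex[:16]}... reused across {conns}")
```

Feeding the parser real ServerHello bytes (for instance, from a packet capture) over a window of connections gives the same report; the hybrid and ML-KEM groups under discussion only change the NamedGroup value and the length of key_exchange, not the structure the parser walks.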