Re: [TLS] ETSI releases standards for enterprise security and data centre management

Daniel Kahn Gillmor <> Thu, 06 December 2018 21:06 UTC

On Thu 2018-12-06 02:10:06 +0000, Andrei Popov wrote:
> In our tests, we see significant drop in handshakes/sec on a busy TLS
> server with ephemeral DH share reuse time < 1 sec.

hm, thinking about this optimization approach, i would really like to
know what implementations are doing this.  It occurs to me that client
implementations as well as server implementations could be doing this
"for efficiency reasons".

If both sides do it, and two connections are established within the
window before the "ephemeral" keys are disposed of, then you could end
up in a scenario where you actually have a "Handshake Secret" and
"Master Secret" that are reused across a connection, and this would be
entirely observable by a passive monitor.

That leaves the only defense against direct key reuse for encryption on
the wire the entropy in:

 * ClientHello and ServerHello (for

 * ClientHello and server Finished (for
   {client,server}_application_traffic_secret_0 and

 * ClientHello and client Finished (for

Seems like risky business... we're leaning heavily on HKDF-Expand-Label
to keep a passive observer from being able to identify how the actual
traffic keys across sessions are related to one another.  Or am i
missing something?  I'd love for someone to correct me here.

Maybe i'll add a section to the draft explicitly forbidding clients from
ever taking this "optimization" step as well.
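The scenario described above, as an added illustration that is not part of this thread: the TLS 1.3 key schedule from RFC 8446 section 7.1, reduced to the secrets named in the message, run over two handshakes whose (EC)DHE shared secret is the same because both peers reused their shares. SHA-256 is assumed as the hash, the inputs are constructed sample bytes rather than real TLS messages, and `compare_connections` is this example's own helper.

```python
import hashlib
import hmac
HASH, HASH_LEN = hashlib.sha256, hashlib.sha256().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel: uint16 length || opaque label<7..255> || opaque context<0..255>
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)

def key_schedule(dhe_shared: bytes, ch_to_sh: bytes, ch_to_sf: bytes) -> dict:
    """Non-PSK TLS 1.3 key schedule; ch_to_sh / ch_to_sf are the transcripts
    ClientHello..ServerHello and ClientHello..server Finished."""
    zeros = bytes(HASH_LEN)
    early_secret = hkdf_extract(zeros, zeros)  # no PSK: IKM is Hash.length zero bytes
    handshake_secret = hkdf_extract(derive_secret(early_secret, b"derived", b""), dhe_shared)
    master_secret = hkdf_extract(derive_secret(handshake_secret, b"derived", b""), zeros)
    return {
        "handshake_secret": handshake_secret,  # depends only on the (EC)DHE secret
        "master_secret": master_secret,        # likewise, no transcript input at all
        "c_hs_traffic": derive_secret(handshake_secret, b"c hs traffic", ch_to_sh),
        "s_hs_traffic": derive_secret(handshake_secret, b"s hs traffic", ch_to_sh),
        "c_ap_traffic": derive_secret(master_secret, b"c ap traffic", ch_to_sf),
        "s_ap_traffic": derive_secret(master_secret, b"s ap traffic", ch_to_sf),
    }

def compare_connections(dhe_shared: bytes, first: tuple, second: tuple) -> dict:
    """Per secret: identical across two handshakes that share one (EC)DHE secret?"""
    a, b = key_schedule(dhe_shared, *first), key_schedule(dhe_shared, *second)
    return {name: a[name] == b[name] for name in a}

# Constructed sample inputs (not real TLS messages): one reused shared secret,
# transcripts that differ only in the Hello randoms and Finished values.
REUSED_SHARED = hashlib.sha256(b"constructed reused ECDHE shared secret").digest()
CONN_1 = (b"CH random=1111 SH random=aaaa", b"CH random=1111 SH random=aaaa ... SF 1")
CONN_2 = (b"CH random=2222 SH random=bbbb", b"CH random=2222 SH random=bbbb ... SF 2")
```

With both shares reused, the Handshake Secret and Master Secret come out byte-for-byte identical on the two connections; only the HKDF-Expand-Label step, fed the transcript hash, keeps the traffic secrets apart.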