[TLS] Re: Security Concern in TLS 1.3 and OpenSSL Implementation
"H.Rafiee" <ietf@rozanak.com> Thu, 20 November 2025 09:49 UTC
Message-ID: <f7d9d248-99f2-4f2a-8abe-0210e7af1323@rozanak.com>
Date: Thu, 20 Nov 2025 10:48:07 +0100
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>, Thom Wiggers <thom@thomwiggers.nl>
References: <7f563479-c1ac-4678-9d96-f8a0d8fb0e69@rozanak.com> <a649b086-9c38-4e06-bf06-0b5f57e0e9cb@tu-dresden.de> <b77d26df-0a68-423e-b4d7-651b1421e9a7@rozanak.com> <D2E3DD93-67F9-4A5D-B409-1483995AB27F@thomwiggers.nl> <99bbfbc8-673a-4e5f-ae8e-46008984e6c5@tu-dresden.de> <35FEF57D-52FE-484C-AB86-DCFDC676BEC3@thomwiggers.nl> <1c145c54-a006-48b7-9f97-3649305f5794@tu-dresden.de> <CE11817C-14AD-4121-B6AF-9C7BAEF721F6@thomwiggers.nl> <8a98a602-836e-419e-9647-fd8ed35d8035@tu-dresden.de>
Content-Language: en-US
From: "H.Rafiee" <ietf@rozanak.com>
In-Reply-To: <8a98a602-836e-419e-9647-fd8ed35d8035@tu-dresden.de>
CC: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cn6xHkxtrohon4p4PUq3SSKMS4k>
Usama,

Before making any judgments, I kindly ask that you review my earlier messages where I shared the exact key names I was concerned about. My intention was only to raise a valid security concern regarding a possible attack. Unfortunately, instead of addressing it in detail, it was treated as if I were spamming.

I regret that our communication has left me feeling disappointed. For this reason, I will not continue the discussion further. If you believe the protocol is secure enough, I respect your position.

I apologize if my messages caused any inconvenience. I had hoped for more openness to different perspectives, but I understand your approach.

Thank you for your time and understanding. I will step back from this conversation now.

Hosnieh

On 11/20/25 10:34 AM, Muhammad Usama Sardar wrote:
>
> Hi Thom,
>
> Thanks, we are on the same page. Some notes inline:
>
> On 20.11.25 01:55, Thom Wiggers wrote:
>>> On 19 Nov 2025, at 21:32, Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> wrote:
>>>
>>> On 19.11.25 06:36, Thom Wiggers wrote:
>>>> And indeed, what applies to the Main Secret applies to the other "internal" keys just as well.
>>>
>>> By "internal keys" you mean all the keys in the TLS 1.3 key schedule except for "exporter value" as defined in Sec. 7.5 of RFC8446bis, right?
>>>
>>> In other words, the set of "external keys" would have just two keys:
>>>
>>> 1. "early" exporter value (which takes only ClientHello from handshake)
>>> 2. Exporter value (which takes up to ServerFinished from handshake)
>>>
>> That sounds about right. Maybe even more strictly, the values _derived from_ the exporter values when the API is called are "external", as we have some semantics attached to their properties and use outside the handshake.
> Cool, thanks for confirmation. We are on the same page.
>> See https://eprint.iacr.org/2020/1044.pdf
> Thanks for this pointer. I see their distinction between internal and external.
>> I was not being super precise or formal here, anyway [1].
> Sure, I asked because I could not find "internal keys" in RFC8446bis. I just wanted to be sure that we are saying the same thing.
>> [1] Note that I think that most people are not always being formal or even very precise on this mailing list and in other discussions around the IETF.
>
> Well, I disagree: when Hosnieh is claiming a security concern related to key schedule, she has to be precise about the keys. In particular, the way she is equating PSK to Main Secret is just wrong. Doing it repeatedly after being corrected a couple of times seems like intentional spamming to me.
>
> Besides, making claims such as many systems are using PSK-only handshakes without providing a single example is just illogical to me.
>
> -Usama
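The key-schedule relationships the quoted exchange relies on (the PSK is only an input to Early Secret, Main Secret sits two Extract steps further down, and the early and regular exporter master secrets are the only "external" outputs), as an added Python example that is not part of any message in this thread; it follows RFC 8446 Sections 7.1 and 7.5 with SHA-256, and the PSK, ECDHE and transcript bytes used with it are constructed placeholders.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for the SHA-256 cipher suites

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract: PRK = HMAC-Hash(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated, truncated
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm, i = okm + t, i + 1
    return okm[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # RFC 8446 Section 7.1: info is the serialized HkdfLabel struct
    full_label = b"tls13 " + label.encode("ascii")
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    # Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages), Hash.length)
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)

def key_schedule(psk: bytes, ecdhe: bytes, transcript_ch: bytes, transcript_sf: bytes) -> dict:
    # RFC 8446 Section 7.1 (the bis draft renames Master Secret to Main Secret; labels are unchanged).
    # An empty psk or ecdhe means "not used" and is replaced by Hash.length zero bytes, as the RFC says.
    zeros = bytes(HASH_LEN)
    early_secret = hkdf_extract(zeros, psk or zeros)
    handshake_secret = hkdf_extract(derive_secret(early_secret, "derived", b""), ecdhe or zeros)
    main_secret = hkdf_extract(derive_secret(handshake_secret, "derived", b""), zeros)
    return {
        "early_secret": early_secret,            # internal
        "handshake_secret": handshake_secret,    # internal
        "main_secret": main_secret,              # internal, and never equal to the PSK
        # the two "external" secrets from the thread: ClientHello only, and up to server Finished
        "early_exporter_master": derive_secret(early_secret, "e exp master", transcript_ch),
        "exporter_master": derive_secret(main_secret, "exp master", transcript_sf),
    }

def tls_exporter(exporter_master: bytes, label: str, context: bytes, length: int) -> bytes:
    # RFC 8446 Section 7.5: the value the exporter API actually hands to the application
    return hkdf_expand_label(derive_secret(exporter_master, label, b""), "exporter",
                             HASH(context).digest(), length)
```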