IETF Logo Mail Archive

[TLS] Re: [EXTERNAL] Re: Disallowing reuse of ephemeral keys

Sophie Schmieg <sschmieg@google.com> Tue, 14 January 2025 19:20 UTC

Return-Path: <sschmieg@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A2E1C1CAF2D for <tls@ietfa.amsl.com>; Tue, 14 Jan 2025 11:20:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.609
X-Spam-Level:
X-Spam-Status: No, score=-17.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z4xlSv6EB8HZ for <tls@ietfa.amsl.com>; Tue, 14 Jan 2025 11:20:10 -0800 (PST)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3A6FC151066 for <tls@ietf.org>; Tue, 14 Jan 2025 11:20:09 -0800 (PST)
Received: by mail-qt1-x831.google.com with SMTP id d75a77b69052e-467896541e1so334561cf.0 for <tls@ietf.org>; Tue, 14 Jan 2025 11:20:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1736882408; x=1737487208; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=NadCswUlMFhs+96TsKuOP384ahysvY10VbqQcXvDz/c=; b=BiUttYcVzst2WL0+s8QN+DeFBPOpQjCGeyab2GxwB9rbMjOGW+rHQ5R9AT2mkGGEKv vUc52WSmslvPo7TSW+LxxyQz03Lf0wdYUyMfD2U0Z9OpOmSHxcOH8pcB7eNrslWtxHEm G/oxUBgVuiPUlhPQxh0521nzXmbePSFztcFhFAckhYEUcIkYhJkIE4O+hZFM8NQujDEN avnllOrNmzWku6Jrn6+t1PmuFKB2SW8N4wMmF2fLE5jB9hKl0JQf+sMQkzDyoxCEb4tm P5vx1MwXOa6hJIZtyE8HClIDgUQDToguqz4nrAKqTZ1XX7Sg4bXo2wOuw2ppTylEZE4V aEZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736882408; x=1737487208; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=NadCswUlMFhs+96TsKuOP384ahysvY10VbqQcXvDz/c=; b=IxtvVn+e3bfmk2pbuQ7Q/e9WjejTu+XIPbfB3ItgAZ18N8+apCPVzU8njl1jZvidAr fC1Ft7jS8p/06wFRa+9AwY5EK+oo/qStdk7dtymSZGBkWBhbDqF9bI7kSoV4HewOg/LB 7KFSgvcsGSDTnwmvBNcBsE22+eFZ/IQcWpm/J+qDOKNVpERVGrpCQHKXbNWc2ZPz/p/Q GmYDevrY2CRhAO017ur65BDElwlMOrFvpEdrM41XYmj9Ma9nztFnVCRNHbGJBwJ4kAh5 aReedw+88MOFnSI0JotAvAAR5fKb9jjGX+69B4RhUt0+8Pjp7gDuI9f6Ubthke257AJS YmpA==
X-Gm-Message-State: AOJu0YwR9VFybyznv2ckPt09Eg+fcYZ/a+qsKXszxUrdt1ZYBsQdVpvX Bm2/iWr5l55jD/oHfQUhj1XOOZ4FTJylpCmxovjtC0tjrewEJNmACjlQooFJFUL+sqIUa+wu46M XwVp2teykssSum5RqW9rOYhhLa3KeuzHPhIZx9VTuXxdGTOsIAdus
X-Gm-Gg: ASbGncvSh/G8VZsDeSzQfvrDVHzbs0taxW3cTD4TZk1DhwkPV74Ql8xuQAh+8QaAfgW ZKlPvsYl/0J3I0hBAUY0vXbPeIYx02AuLQ3vjjS1L5tMBe+4COs/UZTLCTcZvQJMZfa9Y
X-Google-Smtp-Source: AGHT+IFuVR7bww5+ULGodMJbXapbiHXxHDfNVMaQVmZ6Tn50RfBw1IXjXHdpXS64TJWVRfpy/kkA4KTeKN8HFUebHJU=
X-Received: by 2002:a05:622a:14c6:b0:460:4620:232b with SMTP id d75a77b69052e-46df57d576amr138171cf.28.1736882408231; Tue, 14 Jan 2025 11:20:08 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoCHnXZzzoAFT8GGmByr=7y1j5wM3ptPc4_JBF3FhtVNmQ@mail.gmail.com> <bf28dd19-0534-4403-8e20-50bcbbc0fcdd@app.fastmail.com> <CAL02cgQ9610CzMfcJEPcfpDRemyvAh3-AEH=GZbmV4QdWtQCXA@mail.gmail.com> <CABcZeBNCbm0vUBA0c6i_7DzqwynbUj-SyDHEomHn0WCv4w3ZnQ@mail.gmail.com> <CAL02cgQP24OSjQJuY7Hcx+CXdG_B7LpZD-g2HjV_oJZ0nNrU4w@mail.gmail.com> <LV8PR21MB41582033BDB237242E313C7C8C382@LV8PR21MB4158.namprd21.prod.outlook.com> <CABcZeBPLcVXk_xxRC8A1PsobEr69yL7NON0qWLc-kKGmP=LRJw@mail.gmail.com> <Z4XVhnfh3gTWo0hv@chardros.imrryr.org>
In-Reply-To: <Z4XVhnfh3gTWo0hv@chardros.imrryr.org>
From: Sophie Schmieg <sschmieg@google.com>
Date: Tue, 14 Jan 2025 11:19:57 -0800
X-Gm-Features: AbW1kvajEeshouhqd19Xowh1WAbOcJfPuI6N6lpnxT2zILDx51OS_cYO_pDCWuM
Message-ID: <CAEEbLAbSgqJ+cQmk=fDpk=D4+GxEca43DAekTQNe-DLdF4btmw@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f60992062baf7230"
Message-ID-Hash: OIYVPNUSECXNIEBM2NM2HZKHP4C76RP7
X-Message-ID-Hash: OIYVPNUSECXNIEBM2NM2HZKHP4C76RP7
X-MailFrom: sschmieg@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXTERNAL] Re: Disallowing reuse of ephemeral keys
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dsNX7OaPYibTegm8_vtHqiO0MFU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I strongly prefer 3.

In the ML-KEM spec, the consistency checks on the public keys are marked as
optional, so I think it would be a fair interpretation of FIPS 140-3 that
the required consistency checks consist of the optionally allowed empty set
in the case of ML-KEM.

On Mon, Jan 13, 2025 at 7:11 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Mon, Dec 16, 2024 at 07:02:43AM -0800, Eric Rescorla wrote:
>
> > Thanks. It seems like that would imply that Web clients cannot safely
> > enforce a non-reuse requirement even if we had one.
> >
> > Do you plan to reuse ML-KEM keys as well?  The situation seems to be
> > different because, as Scott observes, it's the client who reaps the
> benefit.
>
> It may be worth noting that FIPS 140-3 requires pairwise consistency
> tests (PCTs) on generated (and imported) KEM keys before first use, with
> no exception carved out for single-use keys.  This factor of 2 or so
> performance hit[1] on single-use keys does create a temptation to amortise
> the cost by reusing the key a number of times (for a short time).
>
> Haven't taken any steps in that direction at this time.
>
> --
>     Viktor.
>
> [1]  Instead of keygen + decap, the single use cost becomes keygen +
>      encap + decap + decap.  Whether this is more or less than a 2x
>      performance hit depends on implementation details.
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>


-- 

Sophie Schmieg | Information Security Engineer | ISE Crypto |
sschmieg@google.com

v2.30.2 | Report a Bug | By Email | System Status