IETF Logo Mail Archive

[TLS] Re: [EXTERNAL] Disallowing reuse of ephemeral keys

Richard Barnes <rlb@ipv.sx> Mon, 16 December 2024 14:11 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 355D5C151075 for <tls@ietfa.amsl.com>; Mon, 16 Dec 2024 06:11:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eXg8gfAoWX3v for <tls@ietfa.amsl.com>; Mon, 16 Dec 2024 06:11:33 -0800 (PST)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 191D1C14F6FF for <tls@ietf.org>; Mon, 16 Dec 2024 06:11:32 -0800 (PST)
Received: by mail-il1-x12c.google.com with SMTP id e9e14a558f8ab-3a78b39034dso11787155ab.3 for <tls@ietf.org>; Mon, 16 Dec 2024 06:11:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1734358292; x=1734963092; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6Fx09+50SOfui0i4PSI7KfVONAtsOEga48XC0bvIslI=; b=XaFCa6kb0EdanjAGX4UvZLVEssrWnfD418TwR9kzTiQ2vAuJ587C3bCgtc9H2bOnX/ njkjjiycRMzvXaHkoVc1njOcncRJ+6NYB3bGTxeXU+9FJSk9O5AHjhJWRdfrRmm5nFqj oS2/iOfgQLBZ8jHnKhryDANrSBskLqCh6T0DjOSwNPjAPMh4td4OZiNUG00GspGeopT0 70heCjiuGBIYrzKMg8ZW3xcdZaqZIQLV44SmJcMTeo/r2GO9SEWxBn09NwmsPAA/ytVN IRDvZ9dDYl20uwTLySYQ6k6TKTzp2iyEnBxvfMgyBexRZc6hWaQNpt2i5KRKyj1pH4nP BK9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734358292; x=1734963092; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6Fx09+50SOfui0i4PSI7KfVONAtsOEga48XC0bvIslI=; b=IeMJu3p3pYsjCcpYTvsKTcc1PEIaTzQkI1e/qAJ9hqvuT9QT6elJr19a0+/QGJd3MA C7226piSEr4V9j6kpdh+1cc39Wscn0d5Xm6jN3Zp1ojknF7eL+VkJmY9XFyyMdhiHqWI 0Hmp8fdjc4/7LopjAuOAAkCr0zeOWK+4pRsUJ/ROiiLxupFBow6lqiBEV4cYE4hfF8Bw I9tN0j5Fol9Kzs37aE3yLUciJ6lWkMIlGR/B2AVOQISKwNVThIN5aOOhxt3Vn9qkzQfN HqiY/1LDeHQCMgPTqxDxBt3QKIXqnDBiRCT+W7ZWH9lqL3zF2Intk4/GzeUXP40tcCnn AL6w==
X-Forwarded-Encrypted: i=1; AJvYcCW43WgMDBpWjtjX+AET7YTQbtPHfJ0z3Yj6uSJu+oIR3O0n2POPhOIqouGHINuTTC3dgrs=@ietf.org
X-Gm-Message-State: AOJu0YyFcXE3r4J+eAuFQYcl5uB0eCsRXHkqz4jlCRyC0EsRFldx7kTw pgqwtmcplmLHAzTbia//U6Y6+ES14mcDF0rAP4i7uco+SvaBlkgzHC+rnzwzrgM7i+oTxWAMTMG 0YwXHZC9dUeQc3O7yJN6J76EWMoiUrEoH0tMgLg==
X-Gm-Gg: ASbGncsb+9UkVLs5H3cL5hv//sCgFzlY8tETStrtYmMZTAHK5p31Tggsr4Jxe9Gzmkq 6B9NzDhYwYhUcZS3cC7+P0QF2sBZo7lKpJMRm7Bc=
X-Google-Smtp-Source: AGHT+IGOmJRveOfELK/xP8cBjtPpybHYZJjSQaREgaEBpBjJJWaHTCeCQJsys+bbCt5S3BA9NgPyn0ANxXM9LQ6ZiLg=
X-Received: by 2002:a92:cda6:0:b0:3ab:a274:d68 with SMTP id e9e14a558f8ab-3aff50b359fmr133940495ab.8.1734358292068; Mon, 16 Dec 2024 06:11:32 -0800 (PST)
MIME-Version: 1.0
References: <LV8PR21MB4158CEABE28A5068931F32788C3F2@LV8PR21MB4158.namprd21.prod.outlook.com> <F215DE9E-D11B-47BC-A3AB-14CA38481ADF@huitema.net> <50935d5a-3072-4db5-ab38-244b2d97cfeb@redhat.com> <CH0PR11MB5444194BDB61738FA5219E2EC13B2@CH0PR11MB5444.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5444194BDB61738FA5219E2EC13B2@CH0PR11MB5444.namprd11.prod.outlook.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 16 Dec 2024 09:11:21 -0500
Message-ID: <CAL02cgSJ29p57tAvgnOiisZbaCGL-e8ng8mq0XfcMqy5VPOSEg@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e995fb062963c12a"
Message-ID-Hash: 6D5SRHC3JDRLGLYWAOWEYMT2EQNEIHZE
X-Message-ID-Hash: 6D5SRHC3JDRLGLYWAOWEYMT2EQNEIHZE
X-MailFrom: rlb@ipv.sx
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>, IETF TLS <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXTERNAL] Disallowing reuse of ephemeral keys
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/excN48IsTr18_xWaCqclham5Gtk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

You’re technically correct, but if you look at how TLS stacks work in
practice, the amount of state they keep across connections is tiny,
basically just what is needed to support resumption, if that. So tracking
which public keys have been seen would be a big lift.

On the other hand, if a couple of widespread clients started enforcing
uniqueness, it could be enough to make the ecosystem inimical to reuse.

On the third hand, enforcing means failing connections that would otherwise
work, so you would need a substantial security benefit to get a critical
mass to enforce.  Which I’m not sure is there.

—Richard



On Mon, Dec 16, 2024 at 09:03 Scott Fluhrer (sfluhrer) <sfluhrer=
40cisco.com@dmarc.ietf.org> wrote:

> Might I remind people the ML-KEM public key reuse is detectable?
>
> The ML-KEM public key is in the client hello, which is either in the
> clear, or (in the case of ECH) is readable by the server.  Hence, if the
> same ML-KEM is reused, then (in the worse case) the server can detect that.
>
> And, if it is externally visible, I believe that the TLS WG can forbid
> it.  Whether it should or not is what we are debating, but I believe the
> debate can't be closed on that basis.
>
> Has anyone considered the open questions I gave a few days ago?
>
> > -----Original Message-----
> > From: Alicja Kario <hkario@redhat.com>
> > Sent: Monday, December 16, 2024 8:42 AM
> > To: Christian Huitema <huitema@huitema.net>
> > Cc: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>; IETF TLS
> > <tls@ietf.org>
> > Subject: [TLS] Re: [EXTERNAL] Disallowing reuse of ephemeral keys
> >
> > No, the specification definitely can, and should, specify behaviours
> that are
> > unenforcable.
> >
> > When there are preferred or recommended ways of doing something, we
> > should absolutely put that in writing.
> >
> > On Thursday, 12 December 2024 21:07:03 CET, Christian Huitema wrote:
> > > I like keeping as they are. Disallowing only makes sense if that
> > > prohibition can be enforced, and one of the peer refuses the
> > > connection if it detects key reuse. Would we want to do that? And,
> > > even if we wanted to accept the cost of refusing connections, could
> > > individual nodes actually detect reuse by a peer?
> > >
> > > -- Christian Huitema
> > >
> > > On Dec 12, 2024, at 10:11 AM, Andrei Popov
> > > <Andrei.Popov=40microsoft.com@dmarc.ietf.org> wrote:
> > >
> > >
> > > +1 in favor of option1.
> > >
> > > Cheers,
> > >
> > > Andrei
> > >
> > > From: Russ Housley <housley@vigilsec.com>
> > > Sent: Thursday, December 12, 2024 9:43 AM
> > > To: Joe Salowey <joe@salowey.net>
> > > Cc: IETF TLS <tls@ietf.org>
> > > Subject: [EXTERNAL] [TLS] Re: Disallowing reuse of ephemeral keys
> > >
> > > I prefer option 1.
> > >
> > > Russ
> > >
> > >
> > > On Dec 12, 2024, at 12:35 PM, Joseph Salowey <joe@salowey.net> wrote:
> > >
> > > Currently RFC 8446 (and RFC8446bis) do not forbid the reuse of
> > > ephemeral keys.  This was the consensus of the working group during
> > > the development of TLS 1.3.  There has been more recent discussion on
> > > the list to forbid reuse for ML-KEM/hybrid key exchange.  There are
> > > several possible options here:
> > >
> > > Keep things as they are (ie. say nothing, as was done in previous TLS
> > > versions, to forbid the reuse of ephemeral keys) - this is the default
> > > action if there is no consensus Disallow reuse for specific
> > > ciphersuites.  It doesn’t appear that there is any real difference in
> > > this matter between MLKEM/hybrids and ECDH here except that there are
> > > many more ECDH implementations (some of which may reuse a keyshare)
> > > Update 8446 to disallow reuse of ephemeral keyshares in general.  This
> > > could be done by revising RFC 8446bis or with a separate document that
> > > updates RFC 8446/bis
> > >
> > > We would like to know if there are folks who think the reuse of
> > > keyshares is important for HTTP or non-HTTP use cases.
> > >
> > >
> > > Thanks,
> > >
> > >
> > > Joe, Deirdre and Sean
> > >
> >
> > --
> > Regards,
> > Alicja (nee Hubert) Kario
> > Principal Quality Engineer, RHEL Crypto team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
> >
> > _______________________________________________
> > TLS mailing list -- tls@ietf.org
> > To unsubscribe send an email to tls-leave@ietf.org
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.30.2 | Report a Bug | By Email | System Status