Re: [TLS] Feedback on draft-tschofenig-tls-extended-key-update-01
John Mattsson <john.mattsson@ericsson.com> Mon, 18 March 2024 18:46 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF1B2C1D5C4A for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 11:46:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.008
X-Spam-Level:
X-Spam-Status: No, score=-2.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1hthqG9UTtQs for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 11:46:55 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on2098.outbound.protection.outlook.com [40.107.8.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 897CBC1519B8 for <tls@ietf.org>; Mon, 18 Mar 2024 11:46:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iuLYOx65kv1EOiYMDgzAa9MAXl++xFfMbqre0n4f7JymgVh6eAXOe5/yHyBrX1nerJ+lU0b25y2PrR/WconvkvKFsG1Sgjx1XZsWYOhP1huU/26crGKCkdWb8xxgECrDbGefbe8YQ5m9QSx9a9Weatvz0+BJXwm54YgEAGSfxmHzxn4qFR17mJRj0Y5gohzBxhDAAs1l2FyVQWgQhl5hKZAcW+Kv0CNtgK+PkH7wA1XgxHCSarjJmWoKoJcH9mjT4pYflNjwIOtQLVfU8gxCtYV2b8XGG0OtW4KN0YogdPT2WeYOV/IreYTVacInc4TTr/2HAiAjKExyaad7nRo+2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XRCz8VQMFM1mTMy5vueU54BeTGjd5jW9T7W8lAa+Q48=; b=SraseScNfVwISuGt0Y4hHCAznFTGDJAORTkjVfNNwKrEGgP29va0y0g81qlKk6cEUELgjGIN7cNZBvJH0Tg6GYFqe4TAZQmmR/QQ3vb1FAuiwnDSUnNxJ32MYQbaWOpdvlBBsOaWgj/jwfj3E2WTFI9a7CxXm7orT5Oe73o7wdytlXouEq0CFt0jl2cplWlCVMZ7293zC3NBoVIuQ93X2nfos3RENtbcoWHkaRuxtH5vf7Azv5uuiYt1lkZ039r3gR4WZfD1VJ4gj+IccpuX1BnJrzo6lSIMb2ZiepvcIrrTYMVaK6lqyCSJtPaMxPvQdfXBhjeV1hveGKpa/G0nQg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XRCz8VQMFM1mTMy5vueU54BeTGjd5jW9T7W8lAa+Q48=; b=enQDOTo9Fy8g3hXAA1GkxxrF7oPoRty7f9palJ+RMm6cfoSii5YB4MkhTFG3djD6ZIibf+qmtUqKIuQ0H5md8nhMYEclO6Rk/yDA+isGKz5Q1cbGhJnyAa3+66VB+BFI5Acb8T3r4OP4rU6opAt55dO/07PDHWp/hRFVutenu9yt+j42a6B6AR8IsI+ngxPagmf483wvoIjmIl48RwJe8sz3zVy26RAc2ESeK5sdMeWRPFtVBAuyayhhHisRwz567wn/UdwM6TnK4TpufVpFyAWTPm8pE8TBHl8Tads5yQQ4PJ9MEyeBLH0qcx8GTRuBSySWYcUmrRyrCVaazvkfmQ==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by PA4PR07MB7086.eurprd07.prod.outlook.com (2603:10a6:102:fb::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7386.26; Mon, 18 Mar 2024 18:46:51 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::b0d0:9785:585a:9568]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::b0d0:9785:585a:9568%4]) with mapi id 15.20.7386.025; Mon, 18 Mar 2024 18:46:51 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>, TLS List <tls@ietf.org>
Thread-Topic: [TLS] Feedback on draft-tschofenig-tls-extended-key-update-01
Thread-Index: AQHaeVKqOz6qiLW00UKokM8Zy9WBA7E91E9D
Date: Mon, 18 Mar 2024 18:46:51 +0000
Message-ID: <GVXPR07MB9678312222CA59A62DE1BBE5892D2@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <309fed03-fd3b-4ebc-ac92-054c2d195aff@dennis-jackson.uk>
In-Reply-To: <309fed03-fd3b-4ebc-ac92-054c2d195aff@dennis-jackson.uk>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|PA4PR07MB7086:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3s53m2L71BEqZyiza2u+dQdqs0usy1w3iSx3lfzzNPOmeNsuScMBYWvWab+USeyTIxb0EqNJBsCFZ6UB5cPLxUrke1fGJOnaKEWPswLxsE3Do3ldRwS7e79qmPT98bxN2jAqlw1odWNw05Hld46yZ+kdxRyouz8EWtK0k5cGzi0iDuRkC4kgwOC0AfvX7MU1a5UiMNxcDQ0WfUzNB11HLjsaTz2/9uDSQMy11LDjp117ggFQec8kRsoY35g6b4oD/6cNpccQnV0KRL1C2oVojMYmj9E4CvRhFEiyy6hv4jb74u2jP/HquHG3BtpkXD0Tep86NQWNjzgtBrv+Q1mIq87xg68lgwCxJbeWLMJUwKFw1dbfuT3AHn7B5eVQQ9mv9snHaCfA+t1QL1Y/KZpIqGzdcNvzu2qz2z/Y1NHAwkwnhWfRWyh5iDfLS2Lc3QZX/D72uwif/ItBma3jM2aIUcMXYJGx3kXsRaGygGpxufwSuSnk/HB3PsymW9ZfC//YuBpT00DF+z4vSdrqVSzFNPtV6EIZ4hsIPUbkZ6Ya2R3ZHwuMPsICopFvWxxJuE0lKROJIIxDdfxjGpVUkwqoobloV51PbhkkqlX+FollcJY=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(1800799015)(366007)(376005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: jfBlIHrXATx6GtHLD+73Gczi2TGAfC43VuYVKJKHxgmfsuj13FvAUtW/S91+4BvXZcCaoGvXaZCUXfdACX4zcb66ogemxyYSfw0/O8dosOMXTB4/kiDhrf28lOn9il9qdBuITjlhjeFHBYvQ/z+f7bAl7cc61A/87yu/rhxWBzyYzXS7uq1e2ZANafdAG3x787DfmOekAryTvfZkJtKBJ7OiXaboZFAeBRJe62r0FDscF88DG8yPSkaUMKRdrCDk8yfdLxDaAV8SLiHPrr+8V7GQMu4hTNQy3M+GORUzRjCA4BUy5Eg8ALsIPJ3BKz7Dvy7mkp3fJU1Emf5JzycI3G6TRLNhzQdg1zlpox1yJmWWwXWQi3/P1ryyRSpWW6efSk8Hm6x+P6NxhhYxX87v4pQQjbfbYy0MvatJsNfSWtsRZQo7q8gRnQQiCQSv9A6EfOBxRWiTzOTsZf3sFAqY4zmWAXumk3fk3/2jEoATEPiXs5QwLHiMxwWuIGjuIKR4qsZXxWY4NOoly1jDOLv2T6iWxDWy5k1HswpZ1oPsGTYVBuypzbguWO87CxNcm7dC5hrp/Al++BJn/XrgJOUbyarqZvWY644J5b8Y2vq6RRxq3ZI0D4iqgR1YLWYQWN2nigXvEW7E/XEOADrlV2hGLT80nO4twGxLOgS2deN6sZKIi+AInTs2J8Jh2dbXvO7CMZGPuKR/RapCw6bTwz72VaiDpoCqQHy+sQvRt1Za8BlTmGN0sqmOdthkz6E8ZDvW0LcGPqQi72+iz8P4g4+n19E65vX491khmSrlrQGe8dLyM2KxTr7pi+S9NYl2AAj8AjCvpAm3c5MhLSxc79aesgdD84GJDfKaV8ncJbpIwbXx6+8ZRu/7G5Yo+z9fh6y9JpDTUVLiXYEcxvqtbSOXRdd/y+Tr63mOAKF0eV8PzrbtxBHpo1fbjKDuxDOsxZox4UponNoB3kVA6VYkcHx57TKedtGHGmPL2cwHqZXzGPs0bwNgZPRcE1fwHOD3o6lqTW/+LrratTZtTVyp7LnTnqOwvyWPPz2p2h9BX6VfrbH01rxL0ON3B9/i02+syyRAo1KP8WhtRQfsL39b03Fz1JOrLMirvUGsC9vcArj2zEppuuKMa9s19HZUEO08tE+d+Y/JiSs0Cfwa8vctzkzGlXElMdBRAH3kR+YnUnMPC2g0jbzUDK4d32rutGWf4woqcj4ltvYRdzpb51C5YOfamp9eX+aZ3SQOAGDdlRnQg+UNQjBiBR/cC589x2QnCkHk+GB28qP4dU4yXlXKYP1PBNN9Bsh38rbqUxta0AgkJOoUDlpKaQHXUB3VdTm3QOkLTwYDR2HYc5RADpSF+pJuPfyjTrMLF0fyRiPOj72UHjOP0r5VtCpq2ejq02mH3+5Em51RkE4nXjNtvMFGxjoLk8g2nGE4q0HzLKrISZd2uuG/UOjp6GNRLG4gaPBJFZWgEhm1LPGfS6hyz0T+Kjo64OJLvjKA9gwh8Mt2t4ZxAGEjB6zMjz/8aGTmbSGFmFuFJwo4tKSa3LwyWnqZGu72kkDnWNTUJtBoHalAtEof7hSxyArHHAzUu+jJ+kGsgNgUMHVpxBanU72Fv8q5kgjicX8IjSoG8/3TUg/QGesq+zM=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB9678312222CA59A62DE1BBE5892D2GVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 65542664-3ef4-48a1-b892-08dc477bc63c
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2024 18:46:51.2070 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ohF4fyFvfmTC+6unHHCNaBxlrTPePXRu+aGAYY6PpemjL8OBMye9IfIl/7GsgCSZ7eT2J/AkNHOwLZSXa4AdVNgbrb56/aQOesb4z+CIH0M=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR07MB7086
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ldK0buecnrmR83Dm6PDHe_-1NUI>
Subject: Re: [TLS] Feedback on draft-tschofenig-tls-extended-key-update-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 18:46:59 -0000
Hi,
I thought the old version was a quite good starting point. This new version seems significantly worse. I think it has three major problems:
1. It uses the application layer and therefore requires changes in the application layer. For many uses of TLS, it is not acceptable to change the application layer. I also don't think it makes sense to do the TLS key exchange on the application layer. As Dennis Jacksson writes: " This seems rather complex and likely to go wrong. The original version of this draft where the key exchange was carried in the extended key update message seems much simpler to implement and easier to analyse". I would add that I would not want my keys to leave the TLS library. Authentication on the application layer makes sense for web applications using HTTP/2 and QUIC where the endpoints might need to correlate the certificate request with the application-level event that triggered it. For infrastructure use of TLS/DTLS/QUIC I think reauthentication on the transport layer is a must.
2. As pointed out by Dennis Jacksson, it uses static-ephemeral key exchange instead of ephemeral-ephemeral key exchange, which does not at all give the same security properties. I think all requests have been for ephemeral-ephemeral key exchange.
3. I don't see the need for HPKE. All discussions, specifications, and deployments of PQC KEMs in TLS 1.3 and DTLS 1.3 uses the ordinary "KeyShareEntry". Replacing the existing key exchange mechanism in TLS with the public key encryption mechanism HPKE. This seems to add a lot of code to an TLS implementation already doing quantum-resistant key exchange in the initial handshake.
I think a solution to do post-handshake ephemeral-ephemeral key exchange as well as mutual post-handshake authentication on the TLS/DTLS/QUIC layer would be very welcome. I think ephemeral-ephemeral key exchange as well as not using the application layer should be requirements.
I think frequent rekeying with ephemeral-ephemeral key exchange is a must for long-lived interfaces. This has for a long time been an established requirement. Typical requirements are 1 hour of 100 GB in IPsec and 1 hour or 1 GB in SSH. Note that there is no problem with TLS 1.3 when you can frequently setup new connection with psk_dhe_ke. Discussing with Eric Rescorla and Martin Thomson in the past, they suggested that this was the way forward. It would be interesting to hear if there are more use cases than RFC 6083 where frequently setting up a new connection with psk_dhe_ke is problematic. I expect there is.
Long-term, I think QUIC is much more important than TLS and DTLS. The telecom sector work in 10-year generation (4G, 5G, 6G). In 6G, expected to be standardized in 2029, I expect most use of TCP, SCTP, TLS, and DTLS to be replaced by QUIC.
The citation (R13) from ANSSI only talks about rekeying. Equally important is R12 which says that
"If available, one shall activate the PFS property in IKEv2 second phase" (a.k.a “quick mode”) using a Diffie-Hellman key exchange or its elliptic curve variant."
Cheers,
John Preuß Mattsson
From: TLS <tls-bounces@ietf.org> on behalf of Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>
Date: Tuesday, 19 March 2024 at 02:38
To: TLS List <tls@ietf.org>
Subject: [TLS] Feedback on draft-tschofenig-tls-extended-key-update-01
A new version of this draft was published a few weeks ago with an
entirely new design. Unless I missed it, the new version hasn't yet been
discussed on the TLS list and I was unaware of the changes until I came
to prepare for the meeting. I have quite a few concerns - I'm sorry to
bring them up so close to the meeting.
Firstly, the draft as specified does not achieve the claimed security goal:
> Security Considerations:
>
> To perform public key encryption the sender needs to have access to
> the public key of the recipient. This document makes the assumption
> that the public key in the exchanged end-entity certificate can be
> used with the HPKE KEM. The use of HPKE, and the recipients long-term
> public key, in the ephemeral-static Diffie-Hellman exchange provides
> perfect forward secrecy of the ongoing connection and demonstrates
> possession of the long-term secret key.
An ephemeral-static Diffie-Hellman exchange does not provide forward
secrecy. If the attacker can compromise the endpoint with the static
public key, they can decrypt all previously transmitted ciphertexts to
this peer and so recover all past keys, violating forward secrecy. This
wasn't an issue in the old draft where ephemeral-ephemeral DH exchanges
were used.
Secondly, I think there is some confusion about what forward secrecy is.
Forward secrecy means that compromise in the future will not enable the
decryption of past messages. The existing KeyUpdate mechanism in TLS1.3
achieves forward secrecy by ratcheting forwards the used keys and
throwing away the old ones. So no changes are required to TLS1.3 to
enjoy forward secrecy in long-lived connections, just do the existing
key update and be sure to throw away the old keys correctly.
> Introduction:
>
> If a traffic secret (referred as application_traffic_secret_N) has
> been compromised, an attacker can passively eavesdrop on all future
> data sent on the connection, including data encrypted with
> application_traffic_secret_N+1, application_traffic_secret_N+2, etc.
This is not forward secrecy but post-compromise security (PCS) [1]
(sometimes called Backwards Secrecy as it is the complement of Forward
Secrecy). As the draft identifies, a fresh key exchange is needed to
ensure PCS. However, as mentioned earlier in the PFS case, this key
exchange needs to be with freshly generated ephemeral keys. It does no
good to use an existing static key since the attacker might have already
compromised it.
Finally, I'm really not sure about the decision to mix the TLS and
Application layers by having the application carry the HPKE ciphertexts.
This seems rather complex and likely to go wrong. The original version
of this draft where the key exchange was carried in the extended key
update message seems much simpler to implement and easier to analyse.
If the authors do want to go with some kind of application specific key
exchange, I would suggest rethinking this draft as purely a way to bring
entropy into the TLS1.3 key exchange, a TLS1.3 Key Importer if you will.
This would work by having the application to signal to the TLS1.3 layer
that a key was ready to be imported (with a particular key-id and key
material). The TLS library would communicate this to the peer with a
message similar to the one currently defined in the draft carrying the
key-id. The new key material would be mixed to the current secret in
when the peer confirmed it had also been passed the key id and material
by its application. The details about some kind of application layer key
exchange would then need to go in a different document and use
ephemeral-ephemeral exchange as highlighted.
Given the complexities around the use of middleboxes which may not be
available to the peers, it might be necessary to use an exported
authenticator so the applications could confirm they were sharing a
single TLS connection and not two duct-taped together (which would be
unable to successfully import new keys). This seems like a like of
complexity compared to the initial draft.
Best,
Dennis
[1] https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Feprint.iacr.org%2F2016%2F221.pdf&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7Cd34fe02fd206413710bb08dc4769c3e5%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638463766908929331%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=wYsW%2FmGtBpzGYOi5InysvjXrnBDzoVgw%2Fxol5iGsXxI%3D&reserved=0<https://eprint.iacr.org/2016/221.pdf>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7Cd34fe02fd206413710bb08dc4769c3e5%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638463766908936322%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Kp2B%2BSDnRYjO2bNFM0fLUL4o4NOazx0PaCYCMCKasY0%3D&reserved=0<https://www.ietf.org/mailman/listinfo/tls>
- [TLS] Feedback on draft-tschofenig-tls-extended-k… Dennis Jackson
- Re: [TLS] Feedback on draft-tschofenig-tls-extend… John Mattsson
- Re: [TLS] Feedback on draft-tschofenig-tls-extend… Ilari Liusvaara