[TLS] Re: [TLS]Working Group Last Call for "Hybrid key exchange in TLS 1.3"

Eric Rescorla <ekr@rtfm.com> Sun, 01 September 2024 22:07 UTC

References: <CAFR824wCMcyF1szc76P+4i8LKv2-d1ciHWRMFFmZ8hpi=1PHtA@mail.gmail.com> <ffb33944-00e8-46e2-93d5-e5dd14d457af@cs.tcd.ie> <6F7D3FC5-1875-4C7B-AEB8-5FBFAAA6B41C@gmail.com>
In-Reply-To: <6F7D3FC5-1875-4C7B-AEB8-5FBFAAA6B41C@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 01 Sep 2024 15:07:06 -0700
Message-ID: <CABcZeBNzPqcXRtW67PgsdRcBE9OR5cvxhLG434rPU60Gx1B0Ng@mail.gmail.com>
To: Douglas Stebila <dstebila@gmail.com>
CC: "TLS@ietf.org" <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pvalg3La32eS0FOGTURVGi9Ap6k>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

It's not specified one way or the other in ECH but HPKE S 4.1 strongly
suggests you should not be reusing these values:

Namely:
   def Encap(pkR):
     skE, pkE = GenerateKeyPair()

And skE means you are generating a key of type E:
   Ephemeral (E):  Role of a fresh random value meant for one-time use.

-Ekr


On Sun, Sep 1, 2024 at 2:04 PM Douglas Stebila <dstebila@gmail.com> wrote:

> > On Sep 1, 2024, at 10:47 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> >
> > Section 3.2 says there are two allowed ways to handle the same
> > component algs being used in multiple key shares. However,
> > doesn't ECH mean that additional possibilities exist? What
> > should a client do in terms of re-use when using ECH?
>
> That's a good question.  I'm not very familiar with subtleties around
> ECH.  Is there any re-use allowed between ECH and the main handshake?
>
> Douglas
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
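An added illustration of the Encap pseudocode Ekr quotes (this is not code from the thread or from RFC 9180 itself): DHKEM(X25519, HKDF-SHA256) Encap/Decap in Python, with the X25519 ladder written out in plain Python so it runs with no extra packages. The function names are mine; the labels and suite id follow RFC 9180 S4.1, and every Encap call draws a fresh skE from the OS RNG, which is what the "E" role requires.

```python
# Added example (not from the thread or RFC 9180): DHKEM(X25519, HKDF-SHA256) Encap/Decap
# per the RFC 9180 S4.1 pseudocode, showing that each Encap draws a fresh skE. X25519 is a
# plain-Python RFC 7748 ladder: NOT constant-time, illustration only.
import hashlib, hmac, secrets
P = 2**255 - 19
SUITE_ID = b"KEM" + (0x0020).to_bytes(2, "big")   # KEM id 0x0020 = DHKEM(X25519, HKDF-SHA256)

def x25519(k: bytes, u: bytes) -> bytes:
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64   # clamp the scalar
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)           # mask top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):                                    # Montgomery ladder
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def generate_key_pair() -> tuple:
    sk = secrets.token_bytes(32)                      # fresh randomness on every call
    return sk, x25519(sk, (9).to_bytes(32, "little"))

def hkdf_expand(prk: bytes, info: bytes, n: int) -> bytes:
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:n]

def extract_and_expand(dh: bytes, kem_context: bytes) -> bytes:   # RFC 9180 S4.1
    eae_prk = hmac.new(b"", b"HPKE-v1" + SUITE_ID + b"eae_prk" + dh, hashlib.sha256).digest()
    info = (32).to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + b"shared_secret" + kem_context
    return hkdf_expand(eae_prk, info, 32)

def encap(pk_r: bytes) -> tuple:
    sk_e, pk_e = generate_key_pair()          # role E: one-time use, dropped after this call
    return extract_and_expand(x25519(sk_e, pk_r), pk_e + pk_r), pk_e   # (shared_secret, enc)

def decap(enc: bytes, sk_r: bytes, pk_r: bytes) -> bytes:
    return extract_and_expand(x25519(sk_r, enc), enc + pk_r)
```

Two Encap calls against the same recipient key yield different enc values and different shared secrets, so an ECH encapsulation key cannot double as a TLS key_share without breaking the one-time-use assumption.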