[TLS] Re: [EXTERNAL] Re: Disallowing reuse of ephemeral keys
John Mattsson <john.mattsson@ericsson.com> Sat, 08 March 2025 11:11 UTC
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rBbld01LhQ1EHa4FxCv8FbmYlDg>
Hi,

I missed this thread, but Ericsson put a lot of effort into this topic in our recent comments to NIST, which might be of interest to people in the TLS WG:

https://emanjon.github.io/NIST-comments/2025%20-%20SP%20800-227.pdf
https://csrc.nist.gov/csrc/media/Events/2025/workshop-on-guidance-for-kems/documents/papers/ml-kem-is-great-paper.pdf
https://csrc.nist.gov/csrc/media/Presentations/2025/ml-kem-is-great/images-media/ml-kem-is-great.pdf

* Reuse of (EC)DHE key shares _very_ clearly violates NIST requirements. I hope no implementation claiming compliance with NIST is reusing (EC)DHE key shares, and I hope NIST checks this.

* Reuse of key shares also goes against zero trust principles. Implementation bugs that allow attackers to recover ECDHE private keys have been common and should be expected. Reuse of "ephemeral" keys transforms such bugs from relatively benign to very serious vulnerabilities. Many governments are pushing very hard for zero trust.

Cheers,
John

From: Sophie Schmieg <sschmieg@google.com>
Date: Tuesday, 14 January 2025 at 20:19
To: tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: [EXTERNAL] Re: Disallowing reuse of ephemeral keys

I strongly prefer 3. In the ML-KEM spec, the consistency checks on the public keys are marked as optional, so I think it would be a fair interpretation of FIPS 140-3 that the required consistency checks consist of the optionally allowed empty set in the case of ML-KEM.

On Mon, Jan 13, 2025 at 7:11 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

On Mon, Dec 16, 2024 at 07:02:43AM -0800, Eric Rescorla wrote:

> Thanks. It seems like that would imply that Web clients cannot safely
> enforce a non-reuse requirement even if we had one.
>
> Do you plan to reuse ML-KEM keys as well? The situation seems to be
> different because, as Scott observes, it's the client who reaps the benefit.

It may be worth noting that FIPS 140-3 requires pairwise consistency tests (PCTs) on generated (and imported) KEM keys before first use, with no exception carved out for single-use keys. This factor of 2 or so performance hit[1] on single-use keys does create a temptation to amortise the cost by reusing the key a number of times (for a short time).

Haven't taken any steps in that direction at this time.

--
Viktor.

[1] Instead of keygen + decap, the single use cost becomes keygen + encap + decap + decap. Whether this is more or less than a 2x performance hit depends on implementation details.

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-leave@ietf.org

--
Sophie Schmieg | Information Security Engineer | ISE Crypto | sschmieg@google.com
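The thread's central point is that a server which hands out the same (EC)DHE key share across handshakes is not using ephemeral keys at all, and John's message asks that this be checked rather than assumed. The following is an added example, not code from any participant in the thread: a small audit that parses captured TLS 1.3 ServerHello messages, extracts the server's key_share entry, and reports any (group, key_exchange) value seen more than once. The ServerHello messages are constructed inline by a hypothetical `build_server_hello` helper (the extension and group code points are the RFC 8446 values; the key share bytes are filler, not real X25519 points), so the script runs offline against known input.

```python
"""Audit captured TLS 1.3 ServerHello messages for reused server key shares.

Added illustration, not code from the TLS WG thread or any participant.
The ServerHello messages used here are constructed by build_server_hello
(test input only); the key_exchange bytes are filler, not real X25519 points.
"""
import struct
from collections import defaultdict

HANDSHAKE_SERVER_HELLO = 0x02   # HandshakeType server_hello (RFC 8446)
KEY_SHARE = 0x0033              # ExtensionType key_share
SUPPORTED_VERSIONS = 0x002B     # ExtensionType supported_versions
X25519 = 0x001D                 # NamedGroup x25519


def build_server_hello(group: int, key_exchange: bytes) -> bytes:
    """Construct a minimal TLS 1.3 ServerHello handshake message (constructed test input)."""
    key_share_ext = struct.pack("!HH", group, len(key_exchange)) + key_exchange
    versions_ext = struct.pack("!H", 0x0304)  # selected_version = TLS 1.3
    exts = (struct.pack("!HH", KEY_SHARE, len(key_share_ext)) + key_share_ext
            + struct.pack("!HH", SUPPORTED_VERSIONS, len(versions_ext)) + versions_ext)
    body = (b"\x03\x03"                 # legacy_version
            + bytes(32)                 # random (zeroed filler for the example)
            + b"\x00"                   # legacy_session_id_echo (empty)
            + b"\x13\x01"               # cipher_suite TLS_AES_128_GCM_SHA256
            + b"\x00"                   # legacy_compression_method
            + struct.pack("!H", len(exts)) + exts)
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_server_key_share(msg: bytes) -> tuple:
    """Return (named_group, key_exchange) from a ServerHello handshake message.

    Walks the fixed fields and the extension list. Malformed or truncated input
    raises ValueError so that bad data is never silently counted as "no reuse".
    """
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    pos = 2 + 32                          # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                    # skip legacy_session_id_echo
    pos += 2 + 1                          # skip cipher_suite and compression method
    (ext_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extension list length does not match body")
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + ext_data_len]
        pos += ext_data_len
        if len(data) != ext_data_len:
            raise ValueError("truncated extension")
        if ext_type == KEY_SHARE:
            group, ke_len = struct.unpack_from("!HH", data, 0)
            key_exchange = data[4:4 + ke_len]
            if len(key_exchange) != ke_len:
                raise ValueError("truncated key_share entry")
            return group, bytes(key_exchange)
    raise ValueError("ServerHello carries no key_share extension")


def find_reused_key_shares(hellos) -> dict:
    """Map each (group, key_exchange) seen more than once to its occurrence count.

    An empty result means every captured handshake carried a fresh server key
    share; any entry identifies a share the server did not treat as ephemeral.
    """
    seen = defaultdict(int)
    for msg in hellos:
        seen[parse_server_key_share(msg)] += 1
    return {share: count for share, count in seen.items() if count > 1}


if __name__ == "__main__":
    # Constructed sample: three handshakes with distinct shares, two with the same share.
    fresh = [build_server_hello(X25519, bytes([i]) * 32) for i in range(1, 4)]
    stale = [build_server_hello(X25519, b"\x11" * 32) for _ in range(2)]
    print("fresh only:", find_reused_key_shares(fresh))
    print("with reuse:", find_reused_key_shares(fresh + stale))
```

In practice the input would be the ServerHello bytes pulled from a packet capture of repeated connections to a server under audit; a non-empty result is the evidence John's message asks for, while the ValueError path keeps a mis-parsed capture from being reported as a clean one.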