You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I think it would be good to have some additional clarifications and considerations regarding forward secrecy. TLS 1.3 (RFC 8446) uses the term "forward secrecy" for both the asymmetric (EC)DHE and the symmetric KeyUpdate. EAP-TLS 1.3 proudly states that is always gives forward secrecy but EAP-TLS 1.3 differs from TLS 1.3 as EAP-TLS 1.3 uses (EC)DHE but does not use KeyUpdate. To get similar protection as offered by TLS KeyUpdate, the application using the MSK or EMSK would need to implement something similar to KeyUpdate. KeyUpdate types of mechanisms limits the effects of key leakage in one direction but an attacker can still do so called static key exfiltration [RFC 7624]. To mitigate static key exfiltration, the application would need to regularly rerun EAP-TLS 1.3, this forces attackers to dynamic key exfiltration [RFC 7624].
The text was updated successfully, but these errors were encountered:
@ms-s @jsalowey @kaduk
https://mailarchive.ietf.org/arch/msg/saag/6ImeENhteXGdLsnaJHRoN6LW1zk/
I think it would be good to have some additional clarifications and considerations regarding forward secrecy. TLS 1.3 (RFC 8446) uses the term "forward secrecy" for both the asymmetric (EC)DHE and the symmetric KeyUpdate. EAP-TLS 1.3 proudly states that is always gives forward secrecy but EAP-TLS 1.3 differs from TLS 1.3 as EAP-TLS 1.3 uses (EC)DHE but does not use KeyUpdate. To get similar protection as offered by TLS KeyUpdate, the application using the MSK or EMSK would need to implement something similar to KeyUpdate. KeyUpdate types of mechanisms limits the effects of key leakage in one direction but an attacker can still do so called static key exfiltration [RFC 7624]. To mitigate static key exfiltration, the application would need to regularly rerun EAP-TLS 1.3, this forces attackers to dynamic key exfiltration [RFC 7624].
The text was updated successfully, but these errors were encountered: