Dear All,

Our development team has identified a potential security issue related to TLS 1.3 and its OpenSSL implementation.

In short, TLS 1.3 uses 0-RTT to improve performance. To achieve this, it derives a key from the pre-shared key (PSK or master key), called the early secret (in OpenSSL). This early secret is derived in a very simple way and is used for encrypting and authenticating the first communications. The main concern is that this early secret is neither randomized nor changed after system startup. For subsequent session keys, a static value is also used as input to the session key generation function, along with a few random values. As a result, the session key may not be sufficiently random.

Questions to the community:

- Is this an OpenSSL implementation issue, or a protocol-level security problem?
- Were there any tests conducted for the protocol before its release?
- Is this issue already known?

Security risks:

The early secret must be accessible to the TLS library for fast communication. If there is a bug in the system or the early secret is not well protected in memory (it cannot be stored in an HSM or trusted environment because it needs to be readily available to the TLS library), an attacker could reproduce or decrypt communication in case of vulnerabilities in one of the communicating systems. Even if the TLS library uses isolated memory space, any bug in OpenSSL could expose the secret. Since the early secret lacks sufficient randomness, it seems necessary to change the PSK to prevent attackers from establishing secure communication. Generally speaking, the role of the PSK is weak here: even if it is well protected, as long as the early secret is poorly protected, knowing the early secret compromises the entire system.

I plan to report this issue to the OpenSSL community as well.

Smile,
Hosnieh (Sara)
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
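To make the derivation the post refers to concrete, here is an added example (editor's code, not the poster's and not OpenSSL's) that implements the TLS 1.3 key schedule of RFC 8446 section 7.1 on top of HKDF (RFC 5869) over SHA-256, using only the Python standard library. It walks from the PSK through the Early Secret, binder key and 0-RTT traffic secret to the Handshake Secret and handshake traffic secrets, then runs the schedule twice under one PSK with different ClientHello, ServerHello and (EC)DHE inputs so the reader can see which secrets are a function of the PSK alone and which also bind per-connection values. The ClientHello/ServerHello byte strings and the sample PSK and shared secrets are constructed placeholders, not real handshake encodings; the two hex constants checked in the test are the no-PSK Early Secret and the "derived" secret from the RFC 8448 traces.

```python
"""TLS 1.3 key schedule (RFC 8446 section 7.1) over SHA-256, built from HKDF (RFC 5869).

Editor's example; not code from the poster or from OpenSSL. The message bytes used
below are constructed placeholders, not real ClientHello/ServerHello encodings.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM). The top of the schedule uses a zero-filled salt."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated and truncated to length."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: info is HkdfLabel {uint16 length; opaque "tls13 "+label; opaque context}."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, messages: bytes) -> bytes:
    """Derive-Secret = HKDF-Expand-Label(secret, label, Transcript-Hash(messages), Hash.length)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def key_schedule(psk: bytes, client_hello: bytes, server_hello: bytes,
                 ecdhe_shared: bytes, binder_label: str = "res binder") -> dict:
    """Run the schedule from the PSK down to the handshake traffic secrets.

    psk: resumption or external PSK; empty means "no PSK" (zero-filled Hash.length input).
    ecdhe_shared: (EC)DHE shared secret; empty means psk_ke mode (zero-filled input).
    binder_label: "res binder" for resumption PSKs, "ext binder" for external PSKs.
    """
    psk = psk or bytes(HASH_LEN)
    ecdhe_shared = ecdhe_shared or bytes(HASH_LEN)

    # Stage 1: the Early Secret depends on the PSK only (zero salt, no nonces, no transcript).
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)
    binder_key = derive_secret(early_secret, binder_label, b"")
    # The 0-RTT traffic secret additionally binds the ClientHello, which carries client_random.
    client_early_traffic_secret = derive_secret(early_secret, "c e traffic", client_hello)

    # Stage 2: the Handshake Secret mixes in the (EC)DHE shared secret (zeros in psk_ke mode).
    derived = derive_secret(early_secret, "derived", b"")
    handshake_secret = hkdf_extract(derived, ecdhe_shared)
    transcript = client_hello + server_hello  # ClientHello...ServerHello
    return {
        "early_secret": early_secret,
        "binder_key": binder_key,
        "client_early_traffic_secret": client_early_traffic_secret,
        "derived": derived,
        "handshake_secret": handshake_secret,
        "client_handshake_traffic_secret": derive_secret(handshake_secret, "c hs traffic", transcript),
        "server_handshake_traffic_secret": derive_secret(handshake_secret, "s hs traffic", transcript),
    }


def compare_two_connections(psk: bytes, ecdhe: bool = True) -> dict:
    """Run the schedule twice under one PSK with different per-connection inputs (constructed
    placeholders) and report, per secret, whether the two connections produced the same value."""
    ch_a = b"ClientHello random=" + bytes([0x01]) * 32
    ch_b = b"ClientHello random=" + bytes([0x02]) * 32
    sh_a = b"ServerHello random=" + bytes([0x03]) * 32
    sh_b = b"ServerHello random=" + bytes([0x04]) * 32
    dh_a = bytes([0x11]) * 32 if ecdhe else b""  # constructed stand-in for an (EC)DHE shared secret
    dh_b = bytes([0x22]) * 32 if ecdhe else b""
    a = key_schedule(psk, ch_a, sh_a, dh_a)
    b = key_schedule(psk, ch_b, sh_b, dh_b)
    return {name: a[name] == b[name] for name in a}


if __name__ == "__main__":
    sample_psk = bytes(range(32))  # constructed sample PSK, not a real key
    for mode, use_ecdhe in (("psk_dhe_ke", True), ("psk_ke", False)):
        print(mode)
        for name, same in compare_two_connections(sample_psk, use_ecdhe).items():
            print(f"  {name:32s} identical across connections: {same}")
```

Running it shows the early secret, the binder key and the "derived" value coming out identical for both connections, while the 0-RTT traffic secret changes with the ClientHello and the handshake secret changes with the (EC)DHE input; in psk_ke mode (no key share) the handshake secret is also identical and only the transcript hash separates the two connections' handshake traffic secrets. Swap in the resumption secret or external PSK of a real session to reproduce the figures a library such as OpenSSL logs.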
