Hi Hosnieh,

It seems to me that you are completely mistaken in your understanding of the TLS 1.3 key schedule. As I have pointed out a couple of times (e.g., [1]), PSK and Main Secret are *two completely different* keys. So I would really appreciate it if you would try to understand the TLS 1.3 key schedule (e.g., Section 1.3 in [0]) first before making any further claims. If you disagree with something, please say explicitly the exact name of the key as in the TLS 1.3 specs. Talking in general without precise keys is completely useless!

Please take your time to read [1] in full, because all your questions have been answered there.

If you have better proposals for the key schedule, please compose your ideas in the form of an Internet-Draft and publish it for the TLS WG to evaluate your proposal.

Also please see inline:

On 19.11.25 10:14, H.Rafiee wrote:
> On 11/18/25 10:43 AM, Muhammad Usama Sardar wrote:

>> Please understand that once the early secret for PSK-only mode or the main secret for ECDHE-mode is compromised, the system is compromised already and no randomness can prevent you in such a case.

> I have no doubt about that

If you agree on that, then that's the end of the story. Your concern is not a security concern in TLS 1.3.

> but I do not know whether it is an implementation problem by OpenSSL or a problem of the algorithm; the early secret needs to be available to the TLS library. In no system I have ever seen does the TLS library run in a TEE!

Just because you haven't seen it is not a sufficient reason to say that it is impossible. I would argue that if the TLS keys are not protected by the TEE, then the TEE is doing nothing except for marketing, i.e., giving a false sense of security.

Also, please familiarize yourself with the ongoing work in the SEAT working group, e.g., see [2], where the network stack is part of the confidential VM (TEE).

> Because running in a TEE or HSM or such environment usually causes extra delay, which is not acceptable in 90% of situations.

Did you mean 90% of /your/ situations? If not, where is this figure of 90% coming from? Please provide me an authentic reference for it.

> I do not agree with you here that the randomness cannot help. Of course the randomness here can help as long as PSK key (main secret)

Despite being pointed out a couple of times that they are different, may I ask why you keep writing PSK and Main Secret together?

> For the rest of your discussion, I still did not have time to check all your statements and will answer you later.

Yes, please do take your time to check all of that, because all of your questions have already been answered there. If you disagree, show me exactly which of my statements you disagree with.

-Usama

[0] https://www.researchgate.net/publication/396245726_Perspicuity_of_Attestation_Mechanisms_in_Confidential_Computing_Validation_of_TLS_13_Key_Schedule

[1] https://mailarchive.ietf.org/arch/msg/tls/17zIQeq9mE0TUXQip1OSTg_l_pg/

[2] https://datatracker.ietf.org/meeting/124/materials/slides-124-seat-insights-from-formal-analysis-01.pdf#page=9
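To make the key-schedule distinction in this thread concrete, here is an added example (not from the thread, the TLS WG, or any of the referenced documents) that walks the three HKDF-Extract stages of RFC 8446 Section 7.1 using only Python's standard library: the PSK is the IKM of the Early Secret only, while the Main Secret (called Master Secret in RFC 8446, Main Secret in the rfc8446bis draft) additionally depends on the (EC)DHE shared secret in ECDHE modes and is a deterministic function of the PSK in PSK-only mode. The sample PSK and shared-secret values are constructed.

```python
import hashlib
import hmac
from typing import Optional

HASH = hashlib.sha256
HLEN = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, Section 7.1); the HkdfLabel struct is the info."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)

def derive_secret(secret: bytes, label: str, messages: bytes = b"") -> bytes:
    """Derive-Secret(Secret, Label, Messages): context is Transcript-Hash(Messages)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HLEN)

def key_schedule(psk: Optional[bytes], ecdhe: Optional[bytes]) -> dict:
    """The three HKDF-Extract stages of RFC 8446, Section 7.1.
    psk=None: no PSK offered; ecdhe=None: PSK-only mode (no key share).
    An unavailable input is replaced by the 0-value (Hash.length zero bytes)."""
    zeros = bytes(HLEN)
    early = hkdf_extract(zeros, psk if psk is not None else zeros)
    handshake = hkdf_extract(derive_secret(early, "derived"),
                             ecdhe if ecdhe is not None else zeros)
    # "Master Secret" in RFC 8446, "Main Secret" in the rfc8446bis draft
    main = hkdf_extract(derive_secret(handshake, "derived"), zeros)
    return {"early_secret": early, "handshake_secret": handshake, "main_secret": main}

if __name__ == "__main__":
    psk = bytes([0x11]) * HLEN  # constructed sample PSK
    a = key_schedule(psk, bytes([0xAA]) * HLEN)  # constructed ECDHE shared secrets
    b = key_schedule(psk, bytes([0xBB]) * HLEN)
    print(a["early_secret"] == b["early_secret"], a["main_secret"] != b["main_secret"])
```

With a PSK but no key share (PSK-only mode) the Main Secret is fully determined by the PSK, which is why compromise of the PSK or of the Early Secret is already fatal there, independent of any extra randomness.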
