Re: [Cfrg] MAY use specified curves
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 09 September 2014 21:36 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE1A61A035E for <cfrg@ietfa.amsl.com>; Tue, 9 Sep 2014 14:36:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gm2GGUGskDy1 for <cfrg@ietfa.amsl.com>; Tue, 9 Sep 2014 14:35:59 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 79DA51A0337 for <cfrg@irtf.org>; Tue, 9 Sep 2014 14:35:59 -0700 (PDT)
Received: from [10.70.10.54] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id B665AF984; Tue, 9 Sep 2014 17:35:54 -0400 (EDT)
Message-ID: <540F72AC.2050502@fifthhorseman.net>
Date: Tue, 09 Sep 2014 17:35:40 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Icedove/32.0
MIME-Version: 1.0
To: Dan Brown <dbrown@certicom.com>, "'stephen.farrell@cs.tcd.ie'" <stephen.farrell@cs.tcd.ie>, "'cfrg@irtf.org'" <cfrg@irtf.org>
References: <810C31990B57ED40B2062BA10D43FBF5CD8CE5@XMB116CNC.rim.net> <540F48B4.1090600@cs.tcd.ie> <810C31990B57ED40B2062BA10D43FBF5CD8FC8@XMB116CNC.rim.net>
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5CD8FC8@XMB116CNC.rim.net>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="BG4d9WxmWuGoWFQCf51vnB65jOpLpKgDr"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/-1MmXxjQOEx_p9a9L3FwYyeB-bo
Subject: Re: [Cfrg] MAY use specified curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 21:36:02 -0000
On 09/09/2014 03:38 PM, Dan Brown wrote: > I vaguely recall some TLS WG list emails agreeing to move towards named DHE > parameters, and perhaps dropping DHE parameters. Perhaps the TLS WG plans on > doing the same for ECDHE? If so, then my proposal is for CFRG to ask to > retain the option of specified curves. Yes, TLS is moving toward supporting a known set of named finite-field DHE groups (though i don't think anyone has proposed eliminating custom DHE groups for the full handshake yet). https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe No TLS implementation supports custom ECC curves that i've seen. The advantage of using named groups/curves is that the groups/curves can be evaluated in detail (for both cryptographic strength and implementation optimization) by the community once, and then used everywhere without any additional per-connection cost. Custom groups/curves are far more expensive to use in practice. With custom groups/curves, the recipient of the group/curve has a difficult challenge -- they need to review the group/curve offered and determine whether it meets their intended security level. for finite field DHE, evaluating a group for security requires at least (a) checking the length of the modulus p, (b) testing the p for primality, (c) testing q=(p-1)/2 for primality (to ensure a safe prime), and (d) verify the order of the generator g and peer's share X (for safe primes, this is an easy check, since group sizes are either 1, 2, p-1, or q, and we know where the generators of order 2 are). Very few implementations actually do all these tests, and some common implementations do not even verify (a), which is relatively cheap. You can point your preferred TLS client at https://demo.cmrg.net/, which uses finite-field DHE with the 16-bit "safe" prime 0x8C7B. OpenSSL currently connects to this server without complaint :/ [0] What advantage there might be in offering custom groups seems outweighed by the implausibility of effective endpoint verification. I can see a private organization deciding to all use a novel curve/group in their internal communication because they don't like the existing named groups/curves. One option for them that wouldn't would be to all agree to use a specific custom group/curve and then just verify that the offered group/curve matches that one (and reject otherwise). But for this use case, a declared experimental code point (or private OID, depending on where the group/curve is in use) would be sufficient, and cheaper in terms of bandwidth. Consider how long it has taken this group of very clever people to decide whether any given curve is reasonable to use. Do we expect a TLS implementation confronted with a novel curve or group to be able to make any sane representation to the user of the security level represented by the offered curve? i'd say that custom groups or curves are at best a SHOULD NOT, unless there are some very clear guidelines on how to evaluate them at connection time to determine what approximate security level they provide. --dkg [0] https://rt.openssl.org/Ticket/Display.html?id=3120
- [Cfrg] MAY use specified curves Dan Brown
- Re: [Cfrg] MAY use specified curves Stephen Farrell
- Re: [Cfrg] MAY use specified curves Manuel Pégourié-Gonnard
- Re: [Cfrg] MAY use specified curves Dan Brown
- Re: [Cfrg] MAY use specified curves Stephen Farrell
- Re: [Cfrg] MAY use specified curves Daniel Kahn Gillmor
- Re: [Cfrg] MAY use specified curves David Leon Gil
- Re: [Cfrg] MAY use specified curves Watson Ladd