Re: [Cfrg] [TLS] 3DES diediedie

"denis bider \(Bitvise\)" <> Thu, 08 September 2016 21:10 UTC

From: "denis bider \(Bitvise\)" <>
To: "Ilari Liusvaara" <>, "Derek Atkins" <>
Date: Thu, 8 Sep 2016 15:09:14 -0600
Cc: Hilarie Orman <>, Joachim Strömbergson <>
Subject: Re: [Cfrg] [TLS] 3DES diediedie

> Witness the long litany of attacks against TLS
> that exploit stuff that should have been nuked
> a long time ago (but was kept for "compatibility";
> and similarly for other protocols).

Many of these attacks are made possible by poor design of the TLS protocol 
in the first place, which for some reason did not protect the integrity of 
algorithm negotiation, allowing for downgrade attacks, and requiring 
otherwise potentially useful algorithms to be eliminated because the 
algorithm negotiation is insecure.

For comparison, the design of SSH has not had this problem since around the 
year 2000.


----- Original Message -----
From: Ilari Liusvaara
Sent: Thursday, September 8, 2016 10:38
To: Derek Atkins
Cc: Hilarie Orman; Joachim Strömbergson
Subject: Re: [Cfrg] [TLS] 3DES diediedie

On Thu, Sep 08, 2016 at 11:18:47AM -0400, Derek Atkins wrote:
> My light bulb example that I keep returning to are really only designed
> to speak to the local controller(s).  They don't phone home.  Sure, they
> may have IPv6, and may be running (D)TLS, but their use case is rather
> limited.  They probably don't have a full OS, just an embedded
> firmware.
> So why does this device need the same level of security protection that I
> need when I'm communicating with my bank?  Wouldn't you rather it have a
> lower bar (e.g. 3DES) versus have zero security?  Honestly, that's the
> fight I'm fighting here with manufacturers.  They say encryption is too
> expensive, so they would rather do nothing.  I'm trying to give them
> something, anything, to get the bar raised.  Even single DES is better
> than nothing (although if they can do 1DES they can do 3DES).

Because having the "lower bar", especially with "standard" protocols
lowers security FOR EVERYONE ELSE. Witness the long litany of attacks
against TLS that exploit stuff that should have been nuked a long time
ago (but was kept for "compatibility"; and similarly for other protocols).

(And the bad crypto is just a tip of the iceberg when it comes to the
insecurity of IoT stuff, and the reasons why I really don't want to
deal with any IoT devices if I can help it at all).


Cfrg mailing list
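The design point denis raises, that SSH binds the algorithm negotiation into the signed exchange hash so that a downgrade of the offered lists is detected, can be seen in a small simulation. The following is an added example, not code from the thread or from any SSH implementation: it follows the SSH rules from RFC 4253 (section 7.1 for picking the first client-preferred algorithm the server also offers, section 8 for hashing both KEXINIT payloads into H), but it stands in an HMAC key for the host key and a fixed byte string for the Diffie-Hellman output so it runs offline. The algorithm lists and the stripped-algorithm scenario are constructed.

```python
"""Constructed simulation of integrity-protected algorithm negotiation.

Both peers hash the exact algorithm lists they sent and received into an
exchange hash H, and the server signs H with its host key. An on-path
attacker who strips strong algorithms from the lists in transit makes the
two sides compute different H values, so the client's verification fails
and it never proceeds with the downgraded choice.
"""
import hashlib
import hmac

# Assumption: a symmetric HMAC key stands in for the server's asymmetric
# host key so the example runs without any crypto library.
HOST_KEY = b"constructed-host-key"


def encode_list(algs):
    """SSH name-lists are comma-separated ASCII strings."""
    return ",".join(algs).encode()


def negotiate(client_prefs, server_prefs):
    """RFC 4253 s7.1 rule: first algorithm in the client's list that the
    server also lists wins."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    raise ValueError("no common algorithm")


def exchange_hash(client_kexinit, server_kexinit, shared_secret):
    """Hash the KEXINIT payloads as each side saw them plus the shared
    secret (RFC 4253 s8 includes more fields; these are the ones that
    matter for negotiation integrity). Each field is length-prefixed so
    boundaries cannot be shifted."""
    h = hashlib.sha256()
    for part in (client_kexinit, server_kexinit, shared_secret):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def sign(key, digest):
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(key, digest, sig):
    return hmac.compare_digest(sign(key, digest), sig)


def run_handshake(client_prefs, server_prefs, strip=()):
    """Run one negotiation. `strip` names algorithms an on-path attacker
    removes from each peer's list before delivery. Returns
    (signature_verified, algorithm_the_client_would_pick)."""
    shared_secret = b"constructed-shared-secret"  # stands in for the DH output

    # Each side records exactly what it sent.
    client_sent = encode_list(client_prefs)
    server_sent = encode_list(server_prefs)

    # What each side receives may have been modified in transit.
    client_recv = encode_list([a for a in server_prefs if a not in strip])
    server_recv = encode_list([a for a in client_prefs if a not in strip])

    # Server signs H over the client list it received and the list it sent.
    server_h = exchange_hash(server_recv, server_sent, shared_secret)
    signature = sign(HOST_KEY, server_h)

    # Client recomputes H over the list it sent and the server list it
    # received; any tampering on either leg changes the result.
    client_h = exchange_hash(client_sent, client_recv, shared_secret)
    verified = verify(HOST_KEY, client_h, signature)

    choice = negotiate(client_prefs, client_recv.decode().split(","))
    return verified, choice


# Constructed preference lists: strong algorithms first, 3des-cbc last.
CLIENT_PREFS = ["aes256-gcm@openssh.com", "aes128-ctr", "3des-cbc"]
SERVER_PREFS = ["aes128-ctr", "aes256-gcm@openssh.com", "3des-cbc"]

if __name__ == "__main__":
    print(run_handshake(CLIENT_PREFS, SERVER_PREFS))
    print(run_handshake(CLIENT_PREFS, SERVER_PREFS,
                        strip=("aes256-gcm@openssh.com", "aes128-ctr")))
```

In the untampered run both sides agree on `aes256-gcm@openssh.com` and the signature verifies. When the attacker strips the AES entries, each side's view of the lists would lead it to `3des-cbc`, but the client's recomputed H no longer matches the one the server signed, so the downgrade is caught before any data is sent. Keeping a weak algorithm in the list is therefore far less dangerous when the negotiation itself is authenticated than when, as in the pre-1.3 TLS designs the thread refers to, it is not.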