IETF Logo Mail Archive

Re: [perpass] TLS/SSL Perfect Forward Secrecy and Key Rotation

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 03 September 2013 09:31 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A90711E81B0 for <perpass@ietfa.amsl.com>; Tue, 3 Sep 2013 02:31:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fTo4vRtsie6k for <perpass@ietfa.amsl.com>; Tue, 3 Sep 2013 02:31:50 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 6F66521F8D90 for <perpass@ietf.org>; Tue, 3 Sep 2013 02:31:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id B7BEEBE76; Tue, 3 Sep 2013 10:31:46 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I6ETl3kr0sD3; Tue, 3 Sep 2013 10:31:46 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 923D5BE75; Tue, 3 Sep 2013 10:31:46 +0100 (IST)
Message-ID: <5225AC82.20006@cs.tcd.ie>
Date: Tue, 03 Sep 2013 10:31:46 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: Patrick Pelletier <code@funwithsoftware.org>, yakov-ietf@shaftek.org
References: <mailman.904.1378168674.3384.perpass@ietf.org> <66BFDF4E-52DE-407B-8BF7-928F848CB149@funwithsoftware.org>
In-Reply-To: <66BFDF4E-52DE-407B-8BF7-928F848CB149@funwithsoftware.org>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: perpass@ietf.org
Subject: Re: [perpass] TLS/SSL Perfect Forward Secrecy and Key Rotation
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 09:31:54 -0000

Patrick, Yakov,

The TLS PFS stuff sounds to me like a fine internet draft.
Why don't you two go write it up as one?

Then when the -00 version is out, ask if the TLS wg want
to adopt it as a work item. If they don't want to do the
work within the wg, but don't object to it being done,
then I'd take a look at AD sponsoring it. But either way,
I'd expect that if it had reasonable content then we
should be able to turn it into an RFC without too much
pain.

As to content, it'd maybe be better to keep the BCP like
bits separate from any new TLS extension definition but
if you think they belong together just do that for the
-00 version and it can be sorted out later if need be.

Feel free to ask me off-list if you need any help with
how to go about getting that done.

And assuming Patrick and Yakov can take this on, I'm
sure they'd be interested in hearing from anyone else
who'd like to help do the work.

Cheers,
S.

PS: If this works out, it'd nicely fit what Sean and
I hoped would be the modus operandi for this list - find
a concrete thing that can be improved, (plus some
victims willing to do the work:-), get that turned into
an internet-draft, and then Sean and I can help figure out
how to fit it into some IETF WG or get it AD sponsored.
More examples are very welcome.

On 09/03/2013 07:41 AM, Patrick Pelletier wrote:
> I'd definitely like to see such a thing.  I feel like PFS in TLS is a
> bit fragmented since not everyone is ready to jump on the ECDHE bandwagon:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=319901
> 
> but the situation with plain old DHE is not that great, since server
> software often uses ridiculously small prime sizes, and makes it hard
> for the user to configure larger ones:
> 
> http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html
> 
> and even if the server is willing to use a larger Diffie-Hellman prime,
> the problem is that clients often don't support larger primes either,
> and the server has no way to know what the client is willing to accept. 
> Older (but still in use) versions of Java, and apparently also Windows,
> only support 1024 bit Diffie-Hellman (see above ivanristic URL for
> references on these), which of course is generally considered too small
> to be secure today.  And until recently, NSS only supported prime sizes
> up to 2236 bits:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=636802
> 
> If the server chooses a prime size larger than the client can handle,
> the handshake will fail.  I still think we need a TLS extension so that
> the client can tell the server what prime sizes it will accept (perhaps
> in the form of min/max/multiple), with the server assuming something
> conservative like 1024 (even though that is sadly inadequate) if the
> client doesn't send the extension:
> 
> http://lists.gnutls.org/pipermail/gnutls-help/2012-May/002748.html
> 
> But besides a TLS extension, I think what you suggest is good, some sort
> of informational RFC that would recommend "best practices" for PFS, e.
> g. something along the lines of "put ECDHE cipher suites first (for
> performance and so Java won't choke on DHE), make sure you support at
> least secp256r1 and secp384r1, put DHE cipher suites second, use a prime
> size of 2176 bits (largest multiple of 64 less than 2236)" or whatever.
> 
> Also perhaps some recommendations (and maybe this is what you're getting
> at with key rotation) about how (and whether) to make use of session
> resumption, and especially session tickets, when PFS is desired, since
> these can weaken it.
> 
> --Patrick
> 
> 
> On Sep 2, 2013, at 5:37 PM, perpass-request@ietf.org wrote:
> 
>> From: Yakov Shafranovich <yakov-ietf@shaftek.org>
>> Date: September 2, 2013 1:02:52 PM PDT
>> To: perpass@ietf.org
>> Subject: [perpass] TLS/SSL Perfect Forward Secrecy and Key Rotation
>>
>>
>> There has been some chatter about Perfect Forward Secrecy (PFS) and
>> insufficient key rotation for SSL/TLS. Is this something that should
>> merit discussion and perhaps an information draft with
>> recommendations?
>>
>> Thanks,
>> Yakov
> 
> 
> 
> 
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass
>

v2.23.0 | Report a Bug | By Email