Re: [perpass] TLS/SSL Perfect Forward Secrecy and Key Rotation
Yakov Shafranovich <yakov-ietf@shaftek.org> Tue, 03 September 2013 12:12 UTC
Return-Path: <yakov@shaftek.org>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5961C21E8128 for <perpass@ietfa.amsl.com>; Tue, 3 Sep 2013 05:12:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.872
X-Spam-Level:
X-Spam-Status: No, score=-2.872 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xZrTLeR0v70t for <perpass@ietfa.amsl.com>; Tue, 3 Sep 2013 05:12:14 -0700 (PDT)
Received: from mail-vb0-f53.google.com (mail-vb0-f53.google.com [209.85.212.53]) by ietfa.amsl.com (Postfix) with ESMTP id 8CD1121E8123 for <perpass@ietf.org>; Tue, 3 Sep 2013 05:12:11 -0700 (PDT)
Received: by mail-vb0-f53.google.com with SMTP id i3so3720983vbh.26 for <perpass@ietf.org>; Tue, 03 Sep 2013 05:12:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=zfGEpGyo7nf6JuhBr0l9nlc7s+39ABysRzj3lRf+wF8=; b=CpSnO/eN5qMm+ukRZyjruvLxF4gKum6dZxwqXY3HP8QNoPR3cMwI5fjI4aEYi4aKeJ RIwrnqoI/79DemacrJPXGR280ndJ9BdTMjHmfOQak5ackqmizj3k15Bdo1fNV/ESMU3F dBGvTmb6NaHausksKa5SR0mNdtsVi3qwg2q72fHOClugNN784Hc7bD3mcRqDEqNLBQM5 LGhcGEdbjd++Qt6pURI5la4HfftIjMZkyK3HG8mV1W2X4LI2r9ziZzTSkiOXy4O96HoJ o0lqR9/m41TyAst44f5L/aVlX/w0A9gI0dsOKdtpMMZtQCHp34+OVx7fqK4yz70RORVZ HA6A==
X-Gm-Message-State: ALoCoQlhT4Ms6JaI5GxWI0KwMlrj/BnCJiMETcp3hUn8XMO+h9jlOORJXaivz+K3Itp7ccfLZKE6
X-Received: by 10.220.10.194 with SMTP id q2mr27726685vcq.2.1378210329716; Tue, 03 Sep 2013 05:12:09 -0700 (PDT)
MIME-Version: 1.0
Sender: yakov@shaftek.org
Received: by 10.52.183.4 with HTTP; Tue, 3 Sep 2013 05:11:39 -0700 (PDT)
X-Originating-IP: [96.244.132.139]
In-Reply-To: <66BFDF4E-52DE-407B-8BF7-928F848CB149@funwithsoftware.org>
References: <mailman.904.1378168674.3384.perpass@ietf.org> <66BFDF4E-52DE-407B-8BF7-928F848CB149@funwithsoftware.org>
From: Yakov Shafranovich <yakov-ietf@shaftek.org>
Date: Tue, 03 Sep 2013 08:11:39 -0400
X-Google-Sender-Auth: MXMKV3HkKbbrvcwBrdqnQAdJvKU
Message-ID: <CAPQd5oT=2SFwkZOv5AvGg5FbmZaqMefTy1BKJhZ2dZC8DjjHDg@mail.gmail.com>
To: Patrick Pelletier <code@funwithsoftware.org>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: perpass@ietf.org
Subject: Re: [perpass] TLS/SSL Perfect Forward Secrecy and Key Rotation
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 12:12:19 -0000
In addition to PFS, there is also a larger issue of SSL key rotation. PFS is really a means to get to a session key that gets generated every time. We have a separate issue with those not using PFS like plain RSA, etc. where they key is not rotated often enough. Assuming an attacker has access to the server's key, they can decrypt everyone's traffic. The CA/browser forum has begun some steps in this direction by lowering validity of SSL server certificates to 18 months. Is there a place for a discussion on recommending a lower time period for key rotation with the ensuing implications for those who do not want/can not use PFS? Thanks On Tue, Sep 3, 2013 at 2:41 AM, Patrick Pelletier <code@funwithsoftware.org> wrote: > I'd definitely like to see such a thing. I feel like PFS in TLS is a bit > fragmented since not everyone is ready to jump on the ECDHE bandwagon: > > https://bugzilla.redhat.com/show_bug.cgi?id=319901 > > but the situation with plain old DHE is not that great, since server > software often uses ridiculously small prime sizes, and makes it hard for > the user to configure larger ones: > > http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html > > and even if the server is willing to use a larger Diffie-Hellman prime, the > problem is that clients often don't support larger primes either, and the > server has no way to know what the client is willing to accept. Older (but > still in use) versions of Java, and apparently also Windows, only support > 1024 bit Diffie-Hellman (see above ivanristic URL for references on these), > which of course is generally considered too small to be secure today. And > until recently, NSS only supported prime sizes up to 2236 bits: > > https://bugzilla.mozilla.org/show_bug.cgi?id=636802 > > If the server chooses a prime size larger than the client can handle, the > handshake will fail. I still think we need a TLS extension so that the > client can tell the server what prime sizes it will accept (perhaps in the > form of min/max/multiple), with the server assuming something conservative > like 1024 (even though that is sadly inadequate) if the client doesn't send > the extension: > > http://lists.gnutls.org/pipermail/gnutls-help/2012-May/002748.html > > But besides a TLS extension, I think what you suggest is good, some sort of > informational RFC that would recommend "best practices" for PFS, e. g. > something along the lines of "put ECDHE cipher suites first (for performance > and so Java won't choke on DHE), make sure you support at least secp256r1 > and secp384r1, put DHE cipher suites second, use a prime size of 2176 bits > (largest multiple of 64 less than 2236)" or whatever. > > Also perhaps some recommendations (and maybe this is what you're getting at > with key rotation) about how (and whether) to make use of session > resumption, and especially session tickets, when PFS is desired, since these > can weaken it. > > --Patrick > > > On Sep 2, 2013, at 5:37 PM, perpass-request@ietf.org wrote: > > From: Yakov Shafranovich <yakov-ietf@shaftek.org> > Date: September 2, 2013 1:02:52 PM PDT > To: perpass@ietf.org > Subject: [perpass] TLS/SSL Perfect Forward Secrecy and Key Rotation > > > There has been some chatter about Perfect Forward Secrecy (PFS) and > insufficient key rotation for SSL/TLS. Is this something that should > merit discussion and perhaps an information draft with > recommendations? > > Thanks, > Yakov > > > > _______________________________________________ > perpass mailing list > perpass@ietf.org > https://www.ietf.org/mailman/listinfo/perpass >
- [perpass] TLS/SSL Perfect Forward Secrecy and Key… Yakov Shafranovich
- Re: [perpass] TLS/SSL Perfect Forward Secrecy and… Patrick Pelletier
- Re: [perpass] TLS/SSL Perfect Forward Secrecy and… Stephen Farrell
- Re: [perpass] TLS/SSL Perfect Forward Secrecy and… Yakov Shafranovich
- Re: [perpass] TLS/SSL Perfect Forward Secrecy and… Stephen Farrell
- Re: [perpass] TLS/SSL Perfect Forward Secrecy and… Patrick Pelletier