Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-00.txt

Daniel Kahn Gillmor <> Fri, 25 July 2014 05:13 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4861D1A0306 for <>; Thu, 24 Jul 2014 22:13:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tWf02KWcBXdN for <>; Thu, 24 Jul 2014 22:13:29 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B43531A0AD6 for <>; Thu, 24 Jul 2014 22:13:29 -0700 (PDT)
Received: from [] ( []) by (Postfix) with ESMTPSA id 61476F984; Fri, 25 Jul 2014 01:13:26 -0400 (EDT)
Message-ID: <>
Date: Fri, 25 Jul 2014 01:13:26 -0400
From: Daniel Kahn Gillmor <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Icedove/30.0
MIME-Version: 1.0
To: Peter Gutmann <>, "<>" <>
References: <>
In-Reply-To: <>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="cRNcwohmdvTLgj3jFDRjNNWGAQhMfSdaV"
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-00.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 25 Jul 2014 05:13:31 -0000

On 07/24/2014 10:53 AM, Peter Gutmann wrote:
> - Why not just use the well-known and -accepted IKE groups from RFC 3526 for
> this?  In fact why invent entirely new groups (that don't even cover the
> existing range in RFC 3526) when there's already well-established ones
> available?

There's a possibility that a very expensive (e.g. precomputation) attack
exists that can be mounted against any given group.  If we reuse the
same group used by other mechanisms (e.g. ipsec) then the value for
mounting such an expensive attack goes up.

Selecting a different group forces an attacker to choose which group to

> - What's the thinking behind a 2432-bit group?  2048-bit I could understand,
> 2560 bits perhaps, but 2432?

This was based on the 112-bit symmetric equivalence published by ECRYPT
II.  The ECRYPT document is referenced in the draft.

> - Publishing the values of q (rather than just telling people how to calculate
> them) would be good, since it'd provide known-correct values for them.

by q i think you mean (p-1)/2 -- i'm happy to document those values
explicitly in the draft if you think that would be useful.