[TLS] Do we need DH?
Watson Ladd <watsonbladd@gmail.com> Sun, 28 December 2014 22:38 UTC
Date: Sun, 28 Dec 2014 17:38:11 -0500
Message-ID: <CACsn0cmD=YA4i889f--e_b-OahUVoYdKyQUaiUN--QKOmqn8uA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0VjRY8gkKOAFwUnzQwKTYt4VwTc
Subject: [TLS] Do we need DH?

Dear all,

I invite you to consider the following interesting sources
http://www.spiegel.de/media/media-35511.pdf
http://www.spiegel.de/media/media-35510.pdf

These show that the NSA has a comparatively easy time exploiting static RSA. From this it seems that performance actually matters: the slow speed of DH exchange compared to ECC explains why ECC, and not DH is replacing RSA.

DH is also being attacked by PHOENIX: I can wild mass guess that this is batch FFS: I don't know if this has been researched extensively, and even batch NFS has only an asymptotic analysis.

Given the low usage of the DH handshake, and potential vulnerabilities (not potential, but certainly not as well understood) should we keep it in TLS 1.3?

Sincerely,
Watson Ladd