[TLS] Do we need DH?

Watson Ladd <watsonbladd@gmail.com> Sun, 28 December 2014 22:38 UTC

Date: Sun, 28 Dec 2014 17:38:11 -0500
Message-ID: <CACsn0cmD=YA4i889f--e_b-OahUVoYdKyQUaiUN--QKOmqn8uA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0VjRY8gkKOAFwUnzQwKTYt4VwTc
Subject: [TLS] Do we need DH?

Dear all,

I invite you to consider the following interesting sources:

http://www.spiegel.de/media/media-35511.pdf
http://www.spiegel.de/media/media-35510.pdf

These show that the NSA has a comparatively easy time exploiting static RSA.

From this it seems that performance actually matters: the slow speed
of DH exchange compared to ECC explains why ECC, and not DH, is
replacing RSA. DH is also being attacked by PHOENIX: I can wild mass
guess that this is batch FFS: I don't know if this has been researched
extensively, and even batch NFS has only an asymptotic analysis.

Given the low usage of the DH handshake, and potential vulnerabilities
(not potential, but certainly not as well understood), should we keep
it in TLS 1.3?

Sincerely,
Watson Ladd
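The post's worry that finite-field DH is "not as well understood" has a concrete defensive counterpart: an endpoint can at least verify that the group it is handed is large enough, that the modulus is a safe prime whose generator has prime order q, and that the peer's public value lies in that order-q subgroup rather than in a tiny one. The block below is an added example, not code from the post or from the TLS working group. The 2048-bit prime is MODP group 14 from RFC 3526 (generator 2); the function names, the Miller-Rabin rounds and the sample exchange are constructed here for illustration.

```python
"""Parameter and public-value checks for finite-field Diffie-Hellman.

Added example (not from the mailing-list post).  The only standard value
is the RFC 3526 MODP group 14 prime; everything else is constructed.
"""
import secrets

# RFC 3526, 2048-bit MODP group (group 14); the generator is 2.
MODP_2048_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P_2048 = int("".join(MODP_2048_HEX.split()), 16)
G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases.  False means definitely composite;
    True means no witness was found in `rounds` attempts."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_group(p: int, g: int, min_bits: int = 2048) -> list:
    """Return the problems found with (p, g); an empty list means the group
    is at least min_bits long, p is a safe prime and g has order q."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus is {p.bit_length()} bits, below {min_bits}")
    if not is_probable_prime(p):
        problems.append("modulus is not prime")
        return problems  # the remaining checks assume a prime modulus
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("(p-1)/2 is not prime, so p is not a safe prime")
    if not 1 < g < p - 1:
        problems.append("generator is out of range")
    elif pow(g, q, p) != 1:
        # g of order 2q leaks the parity of every private exponent
        problems.append("generator does not generate the order-q subgroup")
    return problems


def check_dh_public(p: int, y: int) -> bool:
    """Accept a peer's public value only if 1 < y < p-1 and y lies in the
    order-q subgroup; this rejects 1, p-1 and other small-order elements."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def exchange(p: int, g: int) -> tuple:
    """One constructed exchange with full-size private exponents.
    Returns (ya, yb, ka, kb); ka == kb when both sides agree."""
    xa = secrets.randbelow(p - 2) + 1
    xb = secrets.randbelow(p - 2) + 1
    ya, yb = pow(g, xa, p), pow(g, xb, p)
    # Each side validates what it received before using it.
    if not (check_dh_public(p, yb) and check_dh_public(p, ya)):
        raise ValueError("peer public value rejected")
    return ya, yb, pow(yb, xa, p), pow(ya, xb, p)


if __name__ == "__main__":
    print("group 14 problems:", check_dh_group(P_2048, G))
    ya, yb, ka, kb = exchange(P_2048, G)
    print("shared secrets agree:", ka == kb)
    print("y = p-1 accepted:", check_dh_public(P_2048, P_2048 - 1))
```

The checks cost a few dozen modular exponentiations per group, so in practice a server validates its configured group once at start-up and validates each peer's public value per handshake; the per-peer subgroup test is a single exponentiation, the same cost as the key agreement itself.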