Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 24 September 2013 06:30 UTC

Message-ID: <52413186.9000609@gmail.com>
Date: Tue, 24 Sep 2013 09:30:30 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "tls@ietf.org" <tls@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C7355676085@uxcn10-6.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7355676085@uxcn10-6.UoA.auckland.ac.nz>
Subject: Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Just to clarify my sloppy terminology: I was asking about ECDH with 
named curves (which today means P-256 in practice, but in the future 
will allow non-NIST curves, e.g. Brainpool). Of course the "parameters" 
(DH public key) are generated periodically or even on each connection.

Thanks,
	Yaron

On 09/24/2013 07:45 AM, Peter Gutmann wrote:
> Yaron Sheffer <yaronf.ietf@gmail.com> writes:
>
>> - Does any of this brittleness still apply when talking about ECDH (as
>> opposed to ECDSA), with fixed parameters?
>
> Probably not, in terms of brittleness.  But then if you're using fixed ECDH
> parameters (rather than, say, regenerating them once an hour and discarding
> the old ones) you've got potentially NSA-influenced values like P256 that the
> NSA has been awfully keen to get everyone to use, and that even without NSA
> skullduggery make a nice single target for attack.  So that's an entirely
> different problem.
>
> If you do want to generate your own ECDH parameters (i.e. curves), that's
> another huge mess to deal with.  For DH you just use Lim-Lee and you're done
> (although the fact that TLS doesn't communicate the 'q' value is something I'd
> really like to see corrected), while for ECC you need to get an awful lot of
> special-case checks and conditions just right.
>
> Then, once you've done that, you get to find out how many implementations
> support the arbitrary_explicit_prime_curves format, which I suspect is pretty
> close to zero.
>
> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
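An added example, not code from the thread or either author, of the check behind Peter's aside that TLS never communicates the DH 'q' value: a peer's public value can only be confirmed to lie in the intended prime-order subgroup when q is known, otherwise a range check is all a client can do. The group below is a tiny constructed toy with a visible cofactor, not a real TLS group.

```python
# Toy DH group, constructed for illustration: p - 1 = 2 * r * q, with q the prime
# order of the working subgroup and r a cofactor (kept tiny here so the demo is
# visible). For a safe prime r = 1 and q = (p-1)/2 follows from p alone; for a
# Lim-Lee prime the cofactors are large and q cannot be recovered from p, which
# is why a TLS client that only receives (p, g, Ys) cannot run subgroup_check().
P = 10091                 # prime; P - 1 = 2 * 5 * 1009
Q = 1009                  # prime order of the subgroup we actually want to use
COFACTOR = (P - 1) // Q   # 10: the part of P - 1 outside the order-Q subgroup


def subgroup_generator(p, q, seed=2):
    """Return an element of order exactly q (q prime): raise a seed to (p-1)/q."""
    g = pow(seed, (p - 1) // q, p)
    # g^q == 1 by construction; if g != 1 its order divides q and so equals q.
    assert g != 1 and pow(g, q, p) == 1
    return g


def range_check(y, p):
    """The only check possible without q: 1 < y < p - 1 (catches 0, 1, p-1)."""
    return 1 < y < p - 1


def subgroup_check(y, p, q):
    """Full check: in range AND y^q == 1 mod p, i.e. y is in the order-q subgroup."""
    return range_check(y, p) and pow(y, q, p) == 1


def small_subgroup_element(p, q):
    """Find a value that passes the range check but lies in a tiny subgroup.
    Constructed for the demo: h^(2q) has order dividing (p-1)/(2q) = 5, never q."""
    for h in range(2, p):
        e = pow(h, 2 * q, p)
        if e != 1:
            return e
    raise ValueError("no small-subgroup element found")


if __name__ == "__main__":
    g = subgroup_generator(P, Q)
    honest = pow(g, 777, P)               # a legitimate ephemeral public value g^x
    bogus = small_subgroup_element(P, Q)  # order-5 value; accepting it leaks x mod 5
    for name, y in (("honest", honest), ("bogus", bogus), ("p-1", P - 1)):
        print(f"{name:6} range={range_check(y, P)} subgroup={subgroup_check(y, P, Q)}")
```

The bogus value passes the range check and fails only the subgroup check, which is exactly the test a TLS peer cannot perform when q is not part of the exchanged parameters.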