Re: [TLS] IANA Recommendations for Obsolete Key Exchange
David Benjamin <davidben@chromium.org> Mon, 15 April 2024 18:46 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27270C14CE4A for <tls@ietfa.amsl.com>; Mon, 15 Apr 2024 11:46:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.295
X-Spam-Level:
X-Spam-Status: No, score=-11.295 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-2.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W0soc1DRdPFN for <tls@ietfa.amsl.com>; Mon, 15 Apr 2024 11:46:29 -0700 (PDT)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 612F4C14CE25 for <tls@ietf.org>; Mon, 15 Apr 2024 11:46:29 -0700 (PDT)
Received: by mail-oi1-x22e.google.com with SMTP id 5614622812f47-3c60adf3474so2169455b6e.1 for <tls@ietf.org>; Mon, 15 Apr 2024 11:46:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1713206788; x=1713811588; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3mMMZr2dG59TKhJQF5RQ9D9pPnLnNhjGgw+fmM0nJPU=; b=UDi5f065IrHMUWVXB6WoX7juTESW1yG8Uh4UkZNMbLg+nMX1rOu/Qt9wVfTbq2f2IV ulfuNJQDt7MSixrvF5rwR/MKGKnLKtIttauRsUO9Wi3fvjb3AWtHfeqPREO4qAMDt6Ji HiNj8Y/RMXp88ROPFtdQgGhaI0CAvj/zin+Ho=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713206788; x=1713811588; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3mMMZr2dG59TKhJQF5RQ9D9pPnLnNhjGgw+fmM0nJPU=; b=dlhx47XgoK3b54ZBdq9TfmPK6Bb+dLmV8Kq9VM9/BK5g7n9r5AFMOmiZeH8HNcx/SX FN+wrPOjwMPyhLnbYSRJPcDgP0IGWhHiK2IKj6FSDhtIg2yqmyJfAFnlTJoll9YmdcT6 4KciYmSK1HeB4oGED+DUfj57u3RDg75aL4gBfAmUsOgvZpGvioFhysxznuSdaluxPVmC pSPqRp9GvgvMH/ebE1cUI7IdI4euYcetjgsfrdFJvFaW/vCwbKoLhv53CtBS8+5dxO0v M3WH4CZ8tZDQ4Taoy93/KWaBTmZ81V2KuMaD7hkXhGn4NWEMFEJoSfsfqDdRDyGmXTvS vJRg==
X-Gm-Message-State: AOJu0YwfICVVk+WathQxxyPuxTNv5+wo2KK1U2vSyzqb/iokLzHJM30t J5vMnRP08vHFSP90+FKWkJHOLy+DkPXdMr3NbrF4DnBVWP2XSHqEtChWaHH6a6KJ53X/YwbRiUL nEp8iYfj7zYeezqMH62PDlpEVptruZ8LKpds=
X-Google-Smtp-Source: AGHT+IH2wBSpEeax2Ytc8lUdwEO8tdMaoO5XyMSo1qyPYwFzYyzfj0GmKmpRev8tXjjXz+HGGYXQ8+IWY+d3ukPZBK8=
X-Received: by 2002:a05:6808:2798:b0:3c7:2043:2cd7 with SMTP id es24-20020a056808279800b003c720432cd7mr433941oib.58.1713206788167; Mon, 15 Apr 2024 11:46:28 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoDZbdQD_i+u4=XQ7gRmJPOHM-T+Q-=dzRQh-+cs3ZLEkg@mail.gmail.com>
In-Reply-To: <CAOgPGoDZbdQD_i+u4=XQ7gRmJPOHM-T+Q-=dzRQh-+cs3ZLEkg@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 15 Apr 2024 14:46:10 -0400
Message-ID: <CAF8qwaCOK75mpZmAzOvFDgofsZS5C0bu1-TFJJ_wsWUnXL-P3g@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000009847d0616270a07"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1xZt0rxq1QSzJVdjWRY-bYjNbiI>
Subject: Re: [TLS] IANA Recommendations for Obsolete Key Exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2024 18:46:33 -0000
>From the meeting, I remember there being some confusion around a table that split things up between TLS 1.2 and TLS 1.3, and differences in how they negotiate things, which makes this listing a bit ambiguous. In particular, there aren't any *cipher suites* with FFDH or FFDHE in their name in TLS 1.2. Also some of these constructions have analogs in TLS 1.3 and some don't, but none as cipher suites. Agreed with the proposal, but specifically, this is what I understand the proposal to mean: TLS 1.2 RSA cipher suites (TLS_RSA_WITH_*) should be marked with a "D" -- These lack forward secrecy and use a broken encryption scheme. -- There is no analog to RSA key exchange in TLS 1.3, so leave it alone. TLS 1.2 static DH cipher suites (TLS_DH_*_WITH_*) should be marked with a "D" -- These lack forward secrecy and the DH(E) construction in TLS 1.2 is broken. It lacks parameter negotiation, and uses a variable-length secret that is vulnerable to the Raccoon attack, particularly in this context with a static DH key. -- There is no analog to static DH in TLS 1.3, so leave it alone. TLS 1.2 DHE cipher suites (TLS_DHE_*_WITH_*) should be marked with a "D" -- While these do provide forward secrecy, the DH(E) construction in TLS 1.2 is broken. It lacks parameter negotiation, and uses a variable-length secret that is vulnerable to the Raccoon attack. In this context, the Racoon attack is less fatal, but it is still a side channel leakage that the protocol should have avoided. -- In theory RFC 7919 addressed the lack of parameter negotiation, but by reusing the old construction's cipher suites, it is undeployable. It also does not fix the side channel. -- There *is* an analog in TLS 1.3 (the ffdhe* named groups). However, they do not share the TLS 1.2 construction's problems, so we can leave them alone. They're just slow and kinda pointless given ECC exists. TLS 1.2 static ECDH cipher suites (TLS_ECDH_*_WITH_*) should be marked with a "D" -- These lack forward secrecy -- There is no analog to static ECDH in TLS 1.3, so leave it alone. On Mon, Apr 15, 2024 at 1:30 PM Joseph Salowey <joe@salowey.net> wrote: > At IETF 119 we had discussion on how to mark the ciphersuites deprecated > by draft-ietf-tls-deprecate-obsolete-kex in the IANA Registry. At the > meeting there was support for ('D' means discouraged): > > RSA ciphersuites should be marked with a "D" > FFDH ciphersuites should be marked with a "D" > FFDHE ciphersuites should be marked with a "D" > ECDH ciphersuites should be marked with a "D" > > This aligns with the deprecation intent of the draft. The draft states > ECDH are a SHOULD NOT instead of a MUST NOT, but the sentiment was they > should be generally discouraged. > > Please respond with any comments on this proposal by April 30,2024. > > Thanks, > > Sean, Deirdre and Joe > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] IANA Recommendations for Obsolete Key Excha… Joseph Salowey
- Re: [TLS] IANA Recommendations for Obsolete Key E… Rob Sayre
- Re: [TLS] IANA Recommendations for Obsolete Key E… David Benjamin
- Re: [TLS] IANA Recommendations for Obsolete Key E… Martin Thomson
- Re: [TLS] IANA Recommendations for Obsolete Key E… Hubert Kario