IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Henrick Hellström <henrick@streamsec.se> Mon, 27 October 2014 08:47 UTC

Return-Path: <henrick@streamsec.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 707E81A8A7B for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 01:47:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.25
X-Spam-Level:
X-Spam-Status: No, score=-1.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6G6s4446ioS for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 01:47:05 -0700 (PDT)
Received: from vsp6.ballou.se (vsp6.ballou.se [91.189.40.85]) by ietfa.amsl.com (Postfix) with SMTP id 1F9AC1A0020 for <tls@ietf.org>; Mon, 27 Oct 2014 01:47:02 -0700 (PDT)
Received: from nmail1.ballou.se (unknown [10.0.0.116]) by vsp6.ballou.se (Halon Mail Gateway) with ESMTP; Mon, 27 Oct 2014 09:46:59 +0100 (CET)
Received: from [192.168.0.195] (c-21cfe555.06-134-73746f39.cust.bredbandsbolaget.se [85.229.207.33]) (Authenticated sender: henrick@streamsec.se) by nmail1.ballou.se (Postfix) with ESMTPSA id 4CC891DE4C; Mon, 27 Oct 2014 09:46:59 +0100 (CET)
Message-ID: <544E0682.30804@streamsec.se>
Date: Mon, 27 Oct 2014 09:46:58 +0100
From: Henrick Hellström <henrick@streamsec.se>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <544C1BC3.5060204@streamsec.se> <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com>
In-Reply-To: <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/20bUIPhlN1c8o5QUuiEpB3gj7T0
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: henrick@streamsec.se
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 08:47:07 -0000

On 2014-10-26 08:09, Nikos Mavrogiannopoulos wrote:
> To be honest I don't see that to be a lot more complex, and the complexity
> on the same level as supporting ECDH with named groups and arbitrary groups,
> which was deemed reasonable for ECDH. Consistency (with ECDH) is also another
> reason to keep the code paths separated.

Another thing about this rule:

>    A compatible TLS server that receives the NamedCurve extension with
>    FFDHE codepoints in it, and which selects an FFDHE ciphersuite MUST
>    select one of the offered groups and indicates the choice of groups
>    to the client by sending a specially-formatted ServerDHParams as
>    described below.

Suppose a client offers both ECDHE and FFDHE cipher suites, and does 
send the NamedCurve extension, but with no identifiers the server 
recognizes as FFDHE groups, but with a few identifiers the server 
doesn't recognize at all.

How is the server supposed to tell if:
   1. The client doesn't support named FFDHE groups at all and expects 
the arbitrary encoding of FFDHE server key exchange messages, or
   2. The client supports only a few named FFDHE groups defined in a 
later revision of the standard that the server hasn't yet implemented, 
meaning the server ideally MUST NOT use the arbitrary encoding of FFDHE 
groups, but rather pick other cipher suites?

This is a dilemma that implementors might decide to circumvent in 
complex and undesirable ways.

v2.23.0 | Report a Bug | By Email