IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Henrick Hellström <henrick@streamsec.se> Sun, 26 October 2014 08:11 UTC

Return-Path: <henrick@streamsec.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6996C1A6FF5 for <tls@ietfa.amsl.com>; Sun, 26 Oct 2014 01:11:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.25
X-Spam-Level:
X-Spam-Status: No, score=-1.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wST-UswbUzLe for <tls@ietfa.amsl.com>; Sun, 26 Oct 2014 01:11:56 -0700 (PDT)
Received: from vsp3.ballou.se (vsp3.ballou.se [91.189.40.101]) by ietfa.amsl.com (Postfix) with SMTP id E952F1A6FF2 for <tls@ietf.org>; Sun, 26 Oct 2014 01:11:55 -0700 (PDT)
Received: from nmail1.ballou.se (unknown [10.0.0.116]) by vsp3.ballou.se (Halon Mail Gateway) with ESMTP; Sun, 26 Oct 2014 09:11:51 +0100 (CET)
Received: from [192.168.0.195] (c-21cfe555.06-134-73746f39.cust.bredbandsbolaget.se [85.229.207.33]) (Authenticated sender: henrick@streamsec.se) by nmail1.ballou.se (Postfix) with ESMTPSA id DA6C41DE4C; Sun, 26 Oct 2014 09:11:51 +0100 (CET)
Message-ID: <544CAC9D.3090909@streamsec.se>
Date: Sun, 26 Oct 2014 09:11:09 +0100
From: Henrick Hellström <henrick@streamsec.se>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <544C1BC3.5060204@streamsec.se> <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com>
In-Reply-To: <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/27muncfm-1DYp-0kD_iAoRhIeSs
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: henrick@streamsec.se
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Oct 2014 08:11:58 -0000

On 2014-10-26 08:09, Nikos Mavrogiannopoulos wrote:
> To be honest I don't see that to be a lot more complex, and the complexity
> on the same level as supporting ECDH with named groups and arbitrary groups,
> which was deemed reasonable for ECDH. Consistency (with ECDH) is also another
> reason to keep the code paths separated.

No, ECDHE is different, because you can't implement RFC 4492 (EC cipher 
suites) fully, unless your implementation supports the hello extensions 
and curve negotiation mechanism, and there exists clients that don't 
support arbitrary explicit curves. In the case of DHE, most clients will 
probably only support explicit groups and not support the extension and 
named groups at all, for several years ahead.

Consequently, a server that e.g. only implements secp256r1 encoded as a 
named curve, would stand a fair chance of being interoperable, if it 
simply refuses to negotiate ECDHE cipher suites unless the client sends 
a supported curve extension with this one included. A server that only 
wants to negotiate the FFDHE 3072 bit group could easily encode it as an 
arbitrary group if the client doesn't send the extension (which would 
still happen most of the time), but if the client *does* send the 
extension, then, under the current draft-02, the server would have to 
propagate this information to the server key exchange encoder somehow 
(be it with maps, switches or if-clauses).

> Note also, that the current approach will simplify a lot an implementation that
> doesn't want to keep the old DHE key exchange with arbitrary groups (and unlike
> the other key exchanges in TLS, DHE was the most problematic compatibility-wise so
> I guess many small implementations would be more than happy to drop it).

I don't know about compatibility issues, but rather see a security issue 
that SSL 3.0 up to TLS 1.2 didn't explicitly require the DHE parameters 
to have a bit size greater than or equal to the certificate public key. 
I don't know how common it is for clients that offer DHE cipher suites 
to be able to use the server certificate key for signature verification, 
but unable to compute a DHE handshake using integers of a comparable 
size. I doesn't seem reasonable to expect this to be a problem of such 
magnitude, that the standards should keep an acceptance for low(er) 
security (than necessary) in order to keep interoperability with such 
clients.

v2.23.0 | Report a Bug | By Email