Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)
Watson Ladd <watsonbladd@gmail.com> Fri, 28 March 2014 15:13 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 417811A069C for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 08:13:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5yZLIy37G3ze for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 08:13:55 -0700 (PDT)
Received: from mail-yh0-x235.google.com (mail-yh0-x235.google.com [IPv6:2607:f8b0:4002:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id CAAAB1A0668 for <tls@ietf.org>; Fri, 28 Mar 2014 08:13:54 -0700 (PDT)
Received: by mail-yh0-f53.google.com with SMTP id v1so5090430yhn.40 for <tls@ietf.org>; Fri, 28 Mar 2014 08:13:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=jaBtlWTe5On40sNP2hgWDVp4qoJm4sZ28IukpNhjz18=; b=gY5U3vNT77ROuQeysfY6kiAWLcW9fjqQqv+/lSSK59PsCXsxzrt6M5jr1tujfs90M+ I6TCdpG3gdtpNlAhElPM3l2uWq00xj/DbfVXpc4dXsSr6Ym5jG6YRTSa12plRYTV5Gxa qHWSh9PVSkh2tD30gj8vBr9sjfYwWrrOgZVITS7c81BJc+X4rEGcWNMW7fncSq8M0fu8 HVXl2V8MAUSKlxCM3ElraCv3cZWoXiu+Z2yrAoo8WPJIsVD0ropKDsWNsZzxdDvYRy93 Y7mNrgfP6sr8MheFk2jTdcXYCwxfzt2AjYWKaXEWuvhGPh/textQd1sCcKr35B43T89G ZmQQ==
MIME-Version: 1.0
X-Received: by 10.236.90.12 with SMTP id d12mr2830525yhf.120.1396019632568; Fri, 28 Mar 2014 08:13:52 -0700 (PDT)
Received: by 10.170.80.214 with HTTP; Fri, 28 Mar 2014 08:13:52 -0700 (PDT)
In-Reply-To: <CABcZeBMB9mcDkYua_GHvwm5tWt7UNDAmMycJCJUGzd2kqq5qYg@mail.gmail.com>
References: <CABkgnnX=KM4YVf1+znp_HS+Pu6DSw64q1adDC4EOPqRLuTDZKQ@mail.gmail.com> <CACsn0cksap5t0--65gnJt5a2yJCNtzvkDX9mmQR=T_r2xYJjYQ@mail.gmail.com> <5334C8A8.2020906@streamsec.se> <C3A58B39-69DE-4AF9-99F5-41169886F87A@gmail.com> <CABcZeBMB9mcDkYua_GHvwm5tWt7UNDAmMycJCJUGzd2kqq5qYg@mail.gmail.com>
Date: Fri, 28 Mar 2014 11:13:52 -0400
Message-ID: <CACsn0cku43cqh_BeLWjuLYyx97QW4hyDsW2bJigqk4LkF0kWsg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2t4ffd76Nvt3UxcVhMagvRjwgUg
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 15:13:57 -0000
On Fri, Mar 28, 2014 at 10:09 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Thu, Mar 27, 2014 at 11:38 PM, Karthikeyan Bhargavan > <karthik.bhargavan@gmail.com> wrote: >> >> >> Well, the DHE handshake has validation issues: implementations aren't >> >> checking they get sensible inputs. >> >> Fix that, and maybe you have an argument for keeping it. But as it >> >> stands now the insecure resumption attacks are exploiting behavior in >> DHE that isn't fixable without a DOS vector being introduced. >> >> >> In regard to DHE validation, one answer (already proposed on this thread) >> is to use well-known named groups, instead of arbitrary groups. So, rather >> than banning DHE, we could standardise named groups (like named curves) and >> ban the use of arbitrary groups (and arbitrary explicit curves). > > > Note that we could do this for TLS 1.x not just for TLS 1.3, though > obviously we couldn't *require* standardized groups for older > versions for compatibility reasons. > > WRT group validation being a DoS vector (a point made by Watson), > the effect of the DoS seems somewhat limited by the fact that it's the > server who selects the group and therefore the client who has to validate > it, so you can't push arbitrary computational load onto some server just by > connecting > to them and forcing it to validate parameters (though of course you can > already do so to some extent by forcing them to do signatures, key > exchanges, etc.) Validating a DH group requires factoring p-1 and determining that it has a large nonsmooth part, as well as determining p is prime. This is a lot of work, which is why clients don't do it. (Even if we demand that p-1 have no prime factors up to 256 bit there isn't a good way to do that beyond factoring[1]). On my rather nice machine, running gp and asking it to factor 2^1024-epsilon takes a long time. The DoS is from one connection, not many. As for Javascript, web browsers have to deal with scripts running overtime already. It's a much easier problem. Sincerely, Watson Ladd > > This isn't to say that DoS of clients isn't a potentially big deal but at > least in the Web context any network attacker can force arbitrary amounts of > computation onto the client just by pushing JS into any HTTP connection [0]. > Outside the Web context, there probably are cases where this would be a > more viable attack, though depending on the cost of validation they > might require the client to also be willing to do a lot of reconnects > automatically in order to be really affected. > > -Ekr > > [0] And of course in Karthik's attack, the assumption is that the client > would connect to the attack server in any case and so even in an > all HTTPS world, the attacker could shove down arbitrary JS from > his own site. > > >> Still, public key validation remains important for both ECDHE and DHE, and >> essential to prevent insecure resumption-like attacks. >> >> 1. At the end of the first handshake, the finished messages of the >> connections C/A and A/S will be different. >> 2. The outline of the attack rests on the assumption that A might simply >> forward the messages during the second handshake, because all parameters are >> the same, and here the finished messages for C/A and A/S will consequently >> also be the same. Well, they will be if no renegotiation indication >> extension is included. If it is, this will however be different for C/A and >> A/S, and hence result in different finished messages after the second >> handshake as well. >> >> >> Yes, which is why the attack requires 3 handshakes not two. By injecting a >> resumption handshake between 1. and 2. above, the finished messages of C/A >> and A/S can be made the same. I’d be happy to discuss off-list. >> >> Best, >> Karthik >> >> >> >> Am I missing something obvious? >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] Nuking DHE in favour of ECDHE (Was: Re: Con… Martin Thomson
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Watson Ladd
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Marsh Ray
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Henrick Hellström
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Karthikeyan Bhargavan
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Daniel Kahn Gillmor
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Eric Rescorla
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Watson Ladd
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Andrei Popov
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Paul Hoffman
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Peter Gutmann
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Rob Stradling
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Andrei Popov
- Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re:… Andrei Popov