IETF Logo Mail Archive

Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

Watson Ladd <watsonbladd@gmail.com> Fri, 28 March 2014 15:13 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 417811A069C for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 08:13:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5yZLIy37G3ze for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 08:13:55 -0700 (PDT)
Received: from mail-yh0-x235.google.com (mail-yh0-x235.google.com [IPv6:2607:f8b0:4002:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id CAAAB1A0668 for <tls@ietf.org>; Fri, 28 Mar 2014 08:13:54 -0700 (PDT)
Received: by mail-yh0-f53.google.com with SMTP id v1so5090430yhn.40 for <tls@ietf.org>; Fri, 28 Mar 2014 08:13:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=jaBtlWTe5On40sNP2hgWDVp4qoJm4sZ28IukpNhjz18=; b=gY5U3vNT77ROuQeysfY6kiAWLcW9fjqQqv+/lSSK59PsCXsxzrt6M5jr1tujfs90M+ I6TCdpG3gdtpNlAhElPM3l2uWq00xj/DbfVXpc4dXsSr6Ym5jG6YRTSa12plRYTV5Gxa qHWSh9PVSkh2tD30gj8vBr9sjfYwWrrOgZVITS7c81BJc+X4rEGcWNMW7fncSq8M0fu8 HVXl2V8MAUSKlxCM3ElraCv3cZWoXiu+Z2yrAoo8WPJIsVD0ropKDsWNsZzxdDvYRy93 Y7mNrgfP6sr8MheFk2jTdcXYCwxfzt2AjYWKaXEWuvhGPh/textQd1sCcKr35B43T89G ZmQQ==
MIME-Version: 1.0
X-Received: by 10.236.90.12 with SMTP id d12mr2830525yhf.120.1396019632568; Fri, 28 Mar 2014 08:13:52 -0700 (PDT)
Received: by 10.170.80.214 with HTTP; Fri, 28 Mar 2014 08:13:52 -0700 (PDT)
In-Reply-To: <CABcZeBMB9mcDkYua_GHvwm5tWt7UNDAmMycJCJUGzd2kqq5qYg@mail.gmail.com>
References: <CABkgnnX=KM4YVf1+znp_HS+Pu6DSw64q1adDC4EOPqRLuTDZKQ@mail.gmail.com> <CACsn0cksap5t0--65gnJt5a2yJCNtzvkDX9mmQR=T_r2xYJjYQ@mail.gmail.com> <5334C8A8.2020906@streamsec.se> <C3A58B39-69DE-4AF9-99F5-41169886F87A@gmail.com> <CABcZeBMB9mcDkYua_GHvwm5tWt7UNDAmMycJCJUGzd2kqq5qYg@mail.gmail.com>
Date: Fri, 28 Mar 2014 11:13:52 -0400
Message-ID: <CACsn0cku43cqh_BeLWjuLYyx97QW4hyDsW2bJigqk4LkF0kWsg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2t4ffd76Nvt3UxcVhMagvRjwgUg
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 15:13:57 -0000

On Fri, Mar 28, 2014 at 10:09 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Thu, Mar 27, 2014 at 11:38 PM, Karthikeyan Bhargavan
> <karthik.bhargavan@gmail.com> wrote:
>>
>>
>> Well, the DHE handshake has validation issues: implementations aren't
>>
>> checking they get sensible inputs.
>>
>> Fix that, and maybe you have an argument for keeping it. But as it
>>
>> stands now the insecure resumption attacks are exploiting behavior in
>> DHE that isn't fixable without a DOS vector being introduced.
>>
>>
>> In regard to DHE validation, one answer (already proposed on this thread)
>> is to use well-known named groups, instead of arbitrary groups. So, rather
>> than banning DHE, we could standardise named groups (like named curves) and
>> ban the use of arbitrary groups (and arbitrary explicit curves).
>
>
> Note that we could do this for TLS 1.x not just for TLS 1.3, though
> obviously we couldn't *require* standardized groups for older
> versions for compatibility reasons.
>
> WRT group validation being a DoS vector (a point made by Watson),
> the effect of the DoS seems somewhat limited by the fact that it's the
> server who selects the group and therefore the client who has to validate
> it, so you can't push arbitrary computational load onto some server just by
> connecting
> to them and forcing it to validate parameters (though of course you can
> already do so to some extent by forcing them to do signatures, key
> exchanges, etc.)

Validating a DH group requires factoring p-1 and determining that it
has a large nonsmooth part, as well as determining p is prime.
This is a lot of work, which is why clients don't do it. (Even if we
demand that p-1 have no prime factors up to 256 bit there isn't a good
way to do that beyond factoring[1]). On my rather nice machine,
running gp and asking it to factor 2^1024-epsilon takes a long time.
The DoS is from one connection, not many.

As for Javascript, web browsers have to deal with scripts running
overtime already. It's a much easier problem.

Sincerely,
Watson Ladd

>
> This isn't to say that DoS of clients isn't a potentially big deal but at
> least in the Web context any network attacker can force arbitrary amounts of
> computation onto the client just by pushing JS into any HTTP connection [0].
> Outside the Web context, there probably are cases where this would be a
> more viable attack, though depending on the cost of validation they
> might require the client to also be willing to do a lot of reconnects
> automatically in order to be really affected.
>
> -Ekr
>
> [0] And of course in Karthik's attack, the assumption is that the client
> would connect to the attack server in any case and so even in an
> all HTTPS world, the attacker could shove down arbitrary JS from
> his own site.
>
>
>> Still, public key validation remains important for both ECDHE and DHE, and
>> essential to prevent insecure resumption-like attacks.
>>
>> 1. At the end of the first handshake, the finished messages of the
>> connections C/A and A/S will be different.
>> 2. The outline of the attack rests on the assumption that A might simply
>> forward the messages during the second handshake, because all parameters are
>> the same, and here the finished messages for C/A and A/S will consequently
>> also be the same. Well, they will be if no renegotiation indication
>> extension is included. If it is, this will however be different for C/A and
>> A/S, and hence result in different finished messages after the second
>> handshake as well.
>>
>>
>> Yes, which is why the attack requires 3 handshakes not two. By injecting a
>> resumption handshake between 1. and 2. above, the finished messages of C/A
>> and A/S can be made the same. I’d be happy to discuss off-list.
>>
>> Best,
>> Karthik
>>
>>
>>
>> Am I missing something obvious?
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email