Re: [TLS] DH group negotiation extension [was: Re: draft-sheffer-tls-bcp: DH recommendations]

Watson Ladd <watsonbladd@gmail.com> Sun, 10 November 2013 05:42 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEE4321E80E8 for <tls@ietfa.amsl.com>; Sat, 9 Nov 2013 21:42:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.55
X-Spam-Level:
X-Spam-Status: No, score=-2.55 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGM3s4nnon2X for <tls@ietfa.amsl.com>; Sat, 9 Nov 2013 21:42:05 -0800 (PST)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id 1003121E80E7 for <tls@ietf.org>; Sat, 9 Nov 2013 21:42:04 -0800 (PST)
Received: by mail-wi0-f169.google.com with SMTP id cb5so1188334wib.0 for <tls@ietf.org>; Sat, 09 Nov 2013 21:42:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=eyuGe/bSzUGy5g29H1+CZPzGvpAH8i0NBX5/JOvLcCk=; b=g2nFe6bbhCNOyd78e3xFoEB6OgN2Kd2T1LvSBPNAry4gqZs/OYhBsARMZDmnRIHLU+ fsvkbU0nJzde+up3XNkWIOUvvQTLlyqmQkfGsAXNxgNWGGaFYzd25nUyZu5fKa/uJrWY mCAbUCWQQwgDEEEJ+DlCXkAChZPtj9MXnUQZA8s2LD0KIEwvbwvLQ9dRyUxWmivrvTOP 8GmBKhw3zBMrxV44azpWKcBrhEbkyakvI70A9Fe7mkxbGebQxMDrjMWq2VhhiJl2z7xv 1c6FkMnnofIr1WD9cfNXWTB19+x7UCh9HIPDh1Ng6dme2wMwAeaC3AjZbeRYp2fDmrw0 /x5A==
MIME-Version: 1.0
X-Received: by 10.180.37.162 with SMTP id z2mr7728099wij.58.1384062123921; Sat, 09 Nov 2013 21:42:03 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Sat, 9 Nov 2013 21:42:03 -0800 (PST)
In-Reply-To: <527F1AD1.20804@funwithsoftware.org>
References: <9A043F3CF02CD34C8E74AC1594475C735567407D@uxcn10-6.UoA.auckland.ac.nz> <A3161699-0975-403C-B9C1-8BE548062949@mac.com> <523DCC5D.9040707@pobox.com> <523E2F56.9040307@funwithsoftware.org> <3E26A3FE-2491-4D48-BBE9-A11B995CD28D@checkpoint.com> <523E763C.1010701@pobox.com> <87d2mcy2s3.fsf@alice.fifthhorseman.net> <527F1AD1.20804@funwithsoftware.org>
Date: Sat, 9 Nov 2013 21:42:03 -0800
Message-ID: <CACsn0cnNA5PwE2Og+w08fJqqDdwhFm54_ajdx30ymJa=iZTyiA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Patrick Pelletier <code@funwithsoftware.org>
Content-Type: text/plain; charset=UTF-8
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] DH group negotiation extension [was: Re: draft-sheffer-tls-bcp: DH recommendations]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Nov 2013 05:42:06 -0000

On Sat, Nov 9, 2013 at 9:34 PM, Patrick Pelletier
<code@funwithsoftware.org>; wrote:
> On 11/7/13 1:33 AM, Daniel Kahn Gillmor wrote:
>
>> The minmalist proposal:
>> -----------------------
>>
>>   * compliant clients advertising a ciphersuite using EDH would include
>>     an extension indicating the smallest and largest EDH group sizes they
>>     are willing to accept.
>
>
> The only thing I would add is that besides minimum and maximum number of
> bits, the client should also indicate a multiple, which the group size must
> be divisible by.  For example, Java only supports DH groups whose size is a
> multiple of 64.  If the client can accept any group size within its
> minimum,maximum range, then it uses 1 as its multiple.  So, examples of this
> triple might be:
>
> 1024,2048,64
> 1280,4096,8
> 1024,8192,1
>
>
>> All of the observations above make me think that the minimalist proposal
>> seems to be the least likely to cause controversy and the simplest to
>> patch into existing implementations quickly and safely.
Fuck no.
Why don't we just use an elliptic curve? Failing that, why not define one group?
Having servers and clients suggest groups to each other is a great
denial of service attack
as factoring p-1 might take a while.  What does EDH group negotiation solve?
Sincerely,
Watson
>
>
> +1.  It just fixes the existing mechanism, rather than introducing a new
> mechanism.
>
> However, at the risk of making the minimalist proposal slightly less
> minimal, I'd like to suggest that the extension should also allow the server
> to reply with the DH exponent size:
>
> http://lists.gnutls.org/pipermail/gnutls-help/2012-May/002748.html
>
> --Patrick
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin