IETF Logo Mail Archive

Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

Alyssa Rowan <akr@akr.io> Thu, 27 March 2014 12:27 UTC

Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6414A1A0690 for <tls@ietfa.amsl.com>; Thu, 27 Mar 2014 05:27:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.398
X-Spam-Level:
X-Spam-Status: No, score=0.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_BACK=2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8w3GHnmUR2ew for <tls@ietfa.amsl.com>; Thu, 27 Mar 2014 05:27:23 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id B38731A068A for <tls@ietf.org>; Thu, 27 Mar 2014 05:27:23 -0700 (PDT)
Received: from [10.103.236.114] (94.197.120.139.threembb.co.uk [94.197.120.139]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by entima.net (Postfix) with ESMTPSA id E6B8C600FE for <tls@ietf.org>; Thu, 27 Mar 2014 12:27:20 +0000 (GMT)
User-Agent: K-9 Mail for Android
In-Reply-To: <20140327115551.GA24503@randombit.net>
References: <AD51D38F-2CFE-4277-854D-C0E56292A336@cisco.com> <20140326211219.27D281AC7D@ld9781.wdf.sap.corp> <20140327095527.5335c7fa@hboeck.de> <20140327115551.GA24503@randombit.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
From: Alyssa Rowan <akr@akr.io>
Date: Thu, 27 Mar 2014 12:27:17 +0000
To: tls@ietf.org
Message-ID: <6f43d6c5-b70f-4a80-98e6-f653011317c7@email.android.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3CSfk7pjZ4eKMNDIlWMoD-iWl5M
Subject: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 12:27:25 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, Mar 27, 2014 at 09:55:27AM +0100, Hanno Böck wrote:
> Appart from the other issues, I think it would make a lot of sense to
> change DHE handling in TLS 1.3 away from "server can have arbitrary
> parameters".

I'm wondering: why even keep DHE around at all?

Let's face it: traditional DHE runs like an absolute dog compared to ECDHE using secp256r1, or especially curve25519 (which we have a live draft for now: I'm ready to start driving deployment almost as soon as we get a curve number!).

Speed is why people were reluctant to deploy PFS, and in many cases in the wild, advised increasing TLS server performance by disabling it (which is bad for everyone). ECDHE eliminates that problem.

Show of hands: who *really* wants to deploy 2048-bit (or above) DHE, when they could have curve25519 instead?

Suggestion: remove static RSA *and* traditional DHE and mandate ECDHE for key exchange in TLS 1.3. I propose,
 curve25519 as mandatory-to-implement and secp256r1 as recommended-to-implement [? Also mandatory, maybe?], both in constant time, which is comparatively easy, especially for 25519.

That would simplify the protocol considerably (decreasing the code and protocol surface to audit), increase its baseline security well above 2048-bit DH, to ~3072-bit (ish) levels, reduce the size of the exchanges and massively reduce the CPU load on both servers and clients.

That seems to me like a win for every one of the good guys and none of the bad guys: TLS 1.3 gets both simpler, easier to audit, more secure *and* faster - and that's the kind of thing that'll drive 1.3 adoption in my opinion. Thoughts?

- --
/akr
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQI3BAEBCgAhBQJTNBkkGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
jtkWi2t67zwQAL0qda+2JX6ODJLzhuvKI6v82ng4cWvNh/OnVZ7CNKKq2JR/AdBj
CftYldhG/8ETi4chPhie3q4ovc+uo3NtP1W95zo696s1wPKDYI7/d60SrxvycdSA
zStYAmSxK39cXDvm9iyNNGTVPdvwbZAkiQjFGh+pXIN0c8SP4L11FtDaVhe/7/Ee
4Fn2cpSe9FojMbB7XYqO9QIeLsUzeEgfNBdL58P9ZbpkBK7SsHzu9u5LSSh+vtsF
ejbgwuvaPxDuRVGgKffI3lSUC4GCm0krqgou1eDM2uWMKoBydSOC4JMFbZDWrMrC
1CHDpnyhgU9a6dnBbI6W3mf/vrIddHeN2PAQHyAC7aRhMrMgLqNN7SuXo4ifFmco
tbSNCyiTguYE1juOMsxwMSRGjd0AMM3TSkY85COduWiEjvekfVyuT540CClqrar/
JqHgdo69SjNDT24sGfcMpji/5Hklg+pkUPX/pX9yVzZPUvfER6bRhnb2FaHFvvx0
rPBO/VOgTIP+0DRPYcSNVrkSymFSNs2wBwf8D3FrPa+6gKfByFIelLDY68nDs9O8
v2r+iiNIKKp97CNYJPvzx2srR7IDJF908ZA7U5v5fmUs3+JEV1VxRONwtxj+hJj4
qbQSdOwF/n8uRRsEZ+Z8vAbdo35j8v0DHCnn8T3DxE1qE1ymLFH9XqiK
=g6eK
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email