[TLS] Fwd: [pkix] Updated elliptic curve drafts
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 15 October 2015 16:28 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A45A31B2F35 for <tls@ietfa.amsl.com>; Thu, 15 Oct 2015 09:28:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qiQZqCWPJ0ZR for <tls@ietfa.amsl.com>; Thu, 15 Oct 2015 09:27:59 -0700 (PDT)
Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C64841ACEAA for <tls@ietf.org>; Thu, 15 Oct 2015 09:27:37 -0700 (PDT)
Received: by lbwr8 with SMTP id r8so75302173lbw.2 for <tls@ietf.org>; Thu, 15 Oct 2015 09:27:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=TP6v3/e+2SPfukxlmXPBGdC4Ysf1S1+INmmd6jw4U6Y=; b=NngxjpZ0O5ZXhA/W11DjrP42vyKPljZ9tgj+HrjKsfoHpczBpQHu+HZzF3fvm5sYP8 IXvJTAbDzO/meqgIWJOcCn837R6oj6LIid+CHW0cjXrELsS180sAEtEpLDn3amiUZ/Ry acT2xMb+gz4ML5PnpCfT55W/FGUo0PdfA4s64Nsf9GA/J2yMK8p8rEJjTQdGlRZm4izr HSkDodE9WeJrK/fRvonemNV32veDVyaDZPFoq3vMM7pri4h7PcRjsD3UQpwydWTUhG/n qFCWe2UDmT0qACJ28rOUF82PgoIC9twE41FyNxMB9oDo5FsYSaWgtKKjbJxY6BhjCCTM XSXQ==
MIME-Version: 1.0
X-Received: by 10.112.53.131 with SMTP id b3mr5259521lbp.55.1444926455521; Thu, 15 Oct 2015 09:27:35 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.213.75 with HTTP; Thu, 15 Oct 2015 09:27:35 -0700 (PDT)
In-Reply-To: <CAMm+LwhDmnKFGWrcXP2N5W15uiazj+SiYNQvqviXz+6Fp442xQ@mail.gmail.com>
References: <87fv1fal6s.fsf@latte.josefsson.org> <CAMm+LwhDmnKFGWrcXP2N5W15uiazj+SiYNQvqviXz+6Fp442xQ@mail.gmail.com>
X-Google-Sender-Auth: lnDt1tonREgx7yuGzOxcYTFlAis
Message-ID: <CAMm+LwgR+o_g_vecu+vbj=pTZ83t3MA9rqmoWe+sms6f9RjHtQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c3e9ac1ba91e052227284f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/43GXOkQcABeWMut3IH5ml0hIz_o>
X-Mailman-Approved-At: Sun, 01 Nov 2015 16:49:51 -0800
Subject: [TLS] Fwd: [pkix] Updated elliptic curve drafts
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Date: Thu, 15 Oct 2015 16:28:01 -0000
X-Original-Date: Thu, 15 Oct 2015 12:27:35 -0400
X-List-Received-Date: Thu, 15 Oct 2015 16:28:01 -0000
I strongly oppose any new crypto that does not include a fix for the ephemeral keygen. The reason logjam is possible is that the key negotiation is essentially 1) Negotiate a shared secret S1 using the strong, long term server key. 2) Use the shared secret to authenticate ephemeral key parameters Ec, Es 3) Derive the session keys S2 from the ephemeral key parameters only and throw away the output from the strong long term keys. It is not just 512 bit keys that are vulnerable. 1024 bit DH keys are also weak: https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/ If we are changing the crypto suites we can and should fix this instead of S2 being a function of Ec, Es alone, add in the original S1 as a salt. e.g. S2 = SHA512 (S1 + f(Ec, Es)) This ensures that no matter how broken the ephemeral crypto is, the key exchange is always at least as secure as either the long term or the ephemeral key. Logjam isn't the only way that the system can be compromised. Oh and damn right I think BULLRUN might have had a part in keeping the spec broken. There is a right way to design an ephemeral key exchange and it is to 'Do no harm'. Logjam shows that our current key negotiation mechanism has a hole that makes it possible for the ephemeral to do harm. The move to the CFRG curves will mean a backwards incompatible change to the deployed infrastructure so this is a perfect time to fix ephemeral key establishment. I am going to keep raising this until the issue is fixed. On Mon, Oct 12, 2015 at 4:25 PM, Simon Josefsson <simon@josefsson.org> wrote: > Hi, > > I've updated my drafts on Curve25519/Curve448 support in PKIX to refer > to the CFRG-Curves and CFRG-EdDSA drafts. > > The following document adds new EdDSA key/signature OIDs directly: > > https://tools.ietf.org/html/draft-josefsson-pkix-eddsa-04 > > The following document adds new namedCurve OIDs, thus going indirectly > through the existing ECDSA 3279 route: > > https://tools.ietf.org/html/draft-josefsson-pkix-newcurves-01 > > These two drafts take different approaches to including the new curves > into PKIX, and currently both lack applicability statements. There is > potential for overlap and conflict right now. It recently came up that > for PKCS#11 a namedCurve approach would be useful, but for normal PKIX > Certificates, it may be that the first direct approach is preferrable. > The former lack the possibility of encoding keys for DH. I believe each > approach can be useful on its own, but we need to include text adressing > use-cases that can be resolved by both documents to avoid conflicts. > > /Simon > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix >
- [TLS] Fwd: Updated elliptic curve drafts Simon Josefsson
- Re: [TLS] Fwd: Updated elliptic curve drafts Ilari Liusvaara
- [TLS] Fwd: [pkix] Updated elliptic curve drafts Phillip Hallam-Baker
- Re: [TLS] Fwd: [pkix] Updated elliptic curve draf… Martin Thomson