Re: [TLS] Sending Custom DHE Parameters in TLS 1.3

Hanno Böck <hanno@hboeck.de> Tue, 13 October 2020 06:49 UTC

Return-Path: <hanno@hboeck.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF50F3A0EA1 for <tls@ietfa.amsl.com>; Mon, 12 Oct 2020 23:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NViZAT-le_A2 for <tls@ietfa.amsl.com>; Mon, 12 Oct 2020 23:49:43 -0700 (PDT)
Received: from zucker.schokokeks.org (zucker.schokokeks.org [178.63.68.96]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E213E3A0E9D for <tls@ietf.org>; Mon, 12 Oct 2020 23:49:42 -0700 (PDT)
Received: from computer ([2a02:8109:83c0:5eee:a45a:3e64:5f8f:6786]) (AUTH: PLAIN hanno-default@schokokeks.org, SSL: TLSv1.3, 256bits, TLS_AES_256_GCM_SHA384) by zucker.schokokeks.org with ESMTPSA id 0000000000000091.000000005F854E03.000076CC; Tue, 13 Oct 2020 08:49:39 +0200
Date: Tue, 13 Oct 2020 08:49:39 +0200
From: Hanno =?iso-8859-1?q?B=F6ck?= <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20201013084939.17572673@computer>
In-Reply-To: <8f57527d-efba-4d03-a3e5-f0ee33463d56@www.fastmail.com>
References: <8f57527d-efba-4d03-a3e5-f0ee33463d56@www.fastmail.com>
X-Mailer: Claws Mail 3.17.7 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4LnnrVb-0X7XIIRitoQzi7d9xG8>
Subject: Re: [TLS] Sending Custom DHE Parameters in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2020 06:49:45 -0000

Hi,

There was a reason custom DH parameters were removed.
Custom DH parameters were the source of plenty of problems.

I suggest reading:
https://blog.hboeck.de/archives/841-Diffie-Hellman-and-TLS-with-nonsense-parameters.html
https://eprint.iacr.org/2016/644
https://www.openssl.org/news/secadv/20160128.txt

There's also a more general theme I think what we have learned over
time:
Moving parts in crypto protocols are bad, simplicity is good. Fix as
much as you can, avoid negotiating stuff.

This is not talked about that much explicitly, but it is a major change
of how crypto protocols were designed in the past (i.e. TLS 1.2 times)
where it was often considered desirable to add as much flexibility as
possible.

(Also FWIW the relevance of DH is pretty small these days. I think the
largest web clients simply don't support it at all.)

-- 
Hanno Böck
https://hboeck.de/