IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Nikos Mavrogiannopoulos <nmav@redhat.com> Sun, 26 October 2014 07:14 UTC

Return-Path: <nmavrogi@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 011031A6FDD for <tls@ietfa.amsl.com>; Sun, 26 Oct 2014 00:14:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.612
X-Spam-Level:
X-Spam-Status: No, score=-2.612 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QQWYFFHUaT90 for <tls@ietfa.amsl.com>; Sun, 26 Oct 2014 00:14:10 -0700 (PDT)
Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com [209.132.183.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63CA81A6FC8 for <tls@ietf.org>; Sun, 26 Oct 2014 00:14:10 -0700 (PDT)
Received: from zmail22.collab.prod.int.phx2.redhat.com (zmail22.collab.prod.int.phx2.redhat.com [10.5.83.26]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9Q7E8KV024721; Sun, 26 Oct 2014 03:14:08 -0400
Date: Sun, 26 Oct 2014 03:14:08 -0400
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <153436771.84597.1414307648093.JavaMail.zimbra@redhat.com>
In-Reply-To: <CACsn0cna6uZqZP=j6U67PNNJncTTNO+PP=iyrHp_mBOpm+pt+Q@mail.gmail.com>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <CACsn0ckWj2Jb65JN3mpABe0hC=ao3Bi7qQgUJYkUgzG9giAn8Q@mail.gmail.com> <20141025201642.GA7408@LK-Perkele-VII> <CACsn0cna6uZqZP=j6U67PNNJncTTNO+PP=iyrHp_mBOpm+pt+Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.5.82.6]
X-Mailer: Zimbra 8.0.6_GA_5922 (ZimbraWebClient - FF29 (Linux)/8.0.6_GA_5922)
Thread-Topic: I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
Thread-Index: 5nUzKf2l+DBGMtozEnpvD7tWS59dKw==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4rztc3dFj5od8P-r2pocWPbC5K0
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Oct 2014 07:14:12 -0000


----- Original Message -----
> On Sat, Oct 25, 2014 at 1:16 PM, Ilari Liusvaara
> <ilari.liusvaara@elisanet.fi> wrote:
> > On Sat, Oct 25, 2014 at 12:55:58PM -0700, Watson Ladd wrote:
> >> On Sat, Oct 25, 2014 at 12:51 PM, Nikos Mavrogiannopoulos
> >> <nmav@redhat.com> wrote:
> >>
> >> > 3. There are known attacks against the current ServerKeyExchange format
> >> > which
> >> > remain applicable if we go this path (a sufficiently long DH
> >> > serverkeyexchange
> >> > message can be parsed as an ECDH serverkeyexchage).
> >>
> >> And 4: session_hash solves the same problem if I understand the
> >> elements of it correctly, and we need it anyway because of this
> >> ambiguity in parsing mentioned above. So do we even need this draft?
> >
> > AFAIK, no, it won't, at least not completely.
> 
> I'm afraid I didn't realize how what I wrote would be read. It seems
> to me that the session_hash doesn't necessarily fix the ambiguity
> issue, but does ensure that sending bad groups will achieve nothing
> for an attacker. Even if we adopt this draft for DHE, session_hash is
> still needed in TLS 1.2. So what does this draft get us, assuming
> session_hash is deployed?

I think it is a bit unproductive to comment without reading the actual
draft. The issue it solves is unrelated to session hash. It is described
in its introduction at
https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-02#section-1

"Traditional TLS [RFC5246] offers a Diffie-Hellman ephemeral (DHE) key
   exchange mode which provides Perfect Forward Secrecy for the
   connection.  The client offers a ciphersuite in the ClientHello that
   includes DHE, and the server offers the client group parameters g and
   p.  If the client does not consider the group strong enough (e.g. if
   p is too small, or if p is not prime, or there are small subgroups),
   or if it is unable to process it for other reasons, it has no
   recourse but to terminate the connection ..."

regards,
Nikos

v2.23.0 | Report a Bug | By Email