IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 11 October 2014 15:09 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6E741A6EFB for <tls@ietfa.amsl.com>; Sat, 11 Oct 2014 08:09:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i9TxI-CkVVDF for <tls@ietfa.amsl.com>; Sat, 11 Oct 2014 08:09:12 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id CA6161A6EE8 for <tls@ietf.org>; Sat, 11 Oct 2014 08:09:11 -0700 (PDT)
Received: from [160.39.146.222] (dyn-160-39-146-222.dyn.columbia.edu [160.39.146.222]) by che.mayfirst.org (Postfix) with ESMTPSA id 5AD47F984; Sat, 11 Oct 2014 11:09:07 -0400 (EDT)
Message-ID: <54394811.60003@fifthhorseman.net>
Date: Sat, 11 Oct 2014 11:09:05 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Icedove/32.0
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9C8F65@uxcn10-tdc05.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9C8F65@uxcn10-tdc05.UoA.auckland.ac.nz>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="Ur0qKqj6O0ECACFbMj7RAtPL8QTlQCK42"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/5CunzLVLPw8D4rU2-GQqKApomdE
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Oct 2014 15:09:15 -0000

Hi Peter, thanks for the quick review.

On 10/11/2014 04:19 AM, Peter Gutmann wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> 
>> I'd appreciate any comments or suggestions, and particularly review related
>> to the IANA considerations would be great.
> 
> It still doesn't include the widely-deployed IPsec groups (RFC 3526) that I
> asked for last time round, or the RFC 5114 groups which specifically mention
> use in TLS in their RFC.

yes, and that's a deliberate choice, as documented (perhaps not well
enough?) in the draft under "Choice of Groups".

I don't think we should include many groups (this leads to interop
issues and fingerprinting issues), so just adding to the list seems like
a bad idea.

Some of the MODP groups (768, 1024, 1536 at least) are also smaller than
we should be explicitly supporting in updated tools, so i don't think
re-blessing them into another standard is a good idea.

And if there is some fancy attack that needs expensive pre-computation
to work against a targeted group, we shouldn's expose both TLS and IPSEC
because they're sharing groups.

One counterargument i'm aware of is that systems that want to support
both sets of groups would need to have a larger table of known moduli.
So perhaps the argument is that extremely memory-constrained devices
running both TLS and IPSec (or TLS with SRP) could share a table of
known moduli to reduce RAM consumption?  I'm not convinced that this is
particularly important for modern hardware, or that there are many
deployments that meet this scope anyway.

The 5114 groups are small, have unusual generators, and the moduli don't
appear to be safe primes, so it's difficult to know if a peer is forcing
you into a small subgroup with their share -- am i mistaken on that?

We had a discussion about the use of e-derived safe primes instead of
pi-derived safe primes in Toronto, and no one seemed to think that the
groups currently proposed were any worse than the MODP groups.

So i'm not inclined to change this, unless there is a stronger argument
or more widespread opposition to it.

Should i add more of the above detail anywhere in the draft to make it
clear why it's set up this way?

	--dkg

v2.23.0 | Report a Bug | By Email