IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 27 October 2014 10:47 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C74111A900B for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 03:47:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IXYAP3nPLL0Z for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 03:47:47 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94DB41A9087 for <tls@ietf.org>; Mon, 27 Oct 2014 03:47:46 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9RAPthA027585 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 27 Oct 2014 06:25:55 -0400
Received: from [10.34.2.127] (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9RAPpu8029425 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 27 Oct 2014 06:25:54 -0400
Message-ID: <1414405551.2543.8.camel@dhcp-2-127.brq.redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: henrick@streamsec.se
Date: Mon, 27 Oct 2014 11:25:51 +0100
In-Reply-To: <544E0682.30804@streamsec.se>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <544C1BC3.5060204@streamsec.se> <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com> <544E0682.30804@streamsec.se>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/5mdETrDI16KhMqewpLRVnpagCBg
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 10:47:49 -0000

On Mon, 2014-10-27 at 09:46 +0100, Henrick Hellström wrote:
> On 2014-10-26 08:09, Nikos Mavrogiannopoulos wrote:
> > To be honest I don't see that to be a lot more complex, and the complexity
> > on the same level as supporting ECDH with named groups and arbitrary groups,
> > which was deemed reasonable for ECDH. Consistency (with ECDH) is also another
> > reason to keep the code paths separated.
> 
> Another thing about this rule:
> 
> >    A compatible TLS server that receives the NamedCurve extension with
> >    FFDHE codepoints in it, and which selects an FFDHE ciphersuite MUST
> >    select one of the offered groups and indicates the choice of groups
> >    to the client by sending a specially-formatted ServerDHParams as
> >    described below.
> 
> Suppose a client offers both ECDHE and FFDHE cipher suites, and does 
> send the NamedCurve extension, but with no identifiers the server 
> recognizes as FFDHE groups, but with a few identifiers the server 
> doesn't recognize at all.
> How is the server supposed to tell if:
>    1. The client doesn't support named FFDHE groups at all and expects 
> the arbitrary encoding of FFDHE server key exchange messages, or

All the server needs to know is the common FFDHE groups they support.
And that it apparent in that case. None.

If they have no common groups the server SHOULD NOT negotiate DHE
according to the current draft, so no dilemma here.

>    2. The client supports only a few named FFDHE groups defined in a 
> later revision of the standard that the server hasn't yet implemented, 
> meaning the server ideally MUST NOT use the arbitrary encoding of FFDHE 
> groups, but rather pick other cipher suites?

I think the situation is similar as above. The intersection of the
supported FFDHE groups is empty, thus according to the
draft-ietf-tls-negotiated-ff-dhe a compliant server should not select
the DHE ciphersuites at all. If he selected DHE ciphersuites, it is a
legacy server that doesn't support the draft. So for the server, the
decisions are straightforward as far as I understand.

A client though will have to decide on whether a legacy server is seen,
or a compliant to ffdhe draft, based on the format of ServerKeyExchange.
That's why I suggested to make them sufficiently distinct.

regards,
Nikos

v2.23.0 | Report a Bug | By Email