Re: [TLS] Regarding draft-bartle-tls-deprecate-ffdhe

David Benjamin <davidben@chromium.org> Mon, 08 March 2021 19:25 UTC

From: David Benjamin <davidben@chromium.org>
Date: Mon, 08 Mar 2021 14:24:55 -0500
Message-ID: <CAF8qwaAANPA1zT9e=UULY9k_9xizu+mx0wo7a3WC3Y3COm+nPg@mail.gmail.com>
To: Carrick Bartle <cbartle891@icloud.com>
Cc: Martin Thomson <mt@lowentropy.net>, Carrick Bartle <cbartle891=40icloud.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7B8aZEeQw4nVYsJVETrew-WGOKQ>

I guess it's a question of what the goal of this draft is. I don't
particularly care as long as it's self-consistent. :-)

We've got the title, "FFDH(E)", which would suggest targeting TLS_DH_*,
TLS_DHE_*, and even NamedGroup.ffdhe*, and not anything around ECDH(E).
We've got the contents, which are targeting non-PFS flows, EC or FF. That
is, TLS_DH_*, TLS_ECDH_*, and uses of (EC)DHE that aren't actually
ephemeral.
We've got the Raccoon citation, which would suggest[*] targeting TLS_DH_*
and TLS_DHE_*, due to the buggy construction, and possibly also the non-PFS
modes of both 1.3 FFDHE and 1.2/1.3 ECDHE because key reuse is more fragile.

[*] From the conclusion of the paper: "The most straightforward mitigation
against the attack is to remove support for TLS-DH(E) entirely, as most
major client implementations have already stopped supporting them"

On Mon, Mar 8, 2021 at 2:06 PM Carrick Bartle <cbartle891@icloud.com> wrote:

> I'm not opposed to expanding the scope of this document to include
> deprecating DHE. Is there a major advantage to that being its own draft?
>
>
> > On Mar 8, 2021, at 10:09 AM, Martin Thomson <mt@lowentropy.net> wrote:
> >
> > One thing at a time?
> >
> > On Tue, Mar 9, 2021, at 05:05, David Benjamin wrote:
> >> I'd suggest we also deprecate TLS 1.2 TLS_DHE_*, even when ephemeral:
> >>
> >> - The construction is broken. The leak itself in the Raccoon attack
> >> comes from TLS 1.2 removing leading zeros. We can't change the meaning
> >> of the existing code points, so any fix there would involve dropping
> >> them.
> >>
> >> - It lacks group negotiation, which makes it very difficult to migrate
> >> away from small groups. At least in the web, it's already no longer
> >> supported by most implementations.
> >>
> >> https://groups.google.com/a/chromium.org/g/blink-dev/c/AAdv838-koo/m/bJv17voIBAAJ
> >> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
> >> https://weakdh.org/
> >>
> >> On Mon, Mar 8, 2021 at 12:52 PM Carrick Bartle
> >> <cbartle891=40icloud.com@dmarc.ietf.org> wrote:
> >>> Agreed. I'll change the title to reflect that.
> >>>
> >>>> On Mar 8, 2021, at 7:33 AM, Martin Thomson <mt@lowentropy.net> wrote:
> >>>>
> >>>> Well overdue.  We should do this.
> >>>>
> >>>> The title "Deprecating FFDH(E) Ciphersuites in TLS" doesn't seem to
> >>>> match the document content.  I only see static or semi-static DH and ECDH
> >>>> key exchange being deprecated (in the document as non-ephemeral).
> >>>>
> >>>> _______________________________________________
> >>>> TLS mailing list
> >>>> TLS@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/tls
>
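The encoding difference David points at in the quoted message (TLS 1.2 strips leading zero bytes from the DHE premaster secret, TLS 1.3 left-pads the shared secret to the size of the prime) is easy to see in code. The block below is an added example and is not part of this thread or of any cited draft. The modulus is a constructed 1024-bit stand-in whose only relevant property is its byte length, not a real group, and the compression counts come from SHA-256 padding and RFC 2104 key handling, not from any measurement in the Raccoon paper.

```python
"""How TLS 1.2 and TLS 1.3 turn a finite-field DH shared value Z into key
material, and why the TLS 1.2 rule makes the PRF input length data-dependent.

Added example; constructed parameters only (see comments)."""
import hmac
import hashlib

SHA256_BLOCK = 64      # bytes per SHA-256 compression call
SHA256_PAD = 1 + 8     # 0x80 byte plus 64-bit length field


def tls12_premaster_secret(z: int) -> bytes:
    """RFC 5246 section 8.1.2: Z as a big-endian integer with all leading
    zero bytes stripped. The length therefore depends on the value of Z
    (Z == 0 is kept as a single byte here so the function never returns b'')."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def tls13_shared_secret(z: int, p: int) -> bytes:
    """RFC 8446 section 7.4.1: Z encoded big-endian and left-padded with zeros
    to the byte length of the prime p. Fixed length for a given group."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def sha256_compressions(msg_len: int) -> int:
    """Number of compression-function calls SHA-256 makes on msg_len bytes."""
    return (msg_len + SHA256_PAD + SHA256_BLOCK - 1) // SHA256_BLOCK


def hmac_sha256_key_compressions(key_len: int) -> int:
    """Compression calls spent on the key alone in HMAC-SHA256 (RFC 2104):
    a key longer than the 64-byte block is hashed down to 32 bytes first; a
    key of 64 bytes or less is only zero-padded, which costs nothing extra.
    The TLS 1.2 PRF uses the premaster secret as this HMAC key."""
    return sha256_compressions(key_len) if key_len > SHA256_BLOCK else 0


def tls12_prf_first_hmac(premaster: bytes, label: bytes, seed: bytes) -> bytes:
    """First A(1) step of the TLS 1.2 P_SHA256 PRF (RFC 5246 section 5), shown
    only to make the point that the variable-length premaster is the HMAC key."""
    return hmac.new(premaster, label + seed, hashlib.sha256).digest()


def compare_encodings(z: int, p: int) -> dict:
    """Return the two encodings' lengths and the HMAC key cost for TLS 1.2."""
    pms = tls12_premaster_secret(z)
    ss = tls13_shared_secret(z, p)
    return {
        "tls12_len": len(pms),
        "tls13_len": len(ss),
        "tls12_key_compressions": hmac_sha256_key_compressions(len(pms)),
    }


# Constructed 1024-bit stand-in for a DH modulus. Not prime, not a real group;
# only its byte length (128) matters for the encoding rules above.
P_STANDIN = 2 ** 1023 + 1


def main() -> None:
    # Constructed shared values: one with a non-zero top byte, one with the
    # top byte zero (about a 1/256 event for a uniformly random Z), and one
    # with nine zero bytes, which is where the SHA-256 block count changes.
    for name, z in [("top byte set", 2 ** 1023),
                    ("top byte zero", 2 ** 1015),
                    ("nine zero bytes", 2 ** 951)]:
        info = compare_encodings(z, P_STANDIN)
        print(f"{name:16s} TLS1.2 pms={info['tls12_len']:3d} bytes "
              f"(key hashed in {info['tls12_key_compressions']} blocks)  "
              f"TLS1.3 ss={info['tls13_len']:3d} bytes")


if __name__ == "__main__":
    main()
```

Run it and the TLS 1.3 column stays at 128 bytes while the TLS 1.2 column shrinks with each leading zero byte; the HMAC key is re-hashed in 3 blocks for 120 to 183 bytes and in 2 blocks at 119 bytes or fewer, so the premaster's length, which is a function of Z, decides how much work the PRF does. That is the data dependence the quoted message calls a broken construction: the code points fix the stripping rule, so it cannot be patched in place.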