IETF Logo Mail Archive

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

David Benjamin <davidben@chromium.org> Tue, 17 August 2021 15:52 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EBAB3A2062 for <tls@ietfa.amsl.com>; Tue, 17 Aug 2021 08:52:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.949
X-Spam-Level:
X-Spam-Status: No, score=-9.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hW5222jHKBrL for <tls@ietfa.amsl.com>; Tue, 17 Aug 2021 08:52:14 -0700 (PDT)
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 719D73A2060 for <tls@ietf.org>; Tue, 17 Aug 2021 08:52:14 -0700 (PDT)
Received: by mail-pj1-x1036.google.com with SMTP id gz13-20020a17090b0ecdb0290178c0e0ce8bso3255999pjb.1 for <tls@ietf.org>; Tue, 17 Aug 2021 08:52:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=k/hKl/kalyz2OBeq7xEygNmMD6tTXNORu5HkmpqjEAs=; b=PL4kZrtu2IWhNVKLzj2S3gWyXv5nAo5cJvenx8a1Xcayu4XMRcMmtLYeIWyGu4L4uP 4TgfAuP2/MCXTZhjXXC6dmowmzMD1KH87xqmb+iDrp9x81ONyL+Ba0rYzfaAJfyWScaG mPkTtgoTjB/CNrKyEtf9aEnyD2YUUojOwUNDo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=k/hKl/kalyz2OBeq7xEygNmMD6tTXNORu5HkmpqjEAs=; b=nU7kmL+mNIZVMGiKsOWW4m9NQ/m0Emj+dTAfo+cEz/PM5DbxHYITGTZwS7ysNKai4B CTDddlwVCqsiv/Z99izTXNNeJPZ0qCezQbgW1Vauw7JsfW23UbxciKcdoV3SURXTLuXA 3kkKrhZyApj08pG5EnQBEYwi4Bua/9siHlJRKYVN2VcJ+Kq8Q8rkM81fopZ7rJBJ98aY F0CxrH/RSHShnoLShlZij66O/JhtNpznzSM2aDabbAGRjIaA4GzJhjnNkPYcdlKdK8ua m63LCtMbV5ZskxZ720AxGFptmInT0AOnPPc57lkQMrhNd7SDszmiS5iT/88d5KhK4dFm 8CHQ==
X-Gm-Message-State: AOAM531g8bfwrrO0QNWSW7SbF3/fb0JtEDZ83CON8CNjspL36T5TQ6QI kjEbU0gW+ylFsbchYjZQDqoWyv2Pm/B7+hFDhqXbB5UgXA==
X-Google-Smtp-Source: ABdhPJxifnb4o1SQSyx3CAX7jdNvCWUw+Zok1HV8jMCQBj5w1IXKEQjTcQKHLBCS1s9NZaTkyUFRkuAD4lSDQgzq2sI=
X-Received: by 2002:a63:5f88:: with SMTP id t130mr4158978pgb.6.1629215532956; Tue, 17 Aug 2021 08:52:12 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoC4C0bWz0h0iyzGzMPEoDKAPv4euoOkmS+6Uuxncux4Zg@mail.gmail.com> <cc9c9d9f-d6b1-3b93-1231-a9a9c34a7fcd@gmail.com> <67533325-2983-47B7-871C-D90799D09532@ll.mit.edu> <CAOgPGoDAvnFic3VmEsge3i8C2FEfWp74ac_ievtfNo=MQB+C8g@mail.gmail.com> <385b963a-9627-4ede-b4a9-95b5badebc58@www.fastmail.com>
In-Reply-To: <385b963a-9627-4ede-b4a9-95b5badebc58@www.fastmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 17 Aug 2021 11:51:56 -0400
Message-ID: <CAF8qwaA64fHrvUA9WjjRYQkg_zUV3AjgLaENSyo5C79U1XsPfg@mail.gmail.com>
To: Filippo Valsorda <filippo@ml.filippo.io>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001b65cd05c9c34d7a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7BU9rD_rcX5ig31Hdxok-gJ_CwQ>
Subject: Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Aug 2021 15:52:22 -0000

I support adoption, and will second everything Filippo says.

Deprecation is about the working group issuing updated guidance. Existing
ecosystems may apply new guidance at different rates. That's up to TLS
implementations and deployments to work through. Some ecosystems may remove
things at long time scales. Some ecosystems may have particularly unusual
setups such that they almost never want to remove anything. That's fine,
but it cannot discount the other ecosystems which *do *incur security risk
from having weak ciphers enabled, or the new TLS uses with no legacy. The
working group needs to maintain up-to-date guidance here, and this is how
we do that.

On arbitrary FFDH groups, I think pre-TLS-1.3 FFDH, even ephemeral, is
unsalvageable [again, as up-to-date guidance, see above]. We don't have a
way to tell the server to only consider DHE ciphers if it would have used a
group the client supports. RFC7919 tried to solve the problem but, by
reusing the old cipher suites, it fails to solve the problem. Triggering an
external client retry instead has interesting downgrade consequences due to
ServerKeyExchange signatures not covering the ClientHello. (In fact, I
suspect RFC7919 has made the downgrade risks worse...)

On Tue, Aug 17, 2021 at 9:29 AM Filippo Valsorda <filippo@ml.filippo.io>
wrote:

> (I am listed as author to one of the drafts, but haven't contributed
> significantly since suggesting the deprecation on the list, so I am going
> to renounce authorship and express my support for the adoption instead.)
>
> As a TLS implementer, I don't want the specs to tell me what is *technically
> possible to implement correctly*. I want the specs to recommend the
> safer, most straightforward options for general purpose use.
>
> *DH reuse is less safe than ephemeral shares.* I don't think we need to
> debate this fact. There is a mile-high pile of CVEs that include the words
> "if DH shares are reused". I personally turned a 2^-32 chance of a carry
> bug into a full key recovery against ES-DH
> <https://www.youtube.com/watch?v=zPj5tTFDql0>, others have pulled off
> more and cooler attacks. None of these fun, job-security-providing stunts
> work with ephemeral shares, so it's with a heavy heart that I say we should
> absolutely deprecate all DH share reuses. (This includes all static kex,
> and an explicit MUST NOT for reuse in ephemeral kex.)
>
> *Checking the safety of an arbitrary FFDH group is relatively hard, and
> slow.* Implementers tend to skip hard, slow operations with no visible
> outcome. Besides, it's also a compatibility risk, because the only recourse
> on a failed check is to terminate the connection, which again encourages
> implementers to skip or relax the check. The most straightforward path to
> retaining FFDH in TLS 1.2 I see is requiring the use of a few, well known
> groups, that can be checked by memcmp. Still, I would rather support
> deprecating pre-TLS 1.3 FFDH entirely.
>
> It's not like things in the wild suddenly stop working when the IETF
> deprecates a cipher suite (that's my job!), it just tells bystanders "this
> is not the best way to do things" and in the case of DH reuse "you'll be
> much safer if you generate fresh shares" and in the case of FFDH "if you
> want to do FFDH it will be safer and more reliable to use TLS 1.3".
>
> I support adoption, and recommend merging all these deprecations into a
> single draft, which would be easier to refer to and communicate as an
> implementer.
>
> 2021-08-17 03:45 GMT+02:00 Joseph Salowey <joe@salowey.net>:
>
> Regardless of the Raccoon attack, the static DH and ECDH ciphersuites do
> not provide forward secrecy, which is a main reason cited for deprecating
> RSA in draft-aviram-tls-deprecate-obsolete-kex.  Do you object to just the
> citation of the Raccoon attack or do you also feel that we should keep
> these ciphersuites that do not provide forward secrecy around?
>
> Cheers,
>
> Joe
>
> On Fri, Aug 13, 2021 at 10:20 AM Blumenthal, Uri - 0553 - MITLL <
> uri@ll.mit.edu> wrote:
>
> I agree with Rene’s points.
>
>
>
> --
>
> Regards,
>
> Uri
>
>
>
>
>
> *From: *TLS <tls-bounces@ietf.org> on behalf of Rene Struik <
> rstruik.ext@gmail.com>
> *Date: *Friday, August 13, 2021 at 09:58
>
> Dear colleagues:
>
>
>
> I think this document should absolutely *not* be adopted, without
> providing far more technical justification. The quoted Raccoon attack is an
> easy to mitigate attack (which has nothing to do with finite field groups,
> just with poor design choices of postprocessing, where one uses
> variable-size integer representations for a key). There are also good
> reasons to have key exchanges where one of the parties has a static key,
> whether ecc-based or ff-based (e.g., sni, opaque), for which secure
> implementations are known. No detail is provided and that alone should be
> sufficient reason to not adopt.
>
>
>
> Rene
>
>
>
> On 2021-07-29 5:50 p.m., Joseph Salowey wrote:
>
> This is a working group call for adoption for Deprecating FFDH(E)
> Ciphersuites in TLS (draft-bartle-tls-deprecate-ffdhe-00
> <https://datatracker.ietf.org/doc/draft-bartle-tls-deprecate-ffdhe/>). We
> had a presentation for this draft at the IETF 110 meeting and since it is
> a similar topic to the key exchange deprecation draft the chairs want to
> get a sense if the working group wants to adopt this draft (perhaps the
> drafts could be merged if both move forward).  Please review the draft and
> post your comments to the list by Friday, August 13, 2021.
>
>
>
> Thanks,
>
>
>
> The TLS chairs
>
>
>
> _______________________________________________
>
> TLS mailing list
>
> TLS@ietf.org
>
> https://www.ietf.org/mailman/listinfo/tls
>
>
>
> --
>
> email: rstruik.ext@gmail.com | Skype: rstruik
>
> cell: +1 (647) 867-5658 <(647)%20867-5658> | US: +1 (415) 287-3867 <(415)%20287-3867>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email