Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 13 August 2021 17:21 UTC

Return-Path: <prvs=78599ebe20=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 337B13A1FC5 for <tls@ietfa.amsl.com>; Fri, 13 Aug 2021 10:21:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tWnV0t5IkyoN for <tls@ietfa.amsl.com>; Fri, 13 Aug 2021 10:21:00 -0700 (PDT)
Received: from llmx2.ll.mit.edu (llmx2.ll.mit.edu [129.55.12.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EDA13A2076 for <tls@ietf.org>; Fri, 13 Aug 2021 10:20:29 -0700 (PDT)
Received: from LLE2K16-HYBRD02.mitll.ad.local (LLE2K16-HYBRD02.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTPS id 17DHKPrp045379; Fri, 13 Aug 2021 13:20:25 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=CjuwrwugSUaG1kT1Ql1AID9BfaZPAWCm7dHuIv6YhIufRYlk2SCMYbCQDYg4MoWd9CcebmPTLMfRIOBEooHHbE6ir9i1RbLDCGgX7K1Ivt+aK+lgx0W0XRRGfcJRcDs5NJoripSbrhU4rYDA0M/xI9lvfBjTMqzSZYW6mAIF7o7IXXJhJAsJLBL7GXYxHrga+eFKsGrrsdHnjmWipp+n4bt76pzXJwOEaUvVZdClOx/y/WOHsOvB90oA9feKrUKPJKQ0tMWsDnwAATIfx9Q2nxsF5uTnZYdNz2rCfinh2iJ8CN0HXe6f7FBWSAT4GQmZBluZ5DziRnfjii21o23mbA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DQ+xiGd4mg07aVMz/cLdXPH9KUv3ij+DSSJHOhdiRWk=; b=AHttONC+6M45k8TzDql12u7t55tLK1lCGJW12MRIbIE1yQH4Q/52SNTYtcEGNEkZ1Ym6pzK4RkRbNC2hHePIu4GXhThxgDwSBTlTIs2Cpz6NPtuKjnjLIXgZtNSj0lqVOH4C1QsUXPHlBQe92Wzwmpxam9lOIROfgfjV73rJ7JIN+IhFJJPiNIRlz4pIZc3VSRL/pNc0gog5n4LMFiUgSo5t9LeD/WACSS3CYD/wo/3QTJyMVft9UZHKj/VcyYXntpYcFQQosb9dHfqjIsNDl3dbCnvKIbFMaGhUuVlkY5v0X9HT/71icf7He0q6jtnpLhRPF0ixYeaUe5KUlhyXvw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Joseph Salowey <joe@salowey.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS
Thread-Index: AQHXhMPxpzrCMsaNt0Kem/sQDBKbl6txjJmA///1ygA=
Date: Fri, 13 Aug 2021 17:20:18 +0000
Message-ID: <67533325-2983-47B7-871C-D90799D09532@ll.mit.edu>
References: <CAOgPGoC4C0bWz0h0iyzGzMPEoDKAPv4euoOkmS+6Uuxncux4Zg@mail.gmail.com> <cc9c9d9f-d6b1-3b93-1231-a9a9c34a7fcd@gmail.com>
In-Reply-To: <cc9c9d9f-d6b1-3b93-1231-a9a9c34a7fcd@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.50.21061301
authentication-results: salowey.net; dkim=none (message not signed) header.d=none;salowey.net; dmarc=none action=none header.from=ll.mit.edu;
x-originating-ip: [129.55.200.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6feafa8f-1d26-49b9-7034-08d95e7e9fce
x-ms-traffictypediagnostic: BN1P110MB001:
x-microsoft-antispam-prvs: <BN1P110MB00185D6EFC512C98B269F1D90FA9@BN1P110MB001.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5cUImRY+P8RG8AXXj7N2k4LDibxL0+/gDQ8aTx9wW5T7+wymx511rD/sJMZmQRQHsvP7sYTAA1mO5zU68OxdRMIRdJc4olqfQc1xXfZOw4zdvsfxJGf6fLwVwZ4wgk9/NxbCv98MAYvVwfW/6/3Eu5lKCAoWcTHw6kxyoZIcRYNwQZbpv/Up0+QZ7s5SC6iU7V9HjTKhFyUPIPYpfykvWQf6j4xjTxYtnltSQ0w+KTWhHBPMvCQ229qIp0+KSkYxpnspQS2BK6DeMrQPS97Jt7Ob7mS/mgImq3jF5oqmTKRodwFs7OqfFXj8B0HY6bnnNg2hdFn6OioeHJ2tPI5bQSK4GpHkGnK9Ov1QTxRf8aMHRsXG8MaJb1CmrOq0YNX2ZXgc6lUdeRQXfo/46300AH+NelSwVjJ52ONrDamqFNW7rL2yw6ynnRDRCcya9GdoZ69vDKgx3BsasOwYFXU9cC5yPNLaPNd2psSh1RXZzr/oAEdXrVSQwpBYfCwB2cfhgq5QXfTqBstjPNs/dvrKmWfWafydpZQUyRIURF3PCKsEe9WA6DsmJnOY+BPC6rV4K8JCA7VGa/Bs/dnMwZnjRoFUY2sY6PbwaYrDiefn3XlH//kJmV5k8B6cHEnqsyF3/Mc5Hh7LSzd/Ovk13B9PwNnhMWdoujFJ5292lx1ViDQOvbHkecjUhmXLBETiBmw3r8eNEG5iauzCSNwb5pFEmYU5t2AOS8CBeofNBw84OLk=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0706.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(64756008)(66476007)(66446008)(66556008)(66616009)(6512007)(5660300002)(71200400001)(2906002)(75432002)(122000001)(508600001)(99936003)(8936002)(38070700005)(6486002)(110136005)(316002)(6506007)(53546011)(966005)(38100700002)(26005)(166002)(186003)(86362001)(76116006)(66946007)(2616005)(8676002)(83380400001)(33656002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 408+8c0mgjORHzZ6oyDuBQJm5elerHU/lMBUk9wGthCx14Sl+Zy2qRIGptsr9bcR8ZWooSVENaDDRKymKbi4QGHDOfCaMbGxD3iz8y2ckfdl8x//kpr8UtuXKfbCanKsGDE28WmmNPQdtNZdMK0ropKcInfZZBJWvn8O7HnbHyCa6leYn7fTSBAnJzhxL21itcB44bcRs46OKsk/kXEzIZnIrCN1Z3qge42RpTPUBgV7OiMqiKTS8wTLDBdT0/ELxdkeW01c9/m941hefUIGtgjew7fOp5UmsZM4+TVfyRXveIhpHRIXrSJI1zqmhbWav7Snq+c+R0qJadGDx8HLQAw4keCC3XZP3P+l8E/NDui9WavxSLiS6qjP9CpCRSat51ZSg/sfe2LvZ58brs1sp5pfU1rSe5JnEsD/COZyX+dP7XCkbY8rQ9Egyn1E39aR5VnYcSwuRXrdgpvMMD1iYaBZzVRJ3XBBHmjDw1/TWOveFCg150jrMdwaL1SGLLOMTFIlTbYTlSx64Yqh8BP//ICpd4JLv9wFln47C6jN3J3m7oVAmOhx52wa9TCHerlmYgAGs2qwd34O5zCxRgANtR8eV3gzdHUA/9hhKimBeJ2a+RBgYCK7UR8e6SNUt/7Bf/l2gfIQ6Xlq8Lp5/TwprvkCINpVfbchUcEdzKhotNFvmVDAdog9CCWXmISg7RTBoriQLvQMNF4RyjJ2dT/7jg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3711705618_1166588863"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0706.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 6feafa8f-1d26-49b9-7034-08d95e7e9fce
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Aug 2021 17:20:18.8083 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB001
X-OriginatorOrg: ll.mit.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-08-13_06:2021-08-13, 2021-08-13 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2103310000 definitions=main-2108130104
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7qeB7ooCoV8DmWYStyTpfoMwUvE>
Subject: Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Aug 2021 17:21:05 -0000

I agree with Rene’s points.

 

-- 

Regards,

Uri

 

 

From: TLS <tls-bounces@ietf.org> on behalf of Rene Struik <rstruik.ext@gmail.com>
Date: Friday, August 13, 2021 at 09:58

Dear colleagues:

 

I think this document should absolutely *not* be adopted, without providing far more technical justification. The quoted Raccoon attack is an easy to mitigate attack (which has nothing to do with finite field groups, just with poor design choices of postprocessing, where one uses variable-size integer representations for a key). There are also good reasons to have key exchanges where one of the parties has a static key, whether ecc-based or ff-based (e.g., sni, opaque), for which secure implementations are known. No detail is provided and that alone should be sufficient reason to not adopt.

 

Rene

 

On 2021-07-29 5:50 p.m., Joseph Salowey wrote:

This is a working group call for adoption for Deprecating FFDH(E) Ciphersuites in TLS (draft-bartle-tls-deprecate-ffdhe-00). We had a presentation for this draft at the IETF 110 meeting and since it is a similar topic to the key exchange deprecation draft the chairs want to get a sense if the working group wants to adopt this draft (perhaps the drafts could be merged if both move forward).  Please review the draft and post your comments to the list by Friday, August 13, 2021.  

 

Thanks,

 

The TLS chairs



_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
 
-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867