Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Yoav Nir <> Wed, 18 September 2013 19:47 UTC

On Sep 18, 2013, at 10:15 PM, james hughes <<>> wrote:

> On Sep 18, 2013, at 10:34 AM, "Blumenthal, Uri - 0558 - MITLL" <<>> wrote:
>
>> If you think that in 5 years 1024-bit DH will be trivially crackable - I'd like to see some evidence to support it.
>
> There is a difference between "trivially crackable" and routinely exploitable. In 5 years this will be routinely exploitable.

Based on what? There's been a paper ([1]) describing how to produce a SHA-1 collision in 2^61 steps for two years, and nobody's produced a collision yet. This should be within the powers of a moderately well-funded company or university, not just government agencies. Sure, the NSA has the resources to produce a SHA-1 collision. But if they had to produce one for *each* session they wanted to break, they would have to be very picky with choosing the sessions that they break.

1024-bit RSA and DSA are usually considered equivalent to 80-bit security, so half a million times more difficult to crack than producing a SHA-1 collision (an effort no civilian has yet dared to take). DHE with 1024-bit keys means that our favorite pervasive attacker would need that much effort to crack a single connection. It's much better to deploy that than to not deploy 2048-bit DHE because so many of the servers and clients don't support it.

> It seems to me that the standards process does not need NSA to subvert the process, the standards people seem to be doing this fine by themselves. Anyway, speaking as someone working in this field (more factoring than discrete log) the professional recommendation is 2048.

Yes, and where it's possible (RSA keys) we've all migrated. But the professional recommendation that I'm hearing is to move to ECC.

> I am not baiting here, but the argument that 2048 is "too much" given that a PC can do a complete authenticated PFS key exchange in 3ms of CPU time seems "interesting".

Moving from 1 ms to 3 ms is trivial for a client, but may require buying more hardware for the server. As someone in the field of selling hardware, that's great! But it does slow adoption.

But that is not the argument you hear from me. My argument is that it's pointless to change implementation to support a better DHE, when (a) the current DHE implementation is OK for now, and (b) ECDHE is the future and already implemented in most codebases.
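As an added illustration, not part of this thread and not code from any of the posters: the Go program below runs the two exchanges the thread compares, a 2048-bit finite-field DHE over the RFC 3526 group 14 prime and a P-256 ECDHE through the standard library's crypto/ecdh, times each, and applies the check a receiving side needs on a finite-field public value before using it (range check plus order-q subgroup membership; crypto/ecdh does the equivalent on-curve check when a point is parsed). The group prime and generator are the RFC constants; the 256-bit private-exponent size, the SHA-256 key derivation and the timing are this example's own choices, and it assumes Go 1.20 or later for crypto/ecdh and errors.Join.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
	"time"
)

// Prime of the 2048-bit MODP group 14 from RFC 3526; its generator is 2.
const modp2048Hex = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74" +
	"020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437" +
	"4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05" +
	"98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" +
	"9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" +
	"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718" +
	"3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"

var one = big.NewInt(1)
var ffP = mustHex(modp2048Hex)
var ffQ = new(big.Int).Rsh(new(big.Int).Sub(ffP, one), 1) // q = (p-1)/2

func mustHex(s string) *big.Int {
	n, ok := new(big.Int).SetString(s, 16)
	if !ok {
		panic("malformed group prime")
	}
	return n
}

// GroupIsSafePrime confirms p and q are (probable) primes, which ValidatePublic relies on.
func GroupIsSafePrime() bool {
	return ffP.BitLen() == 2048 && ffP.ProbablyPrime(20) && ffQ.ProbablyPrime(20)
}

// ValidatePublic: a received public value must lie strictly inside (1, p-1)
// and inside the order-q subgroup generated by g=2, else it is rejected.
func ValidatePublic(y *big.Int) error {
	if y.Cmp(one) <= 0 || y.Cmp(new(big.Int).Sub(ffP, one)) >= 0 {
		return errors.New("dh: public value outside (1, p-1)")
	}
	if new(big.Int).Exp(y, ffQ, ffP).Cmp(one) != 0 {
		return errors.New("dh: public value not in the order-q subgroup")
	}
	return nil
}

// ffKeyPair draws a private exponent x in [1, 2^256] (well above twice the
// ~112-bit strength of a 2048-bit group) and returns x and y = 2^x mod p.
func ffKeyPair() (*big.Int, *big.Int, error) {
	x, err := rand.Int(rand.Reader, new(big.Int).Lsh(one, 256))
	if err != nil {
		return nil, nil, err
	}
	x.Add(x, one)
	return x, new(big.Int).Exp(big.NewInt(2), x, ffP), nil
}

// FFDHExchange runs one 2048-bit finite-field exchange, each side validating the
// other's public value, and returns both derived keys plus the elapsed time.
func FFDHExchange() (keyA, keyB []byte, elapsed time.Duration, err error) {
	start := time.Now()
	xa, ya, errA := ffKeyPair()
	xb, yb, errB := ffKeyPair()
	if err = errors.Join(errA, errB); err != nil {
		return nil, nil, 0, err
	}
	// A checks B's value and B checks A's before either exponentiates with it.
	if err = errors.Join(ValidatePublic(yb), ValidatePublic(ya)); err != nil {
		return nil, nil, 0, err
	}
	sa := sha256.Sum256(new(big.Int).Exp(yb, xa, ffP).Bytes())
	sb := sha256.Sum256(new(big.Int).Exp(ya, xb, ffP).Bytes())
	return sa[:], sb[:], time.Since(start), nil
}

// ECDHExchange does the same over P-256. Each side re-parses the peer's encoded
// point with NewPublicKey, which is where crypto/ecdh rejects off-curve points.
func ECDHExchange() (keyA, keyB []byte, elapsed time.Duration, err error) {
	curve := ecdh.P256()
	start := time.Now()
	a, errA := curve.GenerateKey(rand.Reader)
	b, errB := curve.GenerateKey(rand.Reader)
	if err = errors.Join(errA, errB); err != nil {
		return nil, nil, 0, err
	}
	bPub, errA := curve.NewPublicKey(b.PublicKey().Bytes())
	aPub, errB := curve.NewPublicKey(a.PublicKey().Bytes())
	if err = errors.Join(errA, errB); err != nil {
		return nil, nil, 0, err
	}
	sa, errA := a.ECDH(bPub)
	sb, errB := b.ECDH(aPub)
	if err = errors.Join(errA, errB); err != nil {
		return nil, nil, 0, err
	}
	ha, hb := sha256.Sum256(sa), sha256.Sum256(sb)
	return ha[:], hb[:], time.Since(start), nil
}
```

Calling FFDHExchange and ECDHExchange from a small main and printing the returned durations gives the per-exchange cost on the machine at hand, which is the measurement to make before arguing about whether the move from 1024-bit to 2048-bit parameters is affordable for a given server; the 1024-bit group 2 prime from RFC 2409 can be dropped into the same code for a direct comparison. Two caveats for anyone adapting it: the subgroup test is what stops a peer from steering the shared secret into a small subgroup, so it belongs on every received value, and a production key schedule would feed the shared secret into a KDF at a fixed length rather than the variable-length Bytes() used here for brevity.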