Re: [TLS] Another IRINA bug in TLS

Daniel Kahn Gillmor <> Mon, 01 June 2015 21:20 UTC

From: Daniel Kahn Gillmor <>
To: Peter Gutmann <>, "noloader" <>
Date: Mon, 01 Jun 2015 17:20:14 -0400
Subject: Re: [TLS] Another IRINA bug in TLS

On Sun 2015-05-24 03:12:00 -0400, Peter Gutmann wrote:
> Jeffrey Walton <> writes:
>>GnuTLS with its Lim-Lee primes causes me a lot of problems because they
>>cannot be validated.
> Actually the problem isn't GnuTLS (hey, I use Lim-Lee primes as well!), it's
> the fact that TLS uses the PKCS #3 format rather than the DSA format, so
> you've got nice verifiable values for which you have to throw away the
> parameter used to verify them and send them in an unverifiable format.  Having
> said that, there's a pretty simple fix, define an extension that acts like the
> existing propose/accept extensions that signals a change in DH values to the
> DSA form (p, q, g) rather than PKCS #3 form (p, g).  And for TLS 1.3, use the
> DSA form by default, not the PKCS #3 form.

If we're still shipping arbitrary groups across the wire, then adding
(q) to the data over the wire not only increases the size of the
handshake (by the size of q) but now the receiving peer has to verify

 (a) p is prime

 (b) q itself is prime

 (c) p is actually a Lim-Lee prime

either that, or they can skip the checks and cross their fingers.

Standardizing on known safe prime moduli seems simpler and easier and
less likely to include some steps that people will be tempted to skip
for speed.
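The receiver-side checks (a) to (c) described in the reply above, as an added example that is not part of the original thread: a validation routine for DSA-form (p, q, g) parameters beside the same attempt on PKCS #3 form (p, g), where q has been discarded and the subgroup order can only be confirmed when p happens to be a safe prime. The toy parameter values are constructed for illustration and far too small for real use; the Miller-Rabin round count is an assumed setting.

```python
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; 32 rounds is an assumed, illustrative setting."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a composite witness was found
    return True

def check_dsa_form_dh(p, q, g):
    """Checks a receiving peer can run on DSA-form (p, q, g). Returns a list of failures."""
    problems = []
    if not is_probable_prime(p):                # check (a)
        problems.append("p is not prime")
    if not is_probable_prime(q):                # check (b)
        problems.append("q is not prime")
    if q < 2 or (p - 1) % q != 0:               # q must be the order of a subgroup of Z_p^*
        problems.append("q does not divide p-1")
    if not 1 < g < p - 1:
        problems.append("g out of range")
    elif pow(g, q, p) != 1:                     # g must lie in the order-q subgroup
        problems.append("g does not generate the order-q subgroup")
    # Check (c), that p = 2*q*r1*...*rk + 1 with prime cofactors of similar size
    # (the Lim-Lee construction), needs the r_i, which are not on the wire either.
    return problems

def check_pkcs3_form_dh(p, g):
    """Same checks for PKCS #3 form (p, g): q is gone, so g's order is verifiable only for a safe prime."""
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not 1 < g < p - 1:
        problems.append("g out of range")
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("p is not a safe prime: order of g cannot be verified without q")
    elif pow(g, q, p) != 1:
        problems.append("g does not generate the order-q subgroup")
    return problems
```

With the constructed values p=71, q=7, g=30 (p-1 = 2*5*7), the DSA form passes while the PKCS #3 form of the same group reports that g's order cannot be verified.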