Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

[Watson Ladd <watsonbladd@gmail.com>]

On Wed, Mar 26, 2014 at 5:12 PM, Martin Rex <mrex@sap.com> wrote:
> Joseph Salowey (jsalowey) wrote:
>>
>> TLS has had cipher suites based on RSA key transport (aka "static RSA",
>> TLS_RSA_WITH_*) since the days of SSL 2.0.   These cipher suites have
>> several drawbacks including lack of PFS, pre-master secret contributed
>> only by the client, and the general weakening of RSA over time.
>> It would make the security analysis simpler to remove this option from
>> TLS 1.3.  RSA certificates would still be allowed, but the key
>> establishment would be via DHE or ECDHE.  The consensus in the room
>> at IETF-89 was to remove RSA key transport from TLS 1.3.  If you have
>> concerns about this decision please respond on the TLS list by
>> April 11, 2014.
>
> To me that looks like a pretty bogus statement.
>
> There really is nothing wrong with static RSA, and I can conceive a
> number of scenarios where (EC)DHE could make the situation much worse.
>
> DHE has the problem that it lacks a required set of parameters.
> Generating everything anew and having to verify all parameters
> on the client side for each and every handshake is prohibitively expensive,
> so a number of implementations seem to be using a static keypair for the
> server that is manually generated by an admin once, and never refreshed/
> updated, making it appear better than static RSA, but de-facto much
> worse.  Small devices that currently have poor entropy sources may
> be much better off with a static RSA keypair once generated by an
>  admin on a machine with good entropy and then pushed onto the device
> rather then having to frequently generate new keys on such a device.

If the admin is provisioning the devices, they can seed the devices
with entropy, which gets irreversibly mixed each power cycle.
But yes, DHE parameter validation is a big issue.

>
>
> If RSA was weak, _any_single_use_ of RSA would make you "vulnerable",
> not just the RSA encryption of the premaster secret, but in just the
> same fashion the RSA signature on the (EC)DHE parameter in the
> ServerKeyExchange handshake message.  Or the signatures on the
> certificate chain, or the signatures on the OCSP responses or CRLs.

RSA signatures in the PKI are being increased in size to 2048 and 4096
over the next few years to address this problem. This doesn't seem to
be in the cards for static RSA because of the speed issues.

>
> And once you do the whole PKI glory (long and complex certificate chains
> and full revocation galore, then you may realize that RSA still has
> a significant performance advantage over the alternatives.

For a single signature, maybe. But for multiple signatures with the
Schnorr scheme (or ECDSA plus a single extra bit... why wasn't this
bit included?) you can batch verify. This has a significant
performance advantage.

Furthermore, this is orthogonal to the issue of the fastest TLS
handshake. RSA decryption is very slow, so you can do the two
exponentiations to complete a P256 handshake and signing in the time
to encrypt. The client doesn't matter: it is making very few
connections, so can take a while to do the calculations.

Sincerely,
Watson Ladd


>
>
> -Martin
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin