Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)

Peter Gutmann <> Fri, 19 August 2016 12:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3352C12B077 for <>; Fri, 19 Aug 2016 05:29:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.447
X-Spam-Status: No, score=-5.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.247] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cEIzKFNXgCAa for <>; Fri, 19 Aug 2016 05:29:29 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 063A212D0D3 for <>; Fri, 19 Aug 2016 05:29:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1471609769; x=1503145769; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=CFrPZFaDSGGBe5g8/eqnLmqoTUf3/Z67luZ55c6Vt1I=; b=BC5Fil2WnhG22IKxW20U6Qaa+SknaTtx9OrzaJyZltjgdPTN7e/SsJXk 0NY2KTdEEb9YjcltgIO04MZJZEQyvwcKhkRpBEqxeFQMH2pvu3E2pccn+ zsi1hDmty8wVr/mzAXhtsuKOXAX+PeGf4WwLatC+Fwbt+HxzmMELEdMyX GJQiRVwFNFJaxL6FG1OgSs1LmCE2xOmRFKPGGGPb6bJ7Wbb8/v4wTWIKx L37xWgveMsLPSrO/U6zEAHra6AYTGsrLfXY5c7H4WgqdJOBpaBEDbngG2 ONg8owAzsQilwzEBKbumIlO+O8u1zdbitaXqwk8EGCDci57oSmr/FGOx6 w==;
X-IronPort-AV: E=Sophos;i="5.28,544,1464609600"; d="scan'208";a="102835150"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 20 Aug 2016 00:29:25 +1200
Received: from ([]) by ([]) with mapi id 14.03.0266.001; Sat, 20 Aug 2016 00:29:25 +1200
From: Peter Gutmann <>
To: Bodo Moeller <>, "" <>
Thread-Topic: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)
Thread-Index: AdH3qzVttHomztzDTIKlIRH23NqfIv//fPYAgAIjA03//486AIADpKzA
Date: Fri, 19 Aug 2016 12:29:23 +0000
Message-ID: <>
References: <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Aug 2016 12:29:34 -0000

Bodo Moeller <> writes:

>Peter, so your complaint is about the lack of support for explicitly
>specified (non-"named") groups?

It's the lack of support for DHE unless it's the exact parameters the server
wants.  At the moment if your implementation wants to use DHE (which pretty
much all of them do) you have two options:

1. Ignore RFC 7919 and perform DHE with several billion devices worldwide.

2. Implement RFC 7919 and, unless both client and server happen to choose an
   appropriate FFDHE parameter set that both sides can agree on, be forced to
   fall back to the old, unsafe RSA key exchange.

The problem is that 7919 doesn't say "I want to do DHE, if possible with these
parameters", it says "I will only accept DHE if you use these parameters,
otherwise you cannot use DHE but must drop back to RSA".  Talk about cutting
off your nose to spite your face, you'd have to have rocks in your head to
want to break your implementation like that.

Until now I hadn't had a major interest in 7919 (it's rather hard to identify
what problem it's actually solving), but thought I'd look at it for TLS-LTS
use.  However, if using it requires giving up DHE in a lot of cases there's no
way I'll be implementing it.