Re: [TLS] Deprecating Obsolete Key Exchange Methods in TLS
Carrick Bartle <cbartle@apple.com> Wed, 02 March 2022 18:46 UTC
Return-Path: <cbartle@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8508F3A0ACA for <tls@ietfa.amsl.com>; Wed, 2 Mar 2022 10:46:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZBXV5HdxKCxQ for <tls@ietfa.amsl.com>; Wed, 2 Mar 2022 10:46:19 -0800 (PST)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6D8E3A0872 for <tls@ietf.org>; Wed, 2 Mar 2022 10:46:19 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.42/8.16.0.42) with SMTP id 222IXgQV012593; Wed, 2 Mar 2022 10:46:18 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=d/QY/KwqM2jhOCTfJLgcORrIbBfpsUzMNkYPN2B7SUQ=; b=LzbekkvSNBBupoLt96tPRZVH7wPkT9qfNIsB16G3pxfNptvR37PeVrDZTqqPhbn5S8fY IdzOLiFrh5hcs+lafs4UQfkf/Omo0ZNNrVKv3Idfd123tNh7A0vvAKBpqbikvVE+wsrD Uks7aCWVQ3JxakgAQRgyDkXlrk2loDeO99scCo2PJcdhIFUKWKWlV+09qyMbMFCRJQI7 79UZPr0gVu6k99gpogZylnWfAqabTJEjB9s++3SBA9XisE2QIcRAoXNYmTORBiiFrGSI c8lqk+JRb/6wrt1vHgwez7g7Td43R+MR4/+FKrnuS//1GB2XyVkgptguytgyIcU+tdny ig==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 3efm30nfc0-19 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 02 Mar 2022 10:46:18 -0800
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) with ESMTPS id <0R8400OU5S52BI00@rn-mailsvcp-mta-lapp03.rno.apple.com>; Wed, 02 Mar 2022 10:46:14 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) id <0R8400B00S4ODQ00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Wed, 02 Mar 2022 10:46:14 -0800 (PST)
X-Va-A:
X-Va-T-CD: d6d9237ca1f7551bf00109847e467705
X-Va-E-CD: 63d5b4ff0aafd5379612f74f0a79930e
X-Va-R-CD: 84cc1aeb8af23c64c919b77f168b33c2
X-Va-CD: 0
X-Va-ID: fd890e82-7494-40bd-91a4-efa0200b7d45
X-V-A:
X-V-T-CD: d6d9237ca1f7551bf00109847e467705
X-V-E-CD: 63d5b4ff0aafd5379612f74f0a79930e
X-V-R-CD: 84cc1aeb8af23c64c919b77f168b33c2
X-V-CD: 0
X-V-ID: d5a64ec6-1ef5-49e9-9f58-03b045cda026
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.816 definitions=2022-03-02_05:2022-02-26, 2022-03-02 signatures=0
Received: from smtpclient.apple (unknown [17.234.20.168]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.12.20210903 64bit (built Sep 3 2021)) with ESMTPSA id <0R8400GIRS51T200@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Wed, 02 Mar 2022 10:46:13 -0800 (PST)
From: Carrick Bartle <cbartle@apple.com>
Message-id: <584C15C5-F152-4233-AB83-569B47A8569D@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_58D3023A-20AA-4494-BA73-DA16B6E513A2"
MIME-version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Wed, 02 Mar 2022 10:46:13 -0800
In-reply-to: <CAF8qwaA2go0o_gN=9bh4hqe7hfT+1N8cCBnxd1t00-fGUbSxvg@mail.gmail.com>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "<tls@ietf.org>" <tls@ietf.org>
To: David Benjamin <davidben@chromium.org>
References: <CABiKAoRZZy2Bqgf_QJOQxiyREwLscOWJ9LeqgEvam7Lz+dqyCA@mail.gmail.com> <F631C8A5-3684-4693-B828-4CAA7820125B@ll.mit.edu> <CAF8qwaA2go0o_gN=9bh4hqe7hfT+1N8cCBnxd1t00-fGUbSxvg@mail.gmail.com>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.816 definitions=2022-03-02_05:2022-02-26, 2022-03-02 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AjCy1PjknJamsZyZRs0wj28YIB8>
X-Mailman-Approved-At: Thu, 03 Mar 2022 21:09:44 -0800
Subject: Re: [TLS] Deprecating Obsolete Key Exchange Methods in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 18:46:25 -0000
> NIST PQC API is Key Encapsulation – conceptually similar to RSA key exchange. > > > Yes, but this has no bearing on why it's deprecated. +1. The PQ KEMs aren't relevant here. > On Mar 2, 2022, at 10:31 AM, David Benjamin <davidben@chromium.org> wrote: > > On Wed, Mar 2, 2022 at 12:19 PM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu <mailto:uri@ll.mit.edu>> wrote: > Following the discussions around draft-bartle-tls-deprecate-ffdh and draft-aviram-tls-deprecate-obsolete-kex, and after consulting the chairs, we have merged the two drafts into draft-aviram-tls-deprecate-obsolete-kex <https://datatracker.ietf.org/doc/draft-aviram-tls-deprecate-obsolete-kex/>. > > > > The merged draft prescribes the following: > > RSA key exchange is a MUST NOT. > NIST PQC API is Key Encapsulation – conceptually similar to RSA key exchange. > > > Yes, but this has no bearing on why it's deprecated. > > The question is how you use the KEM, and as well as the properties of the KEM in question. In TLS 1.3, and in TLS 1.2 (EC)DHE key exchanges, the KEM recipient generates an ephemeral, per-connection key. This gives us forward secrecy properties, which this WG has treated as important. In TLS 1.2 RSA key exchange, the recipient uses a static RSA key. In principle, one could also use an RSA-based KEM with ephemeral keys, but RSA key generation is so expensive that this is implausible. Regardless, "RSA key exchange" in the context of TLS is specifically the TLS 1.2 RSA construction, which doesn't do this. > > Additionally, the particular KEM-like construction used in TLS RSA key exchange is flawed, per the Bleichenbacher attack. While we have a mitigation, it is just a workaround for what is ultimately a flawed construction. That mitigation has also had a series of implementation issues, per the documents cited by the draft. > > > Non-ephemeral finite-field DH is a MUST NOT. > > > Overkill, and unnecessary. Should be SHOULD NOT. > > > > Non-ephemeral ECDH is a SHOULD NOT. > > > OK. > > > > Ephemeral finite-field DH (DHE) is a MAY, only when fully ephemeral, and only using a well-known group of size at least 2048 bits. > > > Overkill, though requiring sufficiently large group size is fine. > > > > > > We added greater justification for point 3 <https://www.ietf.org/archive/id/draft-aviram-tls-deprecate-obsolete-kex-01.html#name-security-considerations-2> above to address concerns previously raised on the list. > > > > We'd love to hear your thoughts. > > > > best wishes, > > Carrick and Nimrod > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
- [TLS] Deprecating Obsolete Key Exchange Methods i… Nimrod Aviram
- Re: [TLS] Deprecating Obsolete Key Exchange Metho… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Deprecating Obsolete Key Exchange Metho… David Benjamin
- Re: [TLS] Deprecating Obsolete Key Exchange Metho… Salz, Rich
- Re: [TLS] Deprecating Obsolete Key Exchange Metho… Carrick Bartle