Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Yoav Nir <> Sat, 21 September 2013 19:15 UTC

On Sep 21, 2013, at 7:42 PM, Michael D'Errico <> wrote:

> James,
> The problem is that there apparently is lots of TLS code which can only handle
> 1024-bit DH parameters and would break if a server sent larger parameters.
> The idea that 1024 is big enough stems from the fact that many many connections
> don't use DH at all, and would benefit if RSA was replaced by EDH.  Thus an
> attacker would need to break 1024-bit DH for each connection of interest.

Many websites cannot deploy 2048-bit EDH because of limitations in their software, and those who can won't, because of interop issues with many of the browsers that are out there.

OTOH 2048-bit RSA keys work well pretty much everywhere. So we're left with three choices:

 1. 2048-bit RSA keying. That's good security, but no forward secrecy.
 2. 1024-bit EDH, which gives forward secrecy, but may be breakable now or in 5 years.
 3. 256-bit ECDH, which gives forward secrecy, but some people feel uneasy about.

There are good arguments for and against each of these. I don't think we have a measure of whether it's easier to compromise a single RSA private key, or to calculate the DL for several 1024-bit EDH. I don't like how #1 creates an attractive, shiny target for attackers - a single file stolen from a web server, and all the traffic can be decrypted in Wireshark. OTOH assuming that an agency such as the NSA or French equivalent is able to break any 1024-bit EDH (that's not a given) they will be able to decrypt any single connection that they would like, but I don't believe they have the resources to decrypt every one. That's good for people who are not near the top of the list of threats to national security, but kind of not so good for those who are.

As I've said before, I'd rather we chose #3.
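As an added illustration (not part of this message or of the draft), the following Python encodes and parses the ServerDHParams structure (dh_p, dh_g, dh_Ys as 2-byte-length-prefixed vectors, RFC 5246 section 7.4.3) that a DHE server sends in ServerKeyExchange, then checks the group against a 2048-bit policy minimum; the sample prime and public value are constructed stand-ins, not a real group.

```python
import struct

# Constructed stand-in for a 1024-bit DH prime (not a real group, not prime);
# only its size matters for the checks below.
SAMPLE_P_1024 = (1 << 1023) | 0x2F
SAMPLE_G = 2
SAMPLE_YS = (1 << 1000) | 0x1234  # constructed public value, below p

def _vec(v: int) -> bytes:
    """Encode an integer as a 2-byte-length-prefixed opaque vector."""
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return struct.pack("!H", len(raw)) + raw

def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams as a DHE server sends them (RFC 5246 7.4.3)."""
    return _vec(p) + _vec(g) + _vec(ys)

def parse_server_dh_params(body: bytes) -> dict:
    """Parse dh_p, dh_g, dh_Ys from the front of a DHE ServerKeyExchange body.
    Whatever follows (the server's signature) is left unparsed."""
    out, off = {}, 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length {n} for {name}")
        out[name] = int.from_bytes(body[off:off + n], "big")
        off += n
    out["trailing_bytes"] = len(body) - off
    return out

def assess_dh_group(params: dict, min_bits: int = 2048) -> dict:
    """Report the prime size and whether the group meets a policy minimum."""
    p, g, ys = params["dh_p"], params["dh_g"], params["dh_Ys"]
    bits = p.bit_length()
    issues = []
    if bits < min_bits:
        issues.append(f"dh_p is {bits} bits, below the {min_bits}-bit minimum")
    if not (1 < g < p - 1):
        issues.append("dh_g out of range")
    if not (1 < ys < p - 1):
        issues.append("dh_Ys out of range")
    return {"bits": bits, "acceptable": not issues, "issues": issues}

if __name__ == "__main__":
    # Four zero bytes stand in for the signature that follows the params.
    msg = build_server_dh_params(SAMPLE_P_1024, SAMPLE_G, SAMPLE_YS) + b"\x00" * 4
    print(assess_dh_group(parse_server_dh_params(msg)))
```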