Re: [TLS] [Cfrg] 3DES diediedie

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 25 August 2016 02:59 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18FF812D127 for <tls@ietfa.amsl.com>; Wed, 24 Aug 2016 19:59:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PL_mmTagvIf0 for <tls@ietfa.amsl.com>; Wed, 24 Aug 2016 19:59:26 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DA3B12D1B1 for <tls@ietf.org>; Wed, 24 Aug 2016 19:59:25 -0700 (PDT)
Received: from [172.31.24.203] (gzac12-mdf2-1.aoa.twosigma.com [208.77.215.155]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id CFB47284D97; Thu, 25 Aug 2016 02:59:23 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAHOTMVKBmDT-okm=ikECrotcEKS5fdn840-gV+5Tnx3eg4JBkQ@mail.gmail.com>
Date: Wed, 24 Aug 2016 22:59:23 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <E201DE55-20AF-4581-B502-5112DBA535A5@dukhovni.org>
References: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com> <alpine.GSO.1.10.1608242231290.5272@multics.mit.edu> <CAHOTMVKBmDT-okm=ikECrotcEKS5fdn840-gV+5Tnx3eg4JBkQ@mail.gmail.com>
To: tls@ietf.org
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CEmMW9XYlNiWQSF_qBf6CoYrSw8>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [TLS] [Cfrg] 3DES diediedie
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 02:59:27 -0000

> On Aug 24, 2016, at 10:34 PM, Tony Arcieri <bascule@gmail.com> wrote:
> 
> I am particularly interested in 3DES's usage in TLS, given its previous MTI status in TLS, and because it was until very recently included in the OpenSSL "DEFAULT" ciphersuite list.

For the record, it is only removed from the "DEFAULT" ciphersuite list in
tomorrow's (US/Eastern, today already for folks in Europe) 1.1.0 release.

In the 1.0.x releases it will change from "HIGH" to "MEDIUM", but remains
in "DEFAULT".  Users who elect just "HIGH" ciphers will not use 3DES, but
those who go with "DEFAULT" or explicitly include "MEDIUM" will generally
continue to enable 3DES as a low preference ciphersuite.

https://www.openssl.org/blog/blog/2016/08/24/sweet32/

My personal take is quoted in:

http://arstechnica.com/security/2016/08/new-attack-can-pluck-secrets-from-1-of-https-traffic-affects-top-sites/

   "We're not making a fuss about the 3DES issue, and rating it 'LOW',"
   Dukhovni wrote. "The 3DES issue is of little practical consequence at
   this time. It is just a matter of good hygiene to start saying goodbye
   to 3DES."

I am not opposed to a "diediedie" RFC, if that is likely to be helpful.
For TLS, this ciphersuite is already comparatively rare, and perhaps its
disappearance will not be sped up by a "diediedie" RFC?  Would an RFC
help to prod vendors into action more than the already published findings?
Would our collective energies be better focused on other, more pressing
goals?

-- 
	Viktor.