Re: [TLS] Do we need DH?
Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 30 December 2014 04:34 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/DjxDRoaC8bEBvcL5k4ktt_c8vLQ
Watson Ladd <watsonbladd@gmail.com> writes:

> I invite you to consider the following interesting sources
>
> http://www.spiegel.de/media/media-35511.pdf
> http://www.spiegel.de/media/media-35510.pdf
>
> DH is also being attacked by PHOENIX: I can wild mass guess that this is
> batch FFS: I don't know if this has been researched extensively, and even
> batch NFS has only an asymptotic analysis.

Where did you see this? All I saw was a note (in 35511) that "EDH key exchange not exploitable by the 'easy' way" (I assume 'easy' is "grab the private key", since that's what's referred to for RSA in the line above). The only PHOENIX reference was "pushing new moduli for testing against publicly known weaknesses", which could mean anything ("we're checking whether anything's vulnerable to the small-subgroup attack circa 1997, so far we haven't found anything"). So if anything it's a ringing endorsement of EDH.

In any case I doubt it's FFS (or any other cryptanalytic technique), given that the rest of the documents talk about using implants, stealing config files with static keys, and similar techniques. That's the cryptographer's fallacy, "The NSA can attack TLS, they must have some amazing new cryptanalytic technique that we don't know about". No, they just lifted the static keys from the config file (cf. the XKCD "hit him with this $5 wrench until he tells us the password" approach).

I also note that 35511 seems to be a case of rampant over-classification; there's nothing in there that's remotely sensitive or novel, it's just an SSL 101 talk. 35510 is barely better; I've seen more detailed data on public security blogs.

Further, interesting to note from 35521 that GCHQ (via FLYING PIG) identified the Iranian government using Diginotar certs to target their own citizens.

Peter.