Re: [TLS] Ensuring consistent strength across certificate, ECDHE, cipher, and MAC

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 23 March 2016 08:42 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B950F12D672 for <tls@ietfa.amsl.com>; Wed, 23 Mar 2016 01:42:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DmhgyhFxJibM for <tls@ietfa.amsl.com>; Wed, 23 Mar 2016 01:42:24 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id 7636712DB76 for <tls@ietf.org>; Wed, 23 Mar 2016 01:42:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id E004F11C7; Wed, 23 Mar 2016 10:42:21 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id xeCM1QCY0Dz0; Wed, 23 Mar 2016 10:42:21 +0200 (EET)
Received: from LK-Perkele-V2 (87-100-143-35.bb.dnainternet.fi [87.100.143.35]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id AE09E21C; Wed, 23 Mar 2016 10:42:21 +0200 (EET)
Date: Wed, 23 Mar 2016 10:42:19 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Timothy Jackson <tjackson@mobileiron.com>
Message-ID: <20160323084219.GA4476@LK-Perkele-V2.elisa-laajakaista.fi>
References: <97CC494E-FB13-4A6B-8824-80CF2C7A76BF@mobileiron.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <97CC494E-FB13-4A6B-8824-80CF2C7A76BF@mobileiron.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/EDil6zcoAe0hov_1itrGI8jvAIE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Ensuring consistent strength across certificate, ECDHE, cipher, and MAC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2016 08:42:26 -0000

On Wed, Mar 23, 2016 at 12:38:13AM +0000, Timothy Jackson wrote:
> I’ve noted that many (most?) TLS implementations choose their ECDHE
> curves seemingly without regard to the cipher suite strength. Thus,
> they'll select an AES256 cipher suite (e.g. TLS_ECDHE_ECDSA_WITH_AES256_SHA384),
> but then generate an ECDHE key on the P256 curve. This seems odd to
> me, since the P256 curve obviously has a lower security strength than
> AES256. This seems important issue to resolve because most product
> (and even TLS libraries) do not allow the administrator to configure
> the available ECDHE curves, only the cipher suites. Thus, ECDHE may
> be invisibly undermining the security of your TLS connection.

The security levels are much less obvious than they at first seem.

128 bit symmetric encryption, 128 bit elliptic curve DH and 128 bit
MAC are not even _close_ to being the same security.

And if you want to configure things, configuring strong enough ECDHE
and strong enough ciphers should be enough... If 128-bit ECDHE is
enough, 256-bit symmetric encryption will certainly be enough (can't
say the same about 128-bit symmetric encryption).



-Ilari