Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-05
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 24 January 2015 21:25 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D55C91A007A for <tls@ietfa.amsl.com>; Sat, 24 Jan 2015 13:25:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XYgZ6CxhdPOv for <tls@ietfa.amsl.com>; Sat, 24 Jan 2015 13:25:33 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 0E51F1A0079 for <tls@ietf.org>; Sat, 24 Jan 2015 13:25:32 -0800 (PST)
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id F01C8F984 for <tls@ietf.org>; Sat, 24 Jan 2015 16:25:30 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 36211201F8; Fri, 23 Jan 2015 19:23:38 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: tls@ietf.org
In-Reply-To: <3F4C76ED-4375-438F-ADC9-66E49A19574B@ieca.com>
References: <3F4C76ED-4375-438F-ADC9-66E49A19574B@ieca.com>
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Fri, 23 Jan 2015 19:23:34 -0500
Message-ID: <87fvb1hvqx.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/EhrSCRYkiFfqQt-hCISAJZXwy20>
Subject: Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-05
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Jan 2015 21:25:36 -0000
On Fri 2015-01-23 14:30:42 -0500, Sean Turner wrote: > This is the WGLC (working group last call) for draft-ietf-tls-negotiated-ff-dhe-05: > http://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe-05/ > Please send comments on this draft to the TLS list before February 16, 2015. Off-list, i've recieved a handful of requests for changes in the last couple weeks that i've been remiss in processing. I list them below, From least controversial to most controversial in my estimation. My biggest fear is that the last two points on the list of 5 below threaten to be a repeat of the current CFRG curve selection morass. I really do not want to see that happen. Adding back ffdhe6144 --------------------- I had ffdhe6144 in the earlier draft, and had removed it to reduce the number of groups to minimize fingerprintability of the handshake, but have no strong feelings here. The argument was that the cost increase jumping from a 4kib group to an 8kib group could be seen as prohibitive, and if we ever need to encourage people to move up from the 4kib group due to a cryptanalytic advance that puts that range in question, we'd like to offer something with less of a cost increase. I'm not convinced i buy the argument: anything that makes folks think 4kib groups are seriously dangerous seems like it could also cause worry at the 6kib level, but i can also imagine a DLOG work-factor reduction of modest size that makes this argument seem plausible. I don't particularly mind putting 6144 back in unless there are objections. Increasing the size of the short exponent recommendation -------------------------------------------------------- The estimates of the group strength come from ECRYPT, and the short exponent sizes are recommended based on this group strength. But some other strength estimates suggest groups of this size are slightly stronger. If ECRYPT is wrong, and we base our short exponent length on its estimates, then we might weaken the system below the actual strength of the group. Also, attacking the DLOG problem requires different resources and precomputation from attacking the stream ciphers. So the proposal is to leave the estimates based on ECRYPT estimates, but to increase the size of the recommended short exponents per group. This only slightly reduces the extra efficiency provided by the short expoenents, and seems like the right choice to make. Designating private-use pre-agreed ffdhe groups ----------------------------------------------- A request was made to set aside one (or a few) codepoint(s) for TLS endpoints that have pre-agreed on a group together. It's not clear to me exactly how many "private use" codepoints would be needed. But two would allow a large deployment to implement a smooth transition between two different private groups, which seems like a reasonable goal. I'll probably designate 510 and 511 ( 0x01fe and 0x01ff ) as these private-use codepoints for deployments that want this capability. If anyone has objections, or wants more or less than 2 private-use codepoints, please speak up. Using a keyed PRF instead of e ------------------------------ Two objections were made about the use of e -- (a) because of its definition as the base of the natural log, e has some sort of special internal structure that might make FFDH groups derived from it more vulnerable to analysis. (b) that starting from e and counting up biases the randomized prime selection by only fiddling certain bits in the prime while counting. I've spoken with several cryptographers about (a) who dismissed it as totally implausible. I haven't gotten much feedback about (b). The proposed change is to select the "random" bits by using a keyed PRF, or KDF, with the seed or additional input incrementing until a safe prime is found. I confess this sounds better than using e to me, simply because the construction avoids any claims about (a) and (b). One approach would be to use [HKDF] with SHA-512, with the initial key material ("IKM") and info parameter both set to "TLS-ffdheNNNN" (where ffdheNNNN is the ASCII name of the group), and a salt that we increment until a safe prime is found at the right length. [HKDF] https://tools.ietf.org/html/rfc5869 Avoiding the high-64 and low-64 bits set to 1 --------------------------------------------- The high 64 bits and the low 64 bits of these primes are set to 1 specifically to facilitate Montgomery and Barrett reduction. This is similar to the choices made in the MODP FFDHE groups. The objection to this is that the special structure may make these groups more vulnerable to attacks that we don't know about, potentially making them equivalent to groups the size of the inner bits or something. I'd like to think that if any advances had been made against the DLOG problem for groups with this special form, they would be published already, since the first Oakley group is 768 bits, with the top and bottom 64 bits all set to 0xff, so this should be in-range and high-profile for anyone who wants to take a crack at it: https://tools.ietf.org/html/rfc2409#section-6.1 But i'm not a cryptographer, i know of no such attack, and i have no idea how to judge the likelihood of something like this existing. I also don't know how widespread or desirable Barrett and Montgomery reductions are: if these reduction methods are unlikely to be actually used in the field, or offer only insignificant efficiency incentives for adoption, then we might not need to maintain them. Another argument here is that if efficiency is paramount, most people will choose ECDHE instead of FFDHE. So if we're proposing FFDHE groups as a bulwark against some future failure of ECDHE, we might as well accept that performance efficiency isn't the highest priority. These last two points are what Andrei is referring to when he says "avoid special-form primes", fwiw. Thoughts, feedback? --dkg
- [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-05 Sean Turner
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Andrei Popov
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Daniel Kahn Gillmor
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Watson Ladd
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Sean Turner
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Daniel Kahn Gillmor
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Hubert Kario
- Re: [TLS] WGLC: draft-ietf-tls-negotiated-ff-dhe-… Daniel Kahn Gillmor