IETF Logo Mail Archive

[TLS] Contemplated major revision to draft-ietf-negotiated-ff-dhe

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 19 September 2014 19:52 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C87A1A068A for <tls@ietfa.amsl.com>; Fri, 19 Sep 2014 12:52:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LihRJF-m2-Hf for <tls@ietfa.amsl.com>; Fri, 19 Sep 2014 12:52:51 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 94FB11A070A for <tls@ietf.org>; Fri, 19 Sep 2014 12:52:50 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id F0328F984 for <tls@ietf.org>; Fri, 19 Sep 2014 15:52:47 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 8C3E12000E; Fri, 19 Sep 2014 12:52:35 -0700 (PDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF TLS Working Group <tls@ietf.org>
User-Agent: Notmuch/0.18.1 (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu)
Date: Fri, 19 Sep 2014 15:52:31 -0400
Message-ID: <87bnqbxu9s.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/FrBNnLZMQJwbwsuOJmDsjU6n5cQ
Subject: [TLS] Contemplated major revision to draft-ietf-negotiated-ff-dhe
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Sep 2014 19:52:53 -0000

Hi TLS folks--

I'm considering a radical syntactic change to the negotiated-ff-dhe
draft (though it changes the semantics very little if at all) for the
purposes of aligning 1.3 handshake with pre-1.3 handshakes.  Feedback
about this idea would be appreciated.


   The idea is to have the draft drop the proposed FF-DHE TLS extension
   entirely and instead redefine "Supported Elliptic curves" (TLS
   extension 10) [0] to be a "Supported named groups" extension.  Then
   we would allocate some of the currently unallocated codepoints in the
   NamedCurve IANA registry [1] to the proposed FF-DHE groups.


== Advantages ==

The main goal of this change is to simplify the TLS 1.3 handshake while
allowing clients to send a 1.2+1.3 compatible first flight that includes
FF DHE without excessive duplication.

TLS 1.2+1.3 handshakes will be able to reference a single registry for
their preferred groups and handle them in parallel, without an extra
extension.  We also avoid introducing new TLS extensions.  Clients
would be able to send extension 10 without needing to have implemented
EC.


== Further Considerations ==

So, for a TLS 1.2 client that wants to support named FF-DHE groups, it
would just send TLS extension 10 with only FF-DHE codepoints.  It would
include DHE ciphersuites, but need not include any ciphersuites with
ECDHE key exchange.

If a TLS 1.2 client wants to include ciphersuites with ECDHE as well, it
can do so, but can also indicate FF-DHE codepoints in the same TLS
extension that it indicates the available curves.

Servers responding to such a client will fall into two categories: those
aware of the FF-DHE entries in named-curves, and those that are not.

for unaware servers, they should ignore these entries and carry on with
a normal response.

For aware servers, if they select a DHE key exchange they should send an
SKE as indicated in the current draft, with the server's DHParams
modified appropriately.  (possibly, Alfredo's suggestion of sending an
entirely different handshake message instead of SKE in this case offers
a clearer indication to the client that the server has selected a named
group).


== Codepoint Requests ==

The NamedCurve registry is 16 bits, which is *huge* considering the
pressure we've given to the CFRG to limit the number of proposed curves.

This proposal suggests carving out a small space of that registry for
finite field groups.  For simplicity's sake, i imagine something like
"if the high byte is 0x01, it's FF-DHE" (the draft currently only
allocates 1 byte anyway).  But i'd also be OK with just allocating some
specific codepoints and not making any block designation, if folks think
that would make more sense.


== Feedback Please! ==

Please speak up if you find this change terrible for some reason, or if
you've already implemented the proposed draft and think that backing it
out would be misery.  I don't think this proposal changes the semantics
of the draft at all, and i think it would help the 1.3 handshake to have
this established.

If i hear no shouts of horror, i hope to get a revision of
negotiated-ff-dhe published next week with these changes.

I'm likely to need some help in navigating the IANA procedures for a
change like this which isn't exactly a straightforward codepoint
request, so if anyone has suggestions or experience with that, i'd
appreciate pointers.


All the best,

        --dkg


[0] https://tools.ietf.org/html/rfc4492#section-5.1.1
[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8

v2.23.0 | Report a Bug | By Email