Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 16 July 2017 04:04 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D9F8127869 for <tls@ietfa.amsl.com>; Sat, 15 Jul 2017 21:04:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BISrU1IuyZK6 for <tls@ietfa.amsl.com>; Sat, 15 Jul 2017 21:04:04 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFEBC127735 for <tls@ietf.org>; Sat, 15 Jul 2017 21:04:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1500177843; x=1531713843; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=isD3Kwgt1pgF8SEy9a7wRjXxpKqi2dlezZljAEHcYGA=; b=fWOQlzf9t2nPnLwMYFsb/tVjFw0KHGtUFldoK03swgY2PrndI4dQy5qb yN2EVAkZrwJYu1SS4rsJjPB4wGwf5JDLwDy/+b7F64WqAWezIzzrpp7+B 3fK2OBdf7NvItHsjxsCW9R6hFS8uvTCqkawHOb5JTIu0ld8lnNLg12ha9 hnWU5wSCXTYe0F3JriQNnhLIL+6GFUAqApqON+4aY4z7KiPVM/3Jkt2FD kdTWyB2mXjtBSWSpY/85nFe6gGCUIZUcTZbJGdG0+KqNVJ7mu73G4m/Ml NG25Ff/1fURUj0IsVAfspLfxPnzY6ZBGpitNpX5frSRL0Np3AzCALt6dy Q==;
X-IronPort-AV: E=Sophos;i="5.40,367,1496059200"; d="scan'208";a="165620923"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.8 - Outgoing - Outgoing
Received: from uxcn13-ogg-e.uoa.auckland.ac.nz ([10.6.2.8]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 16 Jul 2017 16:03:57 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) by uxcn13-ogg-e.UoA.auckland.ac.nz (10.6.2.28) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sun, 16 Jul 2017 16:03:57 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::6929:c5b:e4d6:fd92]) by uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::6929:c5b:e4d6:fd92%14]) with mapi id 15.00.1263.000; Sun, 16 Jul 2017 16:03:57 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nick Sullivan <nicholas.sullivan@gmail.com>, "Dobbins, Roland" <rdobbins@arbor.net>, Ted Lemon <mellon@fugue.com>
CC: IETF TLS <tls@ietf.org>, Matthew Green <matthewdgreen@gmail.com>
Thread-Topic: [TLS] draft-green-tls-static-dh-in-tls13-01
Thread-Index: AQHS9u8WfZRzCSd0QUCONEJhviFEL6JHi20AgAA7kwCAAB2SAIAABXAAgAABDgCAABZXAIALri2AgAAVVwCAAAFLgIAAAg6AgAADOACAAASTAIAAB0QAgAAEhACAAAMcAIAAHD8AgAHnA4s=
Date: Sun, 16 Jul 2017 04:03:56 +0000
Message-ID: <1500177825613.70567@cs.auckland.ac.nz>
References: <CAPCANN-xgf3auqy+pFfL6VO5GpEsCCHYkROAwiB1u=8a4yj+Fg@mail.gmail.com> <CAL02cgRJeauV9NQ2OrGK1ocQtg-M2tbWm2+5HUc4-Wc8KC3vxQ@mail.gmail.com> <71E07F32-230F-447C-B85B-9B3B4146D386@vigilsec.com> <39bad3e9-2e17-30f6-48a7-a035d449dce7@cs.tcd.ie> <CAJU8_nXBFkpncFDy4QFnd6hFpC7oOZn-F1-EuBC2vk3Y6QKq3A@mail.gmail.com> <f0554055-cdd3-a78c-8ab1-e84f9b624fda@cs.tcd.ie> <A0BEC2E3-8CF5-433D-BA77-E8474A2C922A@vigilsec.com> <87k23arzac.fsf@fifthhorseman.net> <D37DF005-4C6E-4EA8-9D9D-6016A04DF69E@arbor.net> <CAPt1N1nVhCQBnHd_MCm79e7c1gO6CY6vZG_rZSNePPvmmU_Bow@mail.gmail.com> <44AB7CB8-13C1-44A0-9EC4-B6824272A247@arbor.net> <CAPt1N1=rvtssKXCnsNmr1vy4ejb6YDUxO2kDcgh-ZMh5WGjfWg@mail.gmail.com> <D43C7836-9F72-4D3C-A8FA-E536FCBEEB6A@arbor.net> <CAPt1N1m6QNmpHY4Zkm3eJSKjBpTs_xaAy6vv6pZi0ySYej_4Sg@mail.gmail.com> <CF285C9C-9822-4B5F-98FC-C5B2701619D4@arbor.net> <6770F4F3-3793-46F9-B47C-25EBE2E7DF5A@arbor.net>, <CAOjisRzaBtWZJrz8rGw+2K_nwb=O2GR4gkYyJq0VEZinJnecQQ@mail.gmail.com>
In-Reply-To: <CAOjisRzaBtWZJrz8rGw+2K_nwb=O2GR4gkYyJq0VEZinJnecQQ@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JBaCC_6KaNdGwjqT1wGunxq2XQI>
Subject: Re: [TLS] draft-green-tls-static-dh-in-tls13-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Jul 2017 04:04:06 -0000

Nick Sullivan <nicholas.sullivan@gmail.com>; writes:

>the Elliptic Curve variant has recently been identified as troublesome as
>well (see recent JWE vulnerability
>https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html 
>and CVE-2017-8932).

Which sorta begs the question, why was it put in the standard (or at least an
addendum to the standard) in the first place?  Misusing DH as if it was RSA
was a dumb idea [0] when it was made a part of S/MIME twenty years ago - the
entire S/MIME implementer community ignored the X9.42 MUST and kept on using
the RSA MAY as if it was the MUST, and PGP used it as Elgamal even if they
labelled it DH.  Given that JWE quite sensibly specifies RSA-OAEP, why was
ECDH-ES also given as an option, and why would anyone then actually use it
rather than just ignoring it like X9.42?

Peter.

[0] I was going to say "bad idea" but it was so obviously wrong to pretty much
    everyone involved that I've upgraded the epithet.