[TLS] FFDHE and SHOULDs on usage
Martin Thomson <martin.thomson@gmail.com> Thu, 13 November 2014 20:05 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8760C1ACFAC for <tls@ietfa.amsl.com>; Thu, 13 Nov 2014 12:05:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4
X-Spam-Level:
X-Spam-Status: No, score=-4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_INVITATION=-2, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IHdcIhgRyic8 for <tls@ietfa.amsl.com>; Thu, 13 Nov 2014 12:05:22 -0800 (PST)
Received: from mail-ob0-x22f.google.com (mail-ob0-x22f.google.com [IPv6:2607:f8b0:4003:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 196B81ACFDC for <tls@ietf.org>; Thu, 13 Nov 2014 12:05:03 -0800 (PST)
Received: by mail-ob0-f175.google.com with SMTP id gq1so11473358obb.20 for <tls@ietf.org>; Thu, 13 Nov 2014 12:05:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=q9LSC5LVEAm1iHtjlt3d7pFp0kavVTVK9r8QISC34a8=; b=QFn97bvtJTIWKbUVuY9iCcmbAQuk6PXUn9N5BpAZ0JnGPedXIuOcwt6S07Y2xALlBe 6XVdh2OXC94aZ5G278MwUpWdA0LSxMgvrnybz9PttjQePNXcyMwVV54xDzg+M0sr00DQ /UYrOfLhHU2WQBwVUKgxNCBJDFO8BkSlL3Lp4RW2SjCNZOQLeqQJjVBdl1vnQpBuwiLr KRfBu2Tj/3UgQ13fCasfWioB1pB7/h6UYXFjrVZYQciSwGlNMbvaJ2fuaaQPGOvNFV1n HPtOKOTCWeCm0ozS0PiOt9ArWvRQZxlWg/I+AUgY0TrG60QEaMLYjiV/wtmbQEh5tWs4 fPCg==
MIME-Version: 1.0
X-Received: by 10.60.177.41 with SMTP id cn9mr3207961oec.63.1415909102394; Thu, 13 Nov 2014 12:05:02 -0800 (PST)
Received: by 10.202.197.212 with HTTP; Thu, 13 Nov 2014 12:05:02 -0800 (PST)
Date: Thu, 13 Nov 2014 12:05:02 -0800
Message-ID: <CABkgnnVxLJhpm+vjUsaQTBGOQ7n=MDBiR3Pk+f7J0m_0rRGT+A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Kuth-Jp73n0ABYALzx-BiogqoVo
Subject: [TLS] FFDHE and SHOULDs on usage
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Nov 2014 20:05:24 -0000
The thesis here is that strong groups (and 2048 isn't that strong) are extremely expensive to verify, and folks are unlikely to do that verification. Therefore, the pick-your-own-group method is not just a bad idea, but an invitation to attack. The draft as written, however, allows all sorts of escapes in the form of SHOULD-based statements for clients and servers to negotiate FFDHE ciphersuites with the server doing PYOG. Clients who want to do PYOG can simply not support (or pretend to not support) this draft. ## Details: The draft says that, for servers: If a compatible TLS server receives a Supported Groups extension from a client that includes any FFDHE group (i.e. any codepoint between 256 and 511 inclusive, even if unknown to the server), and if none of the client-proposed FFDHE groups are known and acceptable to the server, then the server SHOULD NOT select an FFDHE ciphersuite. I think that this needs to be a MUST. If the client is willing to take the servers choice of group, then it would not be including the fixed groups. Similarly, all the SHOULDs in the client behaviour section needs to be hardened. OLD: The compatible client that wants to be able to negotiate strong FFDHE SHOULD send a "Supported Groups" extension NEW: The compatible client that wants to be able to negotiate strong FFDHE sends a "Supported Groups" extension Rationale: This is purely axiomatic. OLD: A client that offers any of these values in the elliptic_curves extension SHOULD ALSO include at least one FFDHE ciphersuite in the Client Hello. NEW: A client that offers a NamedCurve extension containing a FFDHE group cannot use Rationale: No need for normative language here, this is purely a (relevant) observation. And "SHOULD ALSO" doesn't appear in RFC 2119 ;) The only escape valve that is needed already exists: If none of the offered groups match, the server is not compatible with this draft. The client MAY decide to continue the connection if the selected group is acceptable under local policy, or it MAY decide to terminate the connection with a fatal insufficient_security(71) alert.
- [TLS] FFDHE and SHOULDs on usage Martin Thomson
- Re: [TLS] FFDHE and SHOULDs on usage Bodo Moeller
- Re: [TLS] FFDHE and SHOULDs on usage Martin Thomson
- Re: [TLS] FFDHE and SHOULDs on usage Daniel Kahn Gillmor
- Re: [TLS] FFDHE and SHOULDs on usage Martin Thomson
- [TLS] please review (was: Re: FFDHE and SHOULDs o… Sean Turner
- Re: [TLS] FFDHE and SHOULDs on usage Daniel Kahn Gillmor
- Re: [TLS] FFDHE and SHOULDs on usage Martin Thomson
- Re: [TLS] FFDHE and SHOULDs on usage Martin Rex
- Re: [TLS] FFDHE and SHOULDs on usage Andrey Jivsov
- Re: [TLS] FFDHE and SHOULDs on usage Thijs van Dijk
- Re: [TLS] FFDHE and SHOULDs on usage Hubert Kario