Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh
Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 02 January 2017 04:09 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E78B012954B for <tls@ietfa.amsl.com>; Sun, 1 Jan 2017 20:09:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.3
X-Spam-Level:
X-Spam-Status: No, score=-7.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wKxvNym9ipgG for <tls@ietfa.amsl.com>; Sun, 1 Jan 2017 20:09:07 -0800 (PST)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E7E112947F for <tls@ietf.org>; Sun, 1 Jan 2017 20:09:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1483330146; x=1514866146; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=wponG/hBdpxHnjsIYcOO35ziyy0k064+XMq6ID8xTp4=; b=H7eF/Nlg4GC4AkSlaItCIR5jByrRrycMqYEWyW7hqDNQUmQJffwTwKUA 5rDMAyMzN2sCG3p0xnwzr/JXQWp9gBwlevPZeNY1mhRrB22Yy4h7Z5F9U kEJmNJGIDaGi6n52hMKJg/RarjdR+JKrppUaYEl6p5qHANqvZxoz5ofYP 952gid7BXZr6jxuw3BbbSkyi72i+TbfovSBumYLM/ELEWZT3QQvPqT30r bJHTrVw1A8oQCNa8bK/9kT7rfXgtLLzGna/ywsVFadSe11RKRMX3OXoQ9 SC1z42a+XEvei7YCeo8qWm5DrEDdpA7uIcMr2QC7nGsSSxhle/ZoBU8Iu A==;
X-IronPort-AV: E=Sophos;i="5.33,432,1477911600"; d="scan'208";a="123482679"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.3 - Outgoing - Outgoing
Received: from uxcn13-ogg-b.uoa.auckland.ac.nz ([10.6.2.3]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 02 Jan 2017 17:09:03 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-b.UoA.auckland.ac.nz (10.6.2.23) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 2 Jan 2017 17:09:03 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Mon, 2 Jan 2017 17:09:03 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>, Adam Langley <agl@imperialviolet.org>
Thread-Topic: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh
Thread-Index: AQHSZFairLbDH8qWXUS+vlGTA4gOHKEkkwFS
Date: Mon, 02 Jan 2017 04:09:02 +0000
Message-ID: <1483330131409.25713@cs.auckland.ac.nz>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <CAFewVt44xm3rgm=n8PpEcqbTvC-Ei2EvoJciL=+m2UnQ-fUm2A@mail.gmail.com> <CAMfhd9Xq4RA6XBqLZtsbWSnMk4SnvZLC9V3_gCH-FzyVBMg4xg@mail.gmail.com>, <CADi0yUPSkBhyuX7utW1tsVkkbDc6YgBLie41qWPwbo+X6CpuZA@mail.gmail.com>
In-Reply-To: <CADi0yUPSkBhyuX7utW1tsVkkbDc6YgBLie41qWPwbo+X6CpuZA@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LCmwSlGQ39uG0qvH_SW5L5dXXVQ>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2017 04:09:09 -0000
Hugo Krawczyk <hugo@ee.technion.ac.il> writes: >there may be applications with legitimate reasons not to use FS. It's not so much reasons not to use FS (well, there are some specialised cases where people want to do that as well), it's reasons to reuse (EC)DH values. This isn't something that was ever mentioned in the spec, it's what developers have implemented themselves in order to deal with high-load conditions. This also means that no matter what the spec might say in the future, if you've got a developer facing a situation where they need 480% of available CPU to service requests then they're going to do things like cache (EC)DH, regardless of what the spec says. So making it a MUST NOT will end up as what someone on PKIX once described as "workgroup posturing". Better to include an advisory note on using it, for example what TLS-LTS says: TLS-LTS mandates the use of cipher suites that provide so-called Perfect Forward Secrecy (PFS), in which an attacker can't record sessions and decrypt them at a later date. The PFS property is however impacted by the TLS session cache and session tickets, which allow an attacker to decrypt old sessions. The session cache is relatively short-term and only allows decryption while a session is held in the cache, but the use of long-term keys in combination with session tickets means that an attacker can decrypt any session used with that key, defeating PFS: o Implementations SHOULD consider the impact of using session caches and session tickets on PFS. Security issues in this area can be mitigated by using short session cache expiry times, and avoiding session tickets or changing the key used to encrypt them periodically. Another form of cacheing that can affect security is the reuse of the supposedly-ephemeral DH value y = g^x mod p or its elliptic curve equivalent. Instead of computing a fresh value for each session, some servers for performance reasons compute the y value once and then reuse it across multiple TLS sessions. If this is done then an attacker can compute the discrete log value from one TLS session and reuse it to attack later sessions: o Implementations SHOULD consider the impact of reusing the y = g^x mod p value across multiple TLS sessions, and avoid this reuse if possible. Where the reuse of y is unavoidable, it SHOULD be refreshed as often as is feasible. One way to do this is to compute it as a background task so that a fresh value is available when required. Peter.
- Re: [TLS] Requiring that (EC)DHE public values be… Martin Rex
- [TLS] Requiring that (EC)DHE public values be fre… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Eric Rescorla
- [TLS] cross-domain cache sharing and 0rtt (was: R… Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Eric Rescorla
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Brian Smith
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Richard Barnes
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Bill Frantz
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Scott Schmit
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Dan Brown
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Peter Gutmann
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Colm MacCárthaigh
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Martin Thomson
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Kurt Roeckx