Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-00.txt

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 26 July 2014 21:13 UTC

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LWS4KsVoubN-eu38LCo9rLx47a4

On 07/25/2014 08:13 AM, Daniel Kahn Gillmor wrote:
> On 07/24/2014 10:53 AM, Peter Gutmann wrote:
>> - Why not just use the well-known and -accepted IKE groups from RFC 3526 for
>> this?  In fact why invent entirely new groups (that don't even cover the
>> existing range in RFC 3526) when there's already well-established ones
>> available?
>
> There's a possibility that a very expensive (e.g. precomputation) attack
> exists that can be mounted against any given group.  If we reuse the
> same group used by other mechanisms (e.g. ipsec) then the value for
> mounting such an expensive attack goes up.
>
> Selecting a different group forces an attacker to choose which group to
> attack.
>

Both IKE and TLS are high value enough that (choose your favorite 
3-letter acronym) would gladly spend the money to break either or both, 
if such an attack was possible. And actually the logical outcome of your 
argument is that we need 10 or 100 new named groups in TLS to minimize 
this risk. I don't think anybody is seriously considering that.

Thanks,
	Yaron