Re: [TLS] Do we need DH?

Maarten Bodewes <maarten.bodewes@gmail.com> Tue, 30 December 2014 14:40 UTC

Return-Path: <maarten.bodewes@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30C371A00C5 for <tls@ietfa.amsl.com>; Tue, 30 Dec 2014 06:40:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.599
X-Spam-Level:
X-Spam-Status: No, score=-0.599 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJlPS0BA9Xoc for <tls@ietfa.amsl.com>; Tue, 30 Dec 2014 06:40:51 -0800 (PST)
Received: from mail-vc0-x230.google.com (mail-vc0-x230.google.com [IPv6:2607:f8b0:400c:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C64421A00BF for <tls@ietf.org>; Tue, 30 Dec 2014 06:40:50 -0800 (PST)
Received: by mail-vc0-f176.google.com with SMTP id hq12so5652313vcb.7 for <tls@ietf.org>; Tue, 30 Dec 2014 06:40:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=gjqc4BZiGKoF+cDNLuEWkLkYalLuVSvPySqdDURO3uU=; b=ivh/YBJTldqrPF7G9xUXhDfMpaFXs5ktrX8tjb4jLY7+5JuDjjn3SRBb3Oys2CiWSX fMrXMg0o+10wtGaiT3Ll7dAsN0kI+1QVML5CcUdj4sJcOpRlm6JluX2jm0aE2+GiWQrf slDQ5Egu0o8MSOyj2ayHDdY7fNwGSkYY42FAkxsvG5HJhZuXd8rC7NHexMx5CDCZXyeQ 9gCChOeXjNGW2WgQ4qGqR4hxegz9qO/OjU+3QAfbVJALp7uPWGCDryU0AqrDY09Ko4C7 0rbjdZMy9zG34XEuswu7AevuBleizhMiL6aBYkqFXoi0sw95/tb81SSX5yO61tXmEzY3 JTiA==
MIME-Version: 1.0
X-Received: by 10.220.102.20 with SMTP id e20mr31723391vco.12.1419950449957; Tue, 30 Dec 2014 06:40:49 -0800 (PST)
Received: by 10.52.142.171 with HTTP; Tue, 30 Dec 2014 06:40:49 -0800 (PST)
In-Reply-To: <54A252EA.1010905@iki.fi>
References: <CACsn0cmD=YA4i889f--e_b-OahUVoYdKyQUaiUN--QKOmqn8uA@mail.gmail.com> <54A252EA.1010905@iki.fi>
Date: Tue, 30 Dec 2014 15:40:49 +0100
Message-ID: <CADwHJ+8yyOBM7cT-fQwHHvaDF=9vHHdA-=DMMrZBfD_VFGXS9Q@mail.gmail.com>
From: Maarten Bodewes <maarten.bodewes@gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="047d7b3a94422b20d8050b6ffae6"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/M08EO3rh5fbqPVZphKjIzqUjlps
Subject: Re: [TLS] Do we need DH?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Dec 2014 14:40:52 -0000

On Tue, Dec 30, 2014 at 8:23 AM, Tapio Sokura <tapio.sokura@iki.fi> wrote:

>
> With regards to all eggs being in the same basket, AES is also something
> that really should have a realistic alternative standardized and
> deployed _before_ (/if) AES is broken. Like SHA-3 is coming around the
> corner while SHA-2 is still well alive and kicking.
>

Although it doesn't invalidate the rest of your argument, the SHA-3
competition was started up when SHA-1 was under significant attack. It
wasn't clear at that time if SHA-2 would be affected as well. By now no
SHA-1 collisions have been found, and - more importantly - the attacks on
SHA-1 don't seem to translate to SHA-2. This is probably a main reason why
at the time of writing SHA-3/Keccak is still not finalized as a standard
(although I expect it will be soon).

The main problem with ECDH is that it can be executed without performing
enough verification on the parameters or public key. But those issues are
present for DH as well. So in my opinion the main thing speaking for DH is
it's relative simplicity of implementation compared to ECDH (for some
libraries ECDH is slower than DH for comparative levels of security for
this reason alone!).

Regards,
Maarten