IETF Logo Mail Archive

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

Joseph Salowey <joe@salowey.net> Fri, 27 August 2021 03:09 UTC

Return-Path: <joe@salowey.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E20183A02C1 for <tls@ietfa.amsl.com>; Thu, 26 Aug 2021 20:09:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rPn1nvH_FRk8 for <tls@ietfa.amsl.com>; Thu, 26 Aug 2021 20:08:58 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31F463A0143 for <tls@ietf.org>; Thu, 26 Aug 2021 20:08:58 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id j12so8856188ljg.10 for <tls@ietf.org>; Thu, 26 Aug 2021 20:08:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=3m+CQRXIRAevNIk5eVERUJB6UbXRPVfp+lj6CO/oooE=; b=uf73o7FneE0x0Hpz3io8sWWRuJ/T42KukOiP7wOCz4tTYC2SyJyzlW97eIR5QJ/78m OaR6PI540VkJUE3uB9R7l/gaLS4r0dLp55qgyjj15g0gRZo0fizMWg1k9k/cY+iXf5gn kJL00+m3NheASe0vz5uTMclfOdGdmSIuaEtZdPWW7o/HJGFbKM+byySRmsMcAQkqfNSV OQUexoT9TD/CM3j7XD23BtuxLfqJBEjDNearTDd0igCMqIVmlCC2HRBPisR0lp1yCDQh kO6xIFmJv0s4hqDuS9OmnTqEZxcaZb+DwOMskmkO4H7FQbQns/ZG0LHQHrCUm/2qZCja ER+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=3m+CQRXIRAevNIk5eVERUJB6UbXRPVfp+lj6CO/oooE=; b=AAMq3yXGgy/WFMq7hYPpPKbAirsxYxgNDyRMZgdxEYSBLxmKle2w8VMJ/KBBQZqJ4o F6qoNWj2pzW+mUxKJg9OFgI6udqz9rQjAAr0u6nQ3SXqBkfV27WZjLSmOOsxSxGxyio9 UvVVGfk/VUVt2xwXHv/hUzM72Cv2HFbCsOM5e/k6uCE7pcRKkBknPlUDwrPbK7Z1h6NS QDutvKYythNhR+i8da/9e+Z5CKGBiBk+KbV83aHWLT/AeAX8l9KokQCOTgLMFZKPFNt6 4qPjEECwXhUnHq4TtgHKrZTlqHVoCTAdz67b3bh0ROmb5gWb8WUrWriYxR/5Pe0/myxR g4AA==
X-Gm-Message-State: AOAM531OEKPLkzNTCvlyXBNmvuaQ2FvWPG9ID5tH0EDXYCV0CNe6CuTy pI0L+Wz8mTroktkNscbyxhAivpIzWtEnYTSf9UH0ciulGs1e7Q==
X-Google-Smtp-Source: ABdhPJw7/Lw/gaN3FKgYhItqKcJTvZfO4ODlzSvNTS56DAd58N4VzGOzBYjH8O1mBvIDfrgZMPKqabaMWutbezlIEIw=
X-Received: by 2002:a2e:90d6:: with SMTP id o22mr5813025ljg.366.1630033731013; Thu, 26 Aug 2021 20:08:51 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoC4C0bWz0h0iyzGzMPEoDKAPv4euoOkmS+6Uuxncux4Zg@mail.gmail.com> <cc9c9d9f-d6b1-3b93-1231-a9a9c34a7fcd@gmail.com> <67533325-2983-47B7-871C-D90799D09532@ll.mit.edu> <CAOgPGoDAvnFic3VmEsge3i8C2FEfWp74ac_ievtfNo=MQB+C8g@mail.gmail.com> <C8E91D9B-2326-4AAF-9952-69481081E337@ll.mit.edu> <BD109A95-129A-4995-AFCA-FEF10DBD6440@icloud.com>
In-Reply-To: <BD109A95-129A-4995-AFCA-FEF10DBD6440@icloud.com>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 26 Aug 2021 20:08:39 -0700
Message-ID: <CAOgPGoBMhhsTupXuWF__zkLuy-4qQhha_Kp1_+ToZrNoaFUsgQ@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000825f4b05ca81cd75"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MiJpVxvG-fSdn7GaxROiON5OPp4>
Subject: Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Aug 2021 03:09:05 -0000

Thanks for all the discussion on this topic.  There are several modes that
TLS 1.2 can operate with respect to DH.  Below is a proposal on cases to
merge some of the cases covered by this draft into the obsolete keyex
draft.  I'd like to see if there is some consensus to make this change
before we adopt it into the working group.

1. static-static where both client and server have DH certificates with
long term keys.  I think we have general consensus that this mode should be
a must not.  To deprecate this mode I think we need to state that clients
MUST NOT use certificates of type rsa_fixed_dh and dsa_fixed_dh and server
MUST NOT request them.  Would the working group support merging this
guidance into the obsolete keyex draft?

2. ephemeral-static where the client uses an ephemeral key and the server
uses a long term key.  This mode does not provide forward secrecy.  I'm not
sure we have reached consensus on how far to deprecate this option.  Would
the working group support MUST NOT use these ciphersuites unless forward
secrecy does not matter for your use case and any implementation guidance
provided to avoid weaknesses is followed?

3. ephemeral-ephemeral  - I think these are already covered in the obsolete
keyex draft.

Thanks,

Joe

On Sun, Aug 22, 2021 at 9:32 PM Carrick Bartle <cbartle891@icloud.com>
wrote:

> >   which is a main reason cited for deprecating RSA
> in draft-aviram-tls-deprecate-obsolete-kex.
>
> Have the authors look at Post-Quantum KEMs?
>
>
> I'm not sure why PQ KEMs are relevant here.
>
>
> On Aug 17, 2021, at 10:41 AM, Blumenthal, Uri - 0553 - MITLL <
> uri@ll.mit.edu> wrote:
>
> >  Regardless of the Raccoon attack, the static DH and ECDH ciphersuites
> do not provide
> >  forward secrecy,
>
> Unless you use semi-static exchange, which in many cases makes sense.
>
> >   which is a main reason cited for deprecating RSA
> in draft-aviram-tls-deprecate-obsolete-kex.
>
> Have the authors look at Post-Quantum KEMs?
>
> >  Do you object to just the citation of the Raccoon attack or do you also
> feel that we
> >  should keep these ciphersuites that do not provide forward secrecy
> around?
>
> I think these suites should stay around.
>
> While static-static indeed do not provide forward secrecy (and many of us
> – though not everybody! – carry for that), static-ephemeral DH and ECDH are
> perfectly fine from that point of view.
>
>
>
> On Fri, Aug 13, 2021 at 10:20 AM Blumenthal, Uri - 0553 - MITLL <
> uri@ll.mit.edu> wrote:
>
> I agree with Rene’s points.
>
> --
> Regards,
> Uri
>
>
>
> *From: *TLS <tls-bounces@ietf.org> on behalf of Rene Struik <
> rstruik.ext@gmail.com>
> *Date: *Friday, August 13, 2021 at 09:58
> Dear colleagues:
>
> I think this document should absolutely *not* be adopted, without
> providing far more technical justification. The quoted Raccoon attack is an
> easy to mitigate attack (which has nothing to do with finite field groups,
> just with poor design choices of postprocessing, where one uses
> variable-size integer representations for a key). There are also good
> reasons to have key exchanges where one of the parties has a static key,
> whether ecc-based or ff-based (e.g., sni, opaque), for which secure
> implementations are known. No detail is provided and that alone should be
> sufficient reason to not adopt.
>
> Rene
>
> On 2021-07-29 5:50 p.m., Joseph Salowey wrote:
>
> This is a working group call for adoption for Deprecating FFDH(E)
> Ciphersuites in TLS (draft-bartle-tls-deprecate-ffdhe-00
> <https://datatracker.ietf.org/doc/draft-bartle-tls-deprecate-ffdhe/>). We
> had a presentation for this draft at the IETF 110 meeting and since it is
> a similar topic to the key exchange deprecation draft the chairs want to
> get a sense if the working group wants to adopt this draft (perhaps the
> drafts could be merged if both move forward).  Please review the draft and
> post your comments to the list by Friday, August 13, 2021.
>
> Thanks,
>
> The TLS chairs
>
>
>
> _______________________________________________
>
> TLS mailing list
>
> TLS@ietf.org
>
> https://www.ietf.org/mailman/listinfo/tls
>
>
>
> --
>
> email: rstruik.ext@gmail.com | Skype: rstruik
>
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
>

v2.23.0 | Report a Bug | By Email