Re: [TLS] Requiring that (EC)DHE public values be fresh
Adam Langley <agl@imperialviolet.org> Thu, 29 December 2016 19:36 UTC
Return-Path: <alangley@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14E76129614 for <tls@ietfa.amsl.com>; Thu, 29 Dec 2016 11:36:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QI3AdA-IcKgT for <tls@ietfa.amsl.com>; Thu, 29 Dec 2016 11:36:10 -0800 (PST)
Received: from mail-io0-x244.google.com (mail-io0-x244.google.com [IPv6:2607:f8b0:4001:c06::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52786129488 for <tls@ietf.org>; Thu, 29 Dec 2016 11:36:10 -0800 (PST)
Received: by mail-io0-x244.google.com with SMTP id j76so22221142ioe.0 for <tls@ietf.org>; Thu, 29 Dec 2016 11:36:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=K7flfoqkZHvS5vWknHKurKDPYnPqDCH6z8kUjB/ln5A=; b=jN8OPhpOPpNnauax5bMgfVV0NNzZPU5pYQ3PDDc2XqD3PrM3A9g9y8GnHwbZtdOFky rx4E23T5UbPHw5qLHzQSIBcPsSPBvgikli4oKbl35rtZ9NBeIPzKFuMdVYD8cgzbKes4 9OHj+AHYBTEcjAe2i66lW73dOief87MRdQAUqKTTD/ypOcoC7iKhqVljxCL+kTjWyVOG 6aMgl52Z49cX1LD2+qhZrywoxtAmhTPMVNMoUL2dgTON6Z5owi8tp65wG+oq6J3jk+P5 sFkgUjvmF2f/9IEWRKqcThbn1Wxxo7UA1msgxG5Wgz6vUiwBNqNuRSNutAvdUZ0S3jMX V0cQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=K7flfoqkZHvS5vWknHKurKDPYnPqDCH6z8kUjB/ln5A=; b=TR9UWqI77fBr39vnMvIy5cvp1/mYPINuHRyzsgSgkQf1sVvhE+ZRgLqS2w+TK9j+Kd mP2IqSTo4Q1EDgbxZt0b5TVSlhIuuM9jy6nGOVjexYxOnzgG79T3HEv/+0jW0hj15KsA Z5bRTdlhDp+/Xwiq2hhGI7vGLmelBapltIclIJI8Q6hZHEdsAgiSFLeFrF0lZOPrL305 FaxGOEWAxUpDDw4H+msmnkjfAe8jRzXCGa7AlNHXFUoC9zo+gin3xZKJBofSIqX+QE/x q5JBOH/t0pEWjxbjah8p3/lxYULmBKV+7nI2ID1FGxsKiPoUL7CXIsjQ+a3sF2sd3RI4 DmTw==
X-Gm-Message-State: AIkVDXLMLvfqS6oZraMOUj3ZSFxWkkFAgTYku4EN+JeMo0dsIxLRBauzQv1eCQodoxNLDyuWarT+zdJ/h81ZpQ==
X-Received: by 10.107.134.131 with SMTP id q3mr24587240ioi.168.1483040169563; Thu, 29 Dec 2016 11:36:09 -0800 (PST)
MIME-Version: 1.0
Sender: alangley@gmail.com
Received: by 10.36.22.83 with HTTP; Thu, 29 Dec 2016 11:36:09 -0800 (PST)
In-Reply-To: <20161229192845.201121A5D4@ld9781.wdf.sap.corp>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <20161229192845.201121A5D4@ld9781.wdf.sap.corp>
From: Adam Langley <agl@imperialviolet.org>
Date: Thu, 29 Dec 2016 11:36:09 -0800
X-Google-Sender-Auth: F3jegHnlLQy3hXxXjXACZiPAHy0
Message-ID: <CAMfhd9U5Hb6nviALf1W4QK3ZVdh18QZfRCMM-Zgs1gJoC6Y3WQ@mail.gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/O64hoJqQIZU0YFgXLPbk7ZKSNSs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Requiring that (EC)DHE public values be fresh
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Dec 2016 19:36:12 -0000
On Thu, Dec 29, 2016 at 11:28 AM, Martin Rex <mrex@sap.com> wrote: > First of all, forward secrecy is equally defeated by TLS session caching > (traditional as well as session tickets), and the effect of rfc5077 > TLS session tickets is likely at least a magnitude worse--and cannot > be "fixed" by clients purging the tickets earlier. That is true in TLS 1.2, but one of the things that have been addressed in 1.3. > Reuse of DHE values should not come as a surprise, PFS with DHE is > prohibitively expensive with 2048+ bit ephemeral keys. DHE in TLS has > been well known to be fatally flawed (publicly known since the issue > was raised by Yngve on the TLS ietf mailing list in 2007). > https://www.ietf.org/mail-archive/web/tls/current/msg01647.html > > Since Sun/Oracle hardwired DHE to at most 1024 bits up to JavaSE 7, > i.e. on Billions on devices out there, DHE in TLS is a very dead horse. Again, true in 1.2 but 1.3 has fixed the groups to stronger values. Also, the key-generation of DHE is significantly cheaper than the key-agreement so ephemeral values might be more reasonable then benchmarks suggest. As noted, I think specifying a maximum caching duration is plausible. (Google servers cache QUIC X25519 values for 60-seconds, for example.) But I'm worried about an endless discussion about how long is too long (or long enough). > Now what does it mean when a _client_ that happens to connect to one > of these 14.4% Alexa top 1M sites that reuse ECDHE values, notices a > reuse of ECDHE on a repeated full handshake (which will not happen > immediately due to session caching&resumption). This would result > is random handshake failures (client aborting the TLS handshake). > The server doesn't know why the client chokes, only the client can > decided to retry, but this is unlikely to affect the servers approach > to reusing the (EC)DHE value at all. The idea is to establish this in clients early in the life of 1.3 so that the pressure is enough to keep the ecosystem clean. I don't think that enforcing it in versions prior to 1.3 is viable. Cheers AGL
- Re: [TLS] Requiring that (EC)DHE public values be… Martin Rex
- [TLS] Requiring that (EC)DHE public values be fre… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Eric Rescorla
- [TLS] cross-domain cache sharing and 0rtt (was: R… Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Eric Rescorla
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Brian Smith
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Richard Barnes
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Bill Frantz
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Scott Schmit
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Dan Brown
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Peter Gutmann
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Colm MacCárthaigh
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Martin Thomson
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Kurt Roeckx