[TLS] Short Ephermal Diffie-Hellman keys

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Mon, 14 May 2007 07:42 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HnVCe-0008QL-NT; Mon, 14 May 2007 03:42:44 -0400
Received: from [] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HnVCc-0008QF-Lu for tls@lists.ietf.org; Mon, 14 May 2007 03:42:42 -0400
Received: from sam.opera.com ([]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HnVCb-0002yj-7U for tls@lists.ietf.org; Mon, 14 May 2007 03:42:42 -0400
Received: from nimisha.oslo.opera.com (pat-tdc.opera.com []) (authenticated bits=0) by sam.opera.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l4E7gY2Z011175 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <tls@lists.ietf.org>; Mon, 14 May 2007 07:42:39 GMT
Date: Mon, 14 May 2007 09:41:59 +0200
To: tls@lists.ietf.org
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Content-Type: text/plain; format=flowed; delsp=yes; charset=iso-8859-15
MIME-Version: 1.0
Message-ID: <op.tsa3n9ttqrq7tp@nimisha.oslo.opera.com>
User-Agent: Opera Mail/9.20 (Win32)
X-Virus-Scanned: ClamAV 0.90.1/3242/Mon May 14 04:57:51 2007 on sam.opera.com
X-Virus-Status: Clean
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by sam.opera.com id l4E7gY2Z011175
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0ddefe323dd869ab027dbfff7eff0465
Subject: [TLS] Short Ephermal Diffie-Hellman keys
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Hello all,

I have recently started to see an increasing number of reports about  
SSL/TLS servers using short Ephermal Diffie-Hellman keys, in some cases  
very short ones.

Opera's SSL/TLS client will display warnings to users if the server is  
using RSA/DH/DSA keys shorter than (currently) 900 bits. All keys used in  
the chain, including the CA certificates are included in this evaluation,  
as well as the ephermal key, if the server selects a cipher with an  
ephermal key.

The short DHE keys I have seen have usually been 512 bits, but I have seen  
servers sending keys as short as 256 bits.

I have seen these keys on both normal webservers and mail servers, but I  
have an impression that there are more reports about the mail servers.

I think it might be an idea for TLS specification to include  
recommendations about how such keys should be selected.

My preference for such a recommendation is that the ephermal key should be  
as long, or as strong, as the key used to sign the ephermal key. I don't  
think the specification should mention specific keylengths, because what  
is secure is likely to change over time.


As far as Opera is concerned, I am considering a few options, including  
automatically disabling the ephermal ciphersuites or re-sorting the cipher  
suite list toplace them last, and renegotiate the connection.

Yngve N. Pettersen
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01

TLS mailing list