Re: [TLS] security levels for TLS

Eric Rescorla <ekr@networkresonance.com> Thu, 11 October 2007 16:03 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig0V5-0007Ic-7Z; Thu, 11 Oct 2007 12:03:03 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1Ig0V3-0007HH-Po for tls-confirm+ok@megatron.ietf.org; Thu, 11 Oct 2007 12:03:01 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig0V3-00075R-G6 for tls@lists.ietf.org; Thu, 11 Oct 2007 12:03:01 -0400
Received: from [74.95.2.169] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ig0Up-0008Rm-Iq for tls@lists.ietf.org; Thu, 11 Oct 2007 12:02:56 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 965C733C28; Thu, 11 Oct 2007 08:58:29 -0700 (PDT)
Date: Thu, 11 Oct 2007 08:58:27 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] security levels for TLS
In-Reply-To: <470E4399.3010008@pobox.com>
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil> <470D0243.3050009@pobox.com> <20071010180324.7ABC533C21@delta.rtfm.com> <470E4399.3010008@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20071011155829.965C733C28@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: cd26b070c2577ac175cd3a6d878c6248
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

At Thu, 11 Oct 2007 08:39:05 -0700,
Mike wrote:
> 
> I think there is good reason to try to solve this problem
> in the TLS layer.  The alternative is to force every TLS-
> enabled application to solve it (and likely they won't
> solve it and be less secure).  Wouldn't it be ideal if an
> application could just say:
> 
>      TLS::SetSecurityLevel (3);

No, it would not, because, I've now said several times, security is
not expressible via a single metric, making this a complete rathole.


> Currently an application has to do the following:
> 
>     1) configure TLS layer with acceptable cipher suites
>     2) connect to server
>     3) negotiate a TLS session
>        (many applications will stop here)
>     4) check that the negotiated parameters meet the
>        application's idea of good security
>     5) if not, abort TLS session, disconnect, remove
>        some cipher suites from the acceptable list and
>        goto step 1

Again, do you have any evidence this is a problem in practice.
I appreciate it's a potential problem *in theory* but that's
not the same thing.


> It would be much better if all that was needed was to
> replace the TLS library with an updated version.  Or
> better yet, the TLS library may have a plain text
> configuration file for its security levels that could
> be replaced, and all you need to do is restart your
> applications.

And again, this is an API/local isssue. IETF doesn't do
those.


> > Absent some significant evidence that this is a problem in 
> > practice, I'm against the TLS WG doing anything along these
> > lines.
> 
> The folks at Opera Software have expressed how difficult
> it was to secure their browser, and how insecure some
> servers are (256-bit DH parameters!).

Yes that's interesting but irrelevant. Those are pretty
clearly mistakes on the server side, as are RSA e values
of 1. Neither is likely to be fixed by specifying security
levels in the way you suggest.


> Another issue I've been meaning to bring up is that
> if you want forward secrecy, you need to use Diffie-
> Hellman; however, there is no way to tell the server
> the size of the parameter p you want.  Increasing the
> size of p has significant performance implications,
> so servers will typically use 1024 bits.  On my Windows
> machine, it takes 0.02 seconds to generate a public key
> and another 0.02 seconds to compute the secret using
> 1024-bit parameters.  Moving to 2048-bit parameters,
> the computation time increases to 0.15 seconds each.
> 4096-bit computations take 1.1 seconds.  No server
> operator will decrease throughput by a factor of 50
> for everyone, just to accommodate the few who want
> this level of security.  It would be better if those
> who want to use 4096 bits could ask for it.

Again, please present some evidence that this is a real
practical issue outside of a very small population of 
keylength fetishists.

-Ekr



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls