Re: [TLS] security levels for TLS
Eric Rescorla <ekr@networkresonance.com> Thu, 11 October 2007 16:03 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig0V5-0007Ic-7Z; Thu, 11 Oct 2007 12:03:03 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1Ig0V3-0007HH-Po for tls-confirm+ok@megatron.ietf.org; Thu, 11 Oct 2007 12:03:01 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig0V3-00075R-G6 for tls@lists.ietf.org; Thu, 11 Oct 2007 12:03:01 -0400
Received: from [74.95.2.169] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ig0Up-0008Rm-Iq for tls@lists.ietf.org; Thu, 11 Oct 2007 12:02:56 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 965C733C28; Thu, 11 Oct 2007 08:58:29 -0700 (PDT)
Date: Thu, 11 Oct 2007 08:58:27 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] security levels for TLS
In-Reply-To: <470E4399.3010008@pobox.com>
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil> <470D0243.3050009@pobox.com> <20071010180324.7ABC533C21@delta.rtfm.com> <470E4399.3010008@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20071011155829.965C733C28@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: cd26b070c2577ac175cd3a6d878c6248
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
At Thu, 11 Oct 2007 08:39:05 -0700, Mike wrote: > > I think there is good reason to try to solve this problem > in the TLS layer. The alternative is to force every TLS- > enabled application to solve it (and likely they won't > solve it and be less secure). Wouldn't it be ideal if an > application could just say: > > TLS::SetSecurityLevel (3); No, it would not, because, I've now said several times, security is not expressible via a single metric, making this a complete rathole. > Currently an application has to do the following: > > 1) configure TLS layer with acceptable cipher suites > 2) connect to server > 3) negotiate a TLS session > (many applications will stop here) > 4) check that the negotiated parameters meet the > application's idea of good security > 5) if not, abort TLS session, disconnect, remove > some cipher suites from the acceptable list and > goto step 1 Again, do you have any evidence this is a problem in practice. I appreciate it's a potential problem *in theory* but that's not the same thing. > It would be much better if all that was needed was to > replace the TLS library with an updated version. Or > better yet, the TLS library may have a plain text > configuration file for its security levels that could > be replaced, and all you need to do is restart your > applications. And again, this is an API/local isssue. IETF doesn't do those. > > Absent some significant evidence that this is a problem in > > practice, I'm against the TLS WG doing anything along these > > lines. > > The folks at Opera Software have expressed how difficult > it was to secure their browser, and how insecure some > servers are (256-bit DH parameters!). Yes that's interesting but irrelevant. Those are pretty clearly mistakes on the server side, as are RSA e values of 1. Neither is likely to be fixed by specifying security levels in the way you suggest. > Another issue I've been meaning to bring up is that > if you want forward secrecy, you need to use Diffie- > Hellman; however, there is no way to tell the server > the size of the parameter p you want. Increasing the > size of p has significant performance implications, > so servers will typically use 1024 bits. On my Windows > machine, it takes 0.02 seconds to generate a public key > and another 0.02 seconds to compute the secret using > 1024-bit parameters. Moving to 2048-bit parameters, > the computation time increases to 0.15 seconds each. > 4096-bit computations take 1.1 seconds. No server > operator will decrease throughput by a factor of 50 > for everyone, just to accommodate the few who want > this level of security. It would be better if those > who want to use 4096 bits could ask for it. Again, please present some evidence that this is a real practical issue outside of a very small population of keylength fetishists. -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Yngve Nysaeter Pettersen
- Re: [TLS] security levels for TLS Paul Hoffman
- RE: [TLS] security levels for TLS Kemp, David P.
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Steven M. Bellovin
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Paul Hoffman
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Paul Hoffman