Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

[Nikos Mavrogiannopoulos <nmav@redhat.com>]

----- Original Message -----
> On 2014-10-25 21:51, Nikos Mavrogiannopoulos wrote:
> >> It seems to me the the recommended Client Behavior and Server Behavior
> >> has to be simplified and strengthened, in order for the standard to meet
> >> the security objectives.
> >
> > Could you elaborate on which security objectives are you referring to?
> 
> Second paragraph of section 6.3 Arbitrary groups:
> 
> >    Note that in several known attacks against TLS and SSL
> >    [SECURE-RESUMPTION] [CROSS-PROTOCOL] [SSL3-ANALYSIS], a malicious
> >    server uses a deliberately broken FFDHE group to impersonate the
> >    client to a different server."
> 
> 
> > What is the advantage of that proposal? It is more complex, and a security
> > protocol should strive for simplicity.
> 
> In my view, the current draft leads to a lot more complex
> implementations, compared to my proposal.

Ok, I now understand your point. You suggest using the extension but then keeping
the exact same server key exchange message. That was the initial approach of the
draft if I remember well. 

To be honest I don't see that to be a lot more complex, and the complexity
on the same level as supporting ECDH with named groups and arbitrary groups,
which was deemed reasonable for ECDH. Consistency (with ECDH) is also another
reason to keep the code paths separated.

Note also, that the current approach will simplify a lot an implementation that
doesn't want to keep the old DHE key exchange with arbitrary groups (and unlike
the other key exchanges in TLS, DHE was the most problematic compatibility-wise so
I guess many small implementations would be more than happy to drop it).

regards,
Nikos