Re: [TLS] DH security issue in TLS

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 06 December 2019 02:33 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D1D912004C for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 18:33:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vo5ONhM8rIwN for <tls@ietfa.amsl.com>; Thu, 5 Dec 2019 18:33:12 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DAB9120018 for <tls@ietf.org>; Thu, 5 Dec 2019 18:33:12 -0800 (PST)
Received: from [10.200.2.180] (sdzac10-108-1-nat.nje.twosigma.com [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 485BD30DA8E for <tls@ietf.org>; Thu, 5 Dec 2019 21:33:11 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <PU1PR01MB19478C2D4355867979F8C82CA85C0@PU1PR01MB1947.apcprd01.prod.exchangelabs.com>
Date: Thu, 5 Dec 2019 21:33:07 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Message-Id: <186747D1-C8A6-43D0-8084-71DD50B91EAE@dukhovni.org>
References: <PU1PR01MB19478C2D4355867979F8C82CA85C0@PU1PR01MB1947.apcprd01.prod.exchangelabs.com>
To: IETF TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PHCegfQ2pd7BIUT-A2jmqoSjmu0>
Subject: Re: [TLS] DH security issue in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2019 02:33:14 -0000

> On Dec 5, 2019, at 8:37 PM, Nasrul Zikri <nasrulzikri@outlook.com> wrote:
> 
> What must the server do if the client is old and does not support the safe groups in RFC 7919?

Presumably the old client is doing TLS 1.2 (or 1.0), since with TLS 1.3,
the client MUST specify which groups it supports, and no others can be
used.  The server can use any FFDHE group of its choice (provided suitable
DHE ciphers are supported by the client), including one of 7919 groups,
or use ECDHE if that's supported...

> The advice from Mozilla is generate a 1024-bit Diffie-Hellman group.


> Is there good code to generate safe group efficiently?

FFDHE parameter generation is too slow to do on the fly.  Such groups
are pre-generated, and so the efficiency is not a significant concern.

> Will OpenSSL generate safe group?

Yes, if you ask nicely, but that's more of a question for the openssl-users
list than for the TLS WG.

It seems this thread is no longer on topic for this list, perhaps time to
consider moving any residual questions to more appropriate lists.

-- 
	Viktor.