IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 27 October 2014 11:07 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D62BF1A8A61 for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 04:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t8dn9SqYC1VG for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 04:07:05 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFF421A89FF for <tls@ietf.org>; Mon, 27 Oct 2014 04:07:05 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9RB74KE023828 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 27 Oct 2014 07:07:04 -0400
Received: from [10.34.2.127] (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9RB71aj017754 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 27 Oct 2014 07:07:03 -0400
Message-ID: <1414408020.2543.13.camel@dhcp-2-127.brq.redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: henrick@streamsec.se
Date: Mon, 27 Oct 2014 12:07:00 +0100
In-Reply-To: <544E254A.3020501@streamsec.se>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <544C1BC3.5060204@streamsec.se> <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com> <544E0682.30804@streamsec.se> <1414405551.2543.8.camel@dhcp-2-127.brq.redhat.com> <544E254A.3020501@streamsec.se>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/PIY3ClxrPQbL6cnF9hzgF6sXd0Y
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 11:07:09 -0000

On Mon, 2014-10-27 at 11:58 +0100, Henrick Hellström wrote:
> On 2014-10-27 11:25, Nikos Mavrogiannopoulos wrote:
> > On Mon, 2014-10-27 at 09:46 +0100, Henrick Hellström wrote:
> >> Suppose a client offers both ECDHE and FFDHE cipher suites, and does
> >> send the NamedCurve extension, but with no identifiers the server
> >> recognizes as FFDHE groups, but with a few identifiers the server
> >> doesn't recognize at all.
> >> How is the server supposed to tell if:
> >>     1. The client doesn't support named FFDHE groups at all and expects
> >> the arbitrary encoding of FFDHE server key exchange messages, or
> >
> > All the server needs to know is the common FFDHE groups they support.
> > And that it apparent in that case. None.
> >
> > If they have no common groups the server SHOULD NOT negotiate DHE
> > according to the current draft, so no dilemma here.
> 
> That is NOT what the draft says. The draft does NOT prohibit the server 
> to negotiate an FFDHE cipher suite, when negotiating with a 
> non-compatible client.

We may be referring to different versions of the draft. The current
draft says:
"If the extension is present, none of the client's offered groups are
   acceptable by the server, and none of the client's proposed non-FFDHE
   ciphersuites are acceptable to the server, the server SHOULD end the
   connection with a fatal TLS alert of type insufficient_security."

This does explicitly prohibit the server to negotiate an FFDHE cipher
suite if the extension is present.

> > A client though will have to decide on whether a legacy server is seen,
> > or a compliant to ffdhe draft, based on the format of ServerKeyExchange.
> > That's why I suggested to make them sufficiently distinct.
> FWIW, the real problem here is RFC 4492. There was no ambiguity in TLS 
> 1.0, because the ServerKeyExchange could only contain two kinds of 
> messages, one with two large integers (a ServerRSAParams) or one with 
> three large integers (a ServerDHParams). RFC 4492 introduced the 
> ambiguity. Can anyone think of a way to fix it, without forcing Named 
> FFDHE compatible servers to negotiate RSA cipher suites instead of DHE 
> cipher suites with legacy clients? Is that even a good idea? (That was a 
> rhetorical question.)

A way to fix that for the ffdhe draft would be to introduce a two-byte
type that is on purpose large (eg. values like 0xff 0xfa).

regards,
Nikos

v2.23.0 | Report a Bug | By Email