Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Yoav Nir <ynir@checkpoint.com> Tue, 17 September 2013 12:41 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Tue, 17 Sep 2013 12:41:23 +0000
Cc: "tls@ietf.org" <tls@ietf.org>

Hi Yaron

OK, so on the one hand we have DHE with 2048 bits, which (a) doubles the cost of a handshake with a 2048-bit RSA key, and (b) doesn't work in Apache and Windows.
On the other hand we have ECDH with P-256, which (a) far less than doubles the cost of the handshake, and (b) is implemented everywhere but disabled in a few places (clients running on RedHat).

To get DHE-2048, we'd need to patch Apache, change Windows, get everyone to use the new Windows, probably some more I forgot.

To get ECDH we need to change a compilation option of RedHat (and probably some other distributions). 

I think the choice is pretty much a no-brainer.

And if you're worried about NIST curves, there are people pushing brainpool and other curves on the TLS list. 

Yoav

On Sep 17, 2013, at 12:25 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> Hi Martin,
> 
> you are right about Windows of course.
> 
> More generally, the draft is not trying to make recommendations that are actually implemented today by all browsers. We all know that implementation of TLS 1.2 is patchy to say the least. But we also know that the industry is in fact moving there. My personal goal is to make recommendations that will be useful (using real production software) mid-2014 or so, for people who are willing to update to the latest product releases.
> 
> Thanks,
> 	Yaron
> 
> On 09/17/2013 12:17 AM, Martin Rex wrote:
>> Yaron Sheffer wrote:
>>> 
>>> Problem #1 goes away if we say that the server only sends 2048-bit DH
>>> parameters to "new" clients (those that offer TLS 1.2), and assume these
>>> can all deal with DH of any length. Our draft recommends a TLS 1.2-only
>>> cipher suite anyway. And since new clients are still rare, this could work.
>>> 
>>> This partial solution is complicated by IE10, which (AFAIK) supports TLS
>>> 1.2, but has this support off by default, and does not support larger
>>> than 1024-bit DH.
>> 
>> IE10 is an awkward way to refer to an implementation.
>> What matters is what Microsoft's SChannel from the underlying OS supports.
>> And Microsoft seems to not support DHE with RSA
>> (only DHE_DSA, ECDHE_RSA and ECDHE_ECDSA).
>> 
>> 
>> Windows 7 & 2008R2
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx
>> 
>> Windows Vista & 2008:
>> http://msdn.microsoft.com/en-us/library/windows/desktop/ff468651%28v=vs.85%29.aspx
>> 
>> Windows XP & 2003
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx
>> 
>> 
>> 
>> -Martin
>> 
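Added example, not part of the original message or thread: a small model of server-preference suite selection showing how the interoperability points raised above decide whether a connection gets a forward-secret key exchange. The two client offer lists and the two server preference lists are constructed for illustration (they are not real product defaults), and the plain-RSA fallback suite in each list is an assumption.

```python
import re

# The key exchange is the token between "TLS_" and "_WITH_" in an IANA suite name.
_KX = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_")
FORWARD_SECRET = {"DHE_RSA", "DHE_DSS", "ECDHE_RSA", "ECDHE_ECDSA"}

def key_exchange(suite):
    m = _KX.match(suite)
    if not m:
        raise ValueError(f"not a TLS suite name: {suite!r}")
    return m.group("kx")

def negotiate(server_pref, client_offer, server_cert="RSA"):
    """Return (suite, forward_secret) for the first suite in the server's
    preference order that the client offers and the certificate type can
    authenticate, or (None, False) if there is no overlap."""
    offered = set(client_offer)
    for suite in server_pref:
        kx = key_exchange(suite)
        auth = kx.split("_")[-1]          # RSA, DSS or ECDSA
        if suite in offered and auth == server_cert:
            return suite, kx in FORWARD_SECRET
    return None, False

# Constructed client: no DHE_RSA, as described for SChannel in the thread.
NO_DHE_RSA_CLIENT = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",       # assumed non-PFS fallback
]
# Constructed client: EC support compiled out, as described for some distributions.
NO_EC_CLIENT = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",       # assumed non-PFS fallback
]
# Constructed server policies, both using an RSA certificate.
DHE_ONLY_PFS = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA"]
ECDHE_FIRST = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
               "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
               "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for sname, server in (("DHE-only PFS", DHE_ONLY_PFS), ("ECDHE first", ECDHE_FIRST)):
        for cname, client in (("no DHE_RSA", NO_DHE_RSA_CLIENT), ("no EC", NO_EC_CLIENT)):
            suite, pfs = negotiate(server, client)
            print(f"{sname:13} / {cname:10} -> {suite} (forward secret: {pfs})")
```

With the DHE-only policy the client lacking DHE_RSA silently falls back to plain RSA key transport, while the ECDHE-first policy with DHE as a second choice gives both constructed clients a forward-secret suite.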