Re: [TLS] I-D Action: draft-ietf-tls-ecdhe-psk-aead-00.txt

John Mattsson <> Sun, 09 October 2016 06:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 057C61294B2 for <>; Sat, 8 Oct 2016 23:59:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hBEvW7QMeeht for <>; Sat, 8 Oct 2016 23:59:25 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E94811294AD for <>; Sat, 8 Oct 2016 23:59:24 -0700 (PDT)
X-AuditID: c1b4fb30-b87ff70000000cb2-6c-57f9eaca608a
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id 1C.87.03250.ACAE9F75; Sun, 9 Oct 2016 08:59:23 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.03.0319.002; Sun, 9 Oct 2016 08:59:21 +0200
From: John Mattsson <>
To: Dan Harkins <>, Sean Turner <>, Nikos Mavrogiannopoulos <>
Thread-Topic: [TLS] I-D Action: draft-ietf-tls-ecdhe-psk-aead-00.txt
Thread-Index: AQHR2pj1k3z3BfHf+k6el32lv2/tSKATLaCAgABguQCAjLIjAA==
Date: Sun, 09 Oct 2016 06:59:20 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrAIsWRmVeSWpSXmKPExsUyM2K7q+7pVz/DDe5OErdY+u8Li8WPo1tZ LK6samS2+HS+i9GBxWPJkp9MHs92v2TxeL/vKpvHwYOMASxRXDYpqTmZZalF+nYJXBlTXj1n KbiiWHFo+W72BsYnCl2MnBwSAiYStzbfYQWxhQTWM0q83+bfxcgFZC9ilLh67RAbSIJNwEBi 7p4GMFtEoEji+sYdLCA2s4CixPtL88BsYQFniRmnbrN3MbID1bhI3BWGqHaSmPP1Cth4FgEV id3bJ4NN4RUwl7jw4hUTxKr3jBKNNxczgyQ4Bbwllh3cyQhiMwqISXw/tYYJYpW4xK0n85kg bhaQWLLnPDOELSrx8vE/sAWiAnoSzz4/Z4eIK0msPbwd6DQOoF5NifW79CHGWEtsf3iPDeb6 Kd0P2SHuEZQ4OfMJywRG8VlIts1C6J6FpHsWku5ZSLoXMLKuYhQtTi1Oyk03MtJLLcpMLi7O z9PLSy3ZxAiMx4NbfhvsYHz53PEQowAHoxIPb0LOz3Ah1sSy4srcQ4wSHMxKIrwTnwGFeFMS K6tSi/Lji0pzUosPMUpzsCiJ85qtvB8uJJCeWJKanZpakFoEk2Xi4JRqYIxMVfC98fZCelF9 aGtGkFqBZUHCT8tOLoZdNzJzd2x8Xu/4+f0E4WWadybdff/xNcfu6xJXq/+kXfPlfTbzPduP 6GeWBZM62+olDpZ9eb9VfWpNwpKm0onGqn6LX3s3rLqSHz3z3o0TiTf2sC739Z3y2aVTMyr2 rL7rzffrnjb8uqUcEnvj5W0lluKMREMt5qLiRAC9Sc7uwwIAAA==
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ecdhe-psk-aead-00.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 09 Oct 2016 06:59:27 -0000

Hi Dan, Sean, Nikos,

First, let me state that I think requiring 128-bit key management for
AES-128 is quite reasonable.

HTTP/2 [RFC7540] also has some related text in Section 9.2.1 that applies
when TLS is used for HTTP/2. "Endpoints MAY treat negotiation of key sizes
smaller than the lower limits as a connection error (Section 5.4.1
<>) of type

I think this is a question for TLS in general,
draft-ietf-tls-ecdhe-psk-aead should just follow what the TLS WG decides
as the general way forward. Wether that is MAY/SHOULD/SHALL treat groups
with insufficient security as an error.

I think the real problem here are TLS libraries supporting 1024 MODP and
160 ECC at all, support for these should have been removed before 2010.
Nikos [0] recommends a RCF forbidding weak elliptic curves from TLS 1.2
(i.e. WeakDH DieDieDie!!!). I think this is a great idea and much better
than bundling it into a code-point assignment RFC. (My current plans for
the next update of 3GPP’s TLS and DTLS profiles is simply to forbid
support of anything weaker than 2048 MODP and 255-bit ECC).



On 11/07/16 22:26, "TLS on behalf of Dan Harkins" < on
behalf of> wrote:

>  I'm glad I have to opportunity to make you happy Sean :-)
>On Mon, July 11, 2016 7:40 am, Sean Turner wrote:
>> I think I can take this bit:
>> On Jul 10, 2016, at 06:51, Peter Dettman
>> wrote:
>>> I'm also curious whether there is a precedent in other RFCs for an
>>> explicit minimum curve bits, or perhaps a de facto implementer's rule?
>> I'd be happy to be wrong here. but to my knowledge no there's not been
>> an explicit minimum for curve bits.  There have however been similar (at
>> least in my non-cryptographer mind) for RSA key sizes so if we wanted to
>> define an explicit minimum curve bits then we could.
>  draft-ietf-tls-pwd-07 includes a RECOMMENDED practice of ensuring
>the curves used provide commensurate strength with the ciphersuite
>negotiated. Section 10, "Implementation Considerations", says:
>   It is RECOMMENDED that implementations take note of the strength
>   estimates of particular groups and to select a ciphersuite providing
>   commensurate security with its hash and encryption algorithms.  A
>   ciphersuite whose encryption algorithm has a keylength less than the
>   strength estimate, or whose hash algorithm has a blocksize that is
>   less than twice the strength estimate SHOULD NOT be used.
>  And I would like to take this opportunity to remind everyone that
>the only difference between TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
>and TLS_ECCPWD_WITH_AES_128_GCM_SHA256 is that the latter is resistant
>to dictionary attack and the former is not.
>  regards,
>  Dan.
>TLS mailing list