IETF Logo Mail Archive

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 18 August 2021 13:24 UTC

Return-Path: <prvs=48643fdc11=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FF133A1923 for <tls@ietfa.amsl.com>; Wed, 18 Aug 2021 06:24:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Av3YUX1UJEkv for <tls@ietfa.amsl.com>; Wed, 18 Aug 2021 06:24:05 -0700 (PDT)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A06A3A1922 for <tls@ietf.org>; Wed, 18 Aug 2021 06:24:04 -0700 (PDT)
Received: from LLE2K16-HYBRD02.mitll.ad.local (lle2k16-hybrd02.llan.ll.mit.edu [172.25.5.146]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 17IDO0cG225397 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 18 Aug 2021 09:24:00 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=XlRvsuRShlE9V4c1cOvyq4wCIIy5OfQUM+PyhmqvUyWD1ENywyJpr7/ShXL++EdJ2FuLEWO5PALMBrIjUsA7ZuyL/WEw/HZNE16t4XU7AMy/RV9I0R9tLG5QvMCUw76NxMU97QJiEhRQ+Cf7ZyEY8viLot/I374F50xpRmdO+v7EUb3+ViVzOR2PjdF3+6YVVZQksI7F/IV1wRUwdyngd//h26kERUu9/Bx5aieYPot2gxsjQpfHfB35d6s8le+RQ5U4vRvv30bJJL2Ch1gXGUBYGn4OKIz82l0v8KpTQtEWLGzdm7NiI8zFL2pWvXtuRIizdvccS0i6GQdDnhsNmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=usJthOc1URzZXkShnl7FW8X9wa2uhNy4S94K7EZs8qU=; b=ma26EWntSmtf8OCwiWO13P+Q2ajh1TcO6oD9IHjshoR516hApealMPX+Bufd5C1TMax9s1wRjoP9mqMqv01/aFWyIhPqTYsF+SU+tE8bfvjfzx2vfpuIjVRmWdjeacdB/Mt2kXjfdH7HpXAdDEGy3DeBSyGZh/WpZgNiSAfbT53uX0F4PTFRFuGzH0VesntwftTRWA0D4KvyWd9ZZdC5V7xNKO5ZH/eYvaq3bdlDDHr6Ntf0r1QYnKjjPFV3eT2KQds64MVjudiagFOJM2Rc4psAMNcLgI1kN5EUT6onSsoy6i+uzE1FBxyS29tuvO9x/3yd7SVf1LpY5H7tTTP8Nw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Benjamin Kaduk <bkaduk@akamai.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS
Thread-Index: AQHXhMPxpzrCMsaNt0Kem/sQDBKbl6txjJmA///1ygCABYc1gIAAxF8AgAAoHQCAADmlgIAAAgWAgAAOCgCAANw4gA==
Date: Wed, 18 Aug 2021 13:23:58 +0000
Message-ID: <AD7E9DB1-76D2-44B6-84F5-6721E4F439C0@ll.mit.edu>
References: <3AAA4B88-0D58-4A88-B0B5-F5C8EA37B44D@akamai.com> <79E3AACE-9228-4069-8D7C-D6AA194D375F@ll.mit.edu> <20210817201544.GR19992@akamai.com>
In-Reply-To: <20210817201544.GR19992@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.50.21061301
authentication-results: akamai.com; dkim=none (message not signed) header.d=none;akamai.com; dmarc=none action=none header.from=ll.mit.edu;
x-originating-ip: [129.55.200.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2a44628b-65a4-42c2-e0e8-08d9624b6feb
x-ms-traffictypediagnostic: BN1P110MB0939:
x-microsoft-antispam-prvs: <BN1P110MB09394C46B3F861135F04160F90FF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: QCdXHp4nL59iQwAY7kpeJFYSbkLqa9bV0l7lARyjElL5wS7iqsfqHd2hRECdaitos/INFxBivmrLePRmAHyc4O/2rUeOFx9B7MAiO1dN3pVeL6mAjDGdKoND22XPaoa3ETzwrv/InIGazaG92TF4vICzQuQG8MoklB4VFaf46XoIMbwQwCFD/dIQuuh4pjNc4j5GPGQ1iFGhZ7LSDu2wIgyAITa8eqgU5dJMTeSMrXejm+h8b8IwNov7dSw7caUVpDQ25Gw8owPX8qYGU9Mn2JSRgx+1tPxfWyegqkdR3ggAzdspB6VvNB4pUdw/dLMJs4QYW2vTrdbPc3dntCVmT0yGwRqFiiR4XOS6ahlDejBULrauGeGTUor96GUv9u1KEdZpLYhjjmx36NWvI9VGmF+2r6qlITI0NzR5SR4ljVxHltkZMfXOASZ8Nq6vCD89m2bM9NKpHbO20EnJWxFDLChtKLo7atl6/s98BneZlKKfcI/8sbPVDBw/Me2ygk+EcpNEQB5MVTEPcXSI5PV+1gBFjIHZYMOVbJDCxGPD1xxlSwgBkUxmqX01PW0lG+/Eskx5g0NNO1dPEcpRQWdJpXi2mxlo4K7kku95R/1iUhBjGI4VWO8gcRTXRu72aSBcXMn2I6BFhXcwD52dPfRmG6IDtHZFdXKHRojbLt36+PQ=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0706.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(6512007)(6916009)(38070700005)(8936002)(122000001)(75432002)(26005)(83380400001)(2906002)(498600001)(6486002)(5660300002)(4326008)(76116006)(71200400001)(66556008)(64756008)(38100700002)(86362001)(2616005)(66946007)(66616009)(66476007)(8676002)(186003)(53546011)(6506007)(99936003)(33656002)(66446008)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: hdCttd5qwcXXwfvEM9vdC0ECn6Itg4jbm/hkb90GZide+eLqoqJhiJtWbNNqssTtDh4cSTIDB0CsjWlrVlttyiA4Uz/URNiMzCJniW+SYdnWlUnivJmu8GQG5cnPJkCQmtMjFgdXVz47xlh79JzWvKKR0JO2+qaq6V175iO9+bK7Ak4Y26rJvBexH/DImuFuG1jwnQIaEPBPrZnqsgHGcTfOvdnez2gahtRv2HOR1nGoQa221E6sfqL9DRtWkDHWJHqMRzNX9hAgan4rh+ibXI3bqI1/apKJhI5lsuK2KSs9394inELIhR/nOctC+gHyBJyyL+zhrqk1Jv9ucXhwfpSTzKLN/ukLURnCJb2PFo8do/QjbbEJdH4jWn8heGgqCL7THjWogGVRRgXYeEXSBCYZp3PasEfWGeOBjTGOPuc+etf9kqsCwPgdVw6alovjaBKdJi89KiLevCTTnQQuqoXFCjE90563A7f3ZVAF2NV+N6hAN6R0oxzrVu7mLtBa6ImdgLI+3JnJnSlhmlkXCsPZeXMaRdVfmNuV6jzmR6KOyBI4AIVymsCl8smndY7nkA4uYXEVVx6zwm2IuGaWCJxRTUUPeP6vo2CTTrZ496Tg5b4gbWuJuZy2vWHOS4uJUdkjdq1gaBqvZYa2xxscOCNGnwGuqQF6Sq1RrMEI0apnCUfIcV8Zt9p4QqRfWWE/yBxqzbWLd3109GGs6KOJJA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3712123435_1288197895"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0706.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 2a44628b-65a4-42c2-e0e8-08d9624b6feb
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Aug 2021 13:23:58.7465 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB0939
X-Proofpoint-ORIG-GUID: soU0Uik8ROkwcQXxwAb1uNiZj61ht6_d
X-Proofpoint-GUID: soU0Uik8ROkwcQXxwAb1uNiZj61ht6_d
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-08-18_04:2021-08-17, 2021-08-18 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 phishscore=0 adultscore=0 suspectscore=0 mlxscore=0 mlxlogscore=999 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108180083
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PqUf74DNN5MGkd_qHhT0usmTcPQ>
Subject: Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2021 13:24:10 -0000

On 8/17/21, 16:16, "Benjamin Kaduk" <bkaduk@akamai.com> wrote:
>    On Tue, Aug 17, 2021 at 07:25:33PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
>    > I see absolutely nothing wrong with using FFDH(E) and ECDH, 
>    > as long as at least one of the keys is ephemeral.
>    > There is no need to “warn away”, IMHO. 

>    That's an interesting position to take.  Let me see if I understand it correctly.
>    (I will just write "DH" even though I mean (EC)DH.)

And a very nice analysis, thank you!

>    Static-static DH results in re-generating the same derived key on multiple protocol
>    instantiations, which is in some sense reusing a single key for multiple things and
>    thus disrecommended. .  .  .  . So there's plenty of risk here and reasons to stay away.

Correct. Agreed.

>    Ephemeral-static DH makes a new derived key for each protocol instantiation and
>    simplifies the analysis  .  .  .  but anyone armed with a protocol transcript
>    who discovers the secret part of the static DH value can recover the derived
>    key and deprotect the application data.  Forward secrecy is not obtained until
>    the "static" private value is discarded, leaving risk of loss
>    of confidentiality due to endpoint compromise.

Correct. Relative risks and concerns of client vs. server security are out of scope for
this discussion.

>    Ephemeral-ephemeral DH also makes a new derived key for each protocol instantiation,
>    but also allows the private DH values to be discarded "immediately",  .  .  .  .  .

I'd say, "*requires* the private DH values to be discarded 'immediately'".

>    This provides the strongest kind of forward secrecy (provided that endpoints
>    actually discard the private ephemeral values), and is again a step up from
>    the ephemeral-static case.

It certainly is, and IMHO it's the preferred way, unless realities (of the environment, etc.) disallow it.

>    In light of the above, it seems that your concerns are more focused on "key reuse" than
>    forward secrecy.  Is that correct?

Ha! Both are important, but absolutely - "key reuse" is a much bigger (and immediate!) concern.
In my environment there are other ways to mitigate (not alleviate completely!) the threat to
forward secrecy.

>    I have heard a lot of people saying that forward secrecy is important to them, so it's
>    not clear that your stance is the consensus position.

I cannot claim consensus. Forward secrecy is probably as important to me as it is to the next guy - it's about the price I'd have to pay for it, the relative (not necessarily monetary) cost, and the willingness to consider other mitigation methods.

Thanks!

v2.43.4 | Report a Bug | By Email | System Status