Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 17 September 2013 13:05 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5708311E824D for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 06:05:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2SbFAD9agZGm for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 06:05:53 -0700 (PDT)
Received: from mail-bk0-x234.google.com (mail-bk0-x234.google.com [IPv6:2a00:1450:4008:c01::234]) by ietfa.amsl.com (Postfix) with ESMTP id ED93611E823F for <tls@ietf.org>; Tue, 17 Sep 2013 06:05:46 -0700 (PDT)
Received: by mail-bk0-f52.google.com with SMTP id e11so2177902bkh.11 for <tls@ietf.org>; Tue, 17 Sep 2013 06:05:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=ghCcKfQnm3K1IAvScbYf4G0YPzatl2E/LsQxYx0yAE4=; b=BNJuGHeavvUWapGUKQSZFC4vdryHFwUugX5x5a+/in+zs5oMUn4yw/kf0VGtxG44F6 CKT1xv20yRA4jp6gLvrs01P1jRGxLDpfmGyDC4Qh23RHmqWQWVXA+XxOxlDbcHl1cFRz fjxei9CzM3DBU58ZzAzDVrD43gn+GBmj+/5hGjzhyEiAcnuCZUbTyzonLMRvWL8mmdmm ccai/hKQq8J1/y3IyMy/bPblc0PdY7yKkvDBRihtRAPFT7hHwXnKNc44icLy4YRrOrKd /Pw463fkPkuJVp3c91YoPhPyeDWHc0c6NgrgU5zV/tknJ7Jvyjq3CrH6eJ8Y04oztjws kpcQ==
X-Received: by 10.204.68.142 with SMTP id v14mr28689294bki.18.1379423145677; Tue, 17 Sep 2013 06:05:45 -0700 (PDT)
Received: from [10.0.0.141] (93-173-253-212.bb.netvision.net.il. [93.173.253.212]) by mx.google.com with ESMTPSA id jt14sm10113691bkb.0.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 17 Sep 2013 06:05:45 -0700 (PDT)
Message-ID: <523853A7.3070002@gmail.com>
Date: Tue, 17 Sep 2013 16:05:43 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <20130916211725.6E5E21A971@ld9781.wdf.sap.corp> <5238200E.70500@gmail.com> <07AC3415-536F-4260-B726-476DFFE57F8F@checkpoint.com>
In-Reply-To: <07AC3415-536F-4260-B726-476DFFE57F8F@checkpoint.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-sheffer-tls-bcp: DH recommendations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2013 13:05:58 -0000

So yes, I agree. Here's from our work-in-progress -01 version:

As currently specified and implemented, elliptic curve groups are 
preferable over modular DH groups: they are easier and safer to use 
within TLS.

[...]

[RFC4492] allows clients and servers to negotiate ECDH parameters 
(curves). We recommend that clients and servers prefer verifiably random 
curves (specifically Brainpool P-256, brainpoolp256r1 
[I-D.merkle-tls-brainpool]), and fall back to the commonly used NIST 
P-256 (secp256r1) [RFC4492].

Thanks,
	Yaron

On 09/17/2013 03:41 PM, Yoav Nir wrote:
> Hi Yaron
>
> OK, so on the one hand we have DHE with 2048 bits which, (a) doubles the cost of a handshake with an 2048-bit RSA key, and (b) doesn't work in Apache and Windows.
> On the other hand with have ECDH with P-256, which (a) far less than doubles the cost of the handshake, and (b) is implemented everywhere but disabled in a few places (clients running on RedHat)
>
> To get DHE-2048, we'd need to patch Apache, change Windows, get everyone to use the new Windows, probably some more I forgot.
>
> To get ECDH we need to change a compilation option of RedHat (and probably some other distributions).
>
> I think the choice is pretty much a no-brainer.
>
> And if you're worried about NIST curves, there are people pushing brainpool and other curves on the TLS list.
>
> Yoav
>
> On Sep 17, 2013, at 12:25 PM, Yaron Sheffer <yaronf.ietf@gmail.com>;
>   wrote:
>
>> Hi Martin,
>>
>> you are right about Windows of course.
>>
>> More generally, the draft is not trying to make recommendations that are actually implemented today by all browsers. We all know that implementation of TLS 1.2 is patchy to say the least. But we also know that the industry is in fact moving there. My personal goal is to make recommendations that will be useful (using real production software) mid-2014 or so, for people who are willing to update to the latest product releases.
>>
>> Thanks,
>> 	Yaron
>>
>> On 09/17/2013 12:17 AM, Martin Rex wrote:
>>> Yaron Sheffer wrote:
>>>>
>>>> Problem #1 goes away if we say that the server only sends 2048-bit DH
>>>> parameters to "new" clients (those that offer TLS 1.2), and assume these
>>>> can all deal with DH of any length. Our draft recommends a TLS 1.2-only
>>>> cipher suite anyway. And since new clients are still rare, this could work.
>>>>
>>>> This partial solution is complicated by IE10, which (AFAIK) supports TLS
>>>> 1.2, but has this support off by default, and does not support larger
>>>> than 1024-bit DH.
>>>
>>> IE10 is an awkward way to refer to an implementation.
>>> What matters is what Microsoft's SChannel from the underlying OS supports.
>>> And Microsoft seems to not support DHE with RSA
>>> (only DHE_DSA, ECDHE_RSA and ECDHE_ECDSA).
>>>
>>>
>>> Windows 7 & 2008R2
>>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx
>>>
>>> Windows Vista & 2008:
>>> http://msdn.microsoft.com/en-us/library/windows/desktop/ff468651%28v=vs.85%29.aspx
>>>
>>> Windows XP & 2003
>>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx
>>>
>>>
>>>
>>> -Martin
>>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>