IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 24 October 2014 14:55 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 621691A19FB for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 07:55:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V725zfIb2cn1 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 07:55:14 -0700 (PDT)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D0931A19F5 for <tls@ietf.org>; Fri, 24 Oct 2014 07:55:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1414162514; x=1445698514; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=x3uVshf8hqhFGnS7R/7XnDECsn9lP35/DXARIdTpKk4=; b=AING0CzuhelpDwvCsxWgLcRmabXHC0mWLRUzXpnc3nLbGNQ+BKEBNYRa QcHq5Zadex64iC2kmWEICe9LFnv2Qefvi/inKT51F7SFn6qWAF+F5WtUz T04dhch7KV7DJtXxbALidFlKl+tubZobhSgtEGmYY85r+jbEc2rgvEEDS o=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="285575133"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.106 - Outgoing - Outgoing
Received: from uxchange10-fe2.uoa.auckland.ac.nz ([130.216.4.106]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 25 Oct 2014 03:55:12 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.15]) by uxchange10-fe2.UoA.auckland.ac.nz ([169.254.27.86]) with mapi id 14.03.0174.001; Sat, 25 Oct 2014 03:55:11 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
Thread-Index: Ac/vmoJJUv7rjslASuKMt2weVdQL5w==
Date: Fri, 24 Oct 2014 14:55:10 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C739B9D77B4@uxcn10-5.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/RYhFSzkg_5s7aS4G8r3Y9UPT7u4
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 14:55:21 -0000

Alyssa Rowan <akr@akr.io> writes:

>>Shorter groups are still required for embedded devices.
>
>With respect, no, they aren't. 256-bit ECDHE is --> that way. Don't use 1024-
>bit DHE; use 256-bit ECDHE. More security, more speed, less size;

... and the need to implement an entirely new type of crypto on a constrained
device with a ten-year product cycle for which the crypto development budget,
now that it's already been deployed for several years, is $2.50.  Revving the
firmware on new products to support a new TLS extension for EDH indication
will probably happen at some point.  Re-doing the crypto to implement and
support ECC may happen in five to ten years, if there's enough code space in
the flash.

>No, it's blessing them even to list them. People will probably implement what
>we specify.

So put in a note saying that use isn't recommended.  This isn't a bunch of
Windows PCs with automatic update turned on, its unknown millions of embedded
devices whose firmware is updated when the device falls apart and gets
replaced, and for which you may get away with a small tweak from time to time
but can't do any significant re-engineering once it's type-approved ("it
works, don't touch it any more").

>Technology marches on, I'm afraid; key sizes need to march on too. 768 and
>1024 are crackable today by any reasonably well-funded adversary with access
>to a chip fab, as you well know; 

... who probably won't be using that capability to attack a power meter, or a
flow monitor.  This isn't protecting nuclear weapons launch facilities, it's
for remote monitoring of fluid flows, or power metering, or a million other
SCADA applications that merely need better-than-nothing security.  Being able
to say "only use this DH group" is an improvement on current practice in which
anything is accepted.

>Keep the groups to >= 2048-bit, please.

So you're producing an RFC which will automatically be ignored, in fact which
will *have* to be ignored, by a significant market segment, and they'll stay
with their existing unverified DH.  The RFC will then have completely failed
to achieve what it's intended to achieve.

Peter.

v2.23.0 | Report a Bug | By Email