IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Nikos Mavrogiannopoulos <nmav@redhat.com> Sat, 25 October 2014 19:51 UTC

Return-Path: <nmavrogi@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA6CA1A6F0D for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 12:51:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.989
X-Spam-Level:
X-Spam-Status: No, score=-5.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RAZOR2_CHECK=0.922, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vpDZxD5G9SEF for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 12:51:55 -0700 (PDT)
Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87D5A1A1AB8 for <tls@ietf.org>; Sat, 25 Oct 2014 12:51:55 -0700 (PDT)
Received: from zmail22.collab.prod.int.phx2.redhat.com (zmail22.collab.prod.int.phx2.redhat.com [10.5.83.26]) by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s9PJprT8002025; Sat, 25 Oct 2014 15:51:54 -0400
Date: Sat, 25 Oct 2014 15:51:53 -0400
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: henrick@streamsec.se
Message-ID: <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com>
In-Reply-To: <544BD3BF.9030702@streamsec.se>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.5.82.6]
X-Mailer: Zimbra 8.0.6_GA_5922 (ZimbraWebClient - FF29 (Linux)/8.0.6_GA_5922)
Thread-Topic: I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
Thread-Index: QXktS8+7r5wYADvNb06ORXu3YFFUgw==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/UdP1AHuhLhUfhY_dOl1JCNixTfg
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Oct 2014 19:51:59 -0000

> It seems to me the the recommended Client Behavior and Server Behavior
> has to be simplified and strengthened, in order for the standard to meet
> the security objectives.

Could you elaborate on which security objectives are you referring to?

> All relevant attacks here https://secure-resumption.com/ seem to involve
> a MITM server that chooses bad ServerDHParams for the server key
> exchange message.
>    * Clearly, a MITM server might simply act as if it doesn't support
> the "elliptic_curves" extension. The server does not include a reply to
> the "elliptic_curves" extension in server_hello, so the client will not
> receive any indication of lack of support, until it receives
> server_key_exchange. At this point, the client might decide to terminate
> the handshake if the ServerDHParams aren't acceptable. Checking an
> arbitrary group by means of a binary compare, is only marginally harder
> than checking a named group.
[...]
> A client that requires the use of FFDHE groups MUST perform a binary
> compare of the ServerDHParams against the FFDHE group with the
> corresponding modulus size, and MUST end the handshake with an
> insufficient_security alert if the parameters do not match.

What is the advantage of that proposal? It is more complex, and a security
protocol should strive for simplicity. I see three disadvantages:
1. More bytes to send in a handshake, especially since we are talking about
large groups (that also results to more memory used by implementations
that have to cache those messages until the handshake is finished).
2. Instead of simple maps to known parameters, checks are needed adding more 
space for errors.
3. There are known attacks against the current ServerKeyExchange format which
remain applicable if we go this path (a sufficiently long DH serverkeyexchange
message can be parsed as an ECDH serverkeyexchage).


Furthermore, I'd like to propose to further simplify the message for ServerDHParams
used by the draft, and convert it to a deliberately incompatible format with the 
ServerDHParams as well ServerECDHParams. That way it can be ensured ensure that there
cannot be any mitm taking advantage of the similarities.

regards,
Nikos

v2.39.1 | Report a Bug | By Email | System Status