Re: [TLS] draft-deprecate-obsolete-kex - Comments from WG Meeting

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 29 July 2022 14:00 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nimrod Aviram <nimrod.aviram@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Date: Fri, 29 Jul 2022 13:59:58 +0000
Message-ID: <SY4PR01MB6251B80C4F35F6921854DC72EE999@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <CABiKAoSvJqewOs=pqS+ggyWBCasoQYU9GoGMMOq6V4HZqmUH+Q@mail.gmail.com>
In-Reply-To: <CABiKAoSvJqewOs=pqS+ggyWBCasoQYU9GoGMMOq6V4HZqmUH+Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VP39mZeeK5ddN5k1Np8vZuN02YU>

An additional comment on this: a pretty straightforward solution is to use the TLS-LTS one:

   TLS-LTS sends the full set of DH parameters, X9.42/FIPS 186 style,
   not p and g only, PKCS #3 style.  This allows verification of the DH
   parameters, which the current format doesn't allow:

   o  TLS-LTS implementations MUST send the DH domain parameters as { p,
      q, g } rather than { p, g }.  This makes the ServerDHParams field:

   struct {
       opaque dh_p<1..2^16-1>;
       opaque dh_q<1..2^16-1>;
       opaque dh_g<1..2^16-1>;
       opaque dh_Ys<1..2^16-1>;
       } ServerDHParams;     /* Ephemeral DH parameters */

      Note that this uses the standard DLP parameter order { p, q, g },
      not the erroneous { p, g, q } order from the X9.42 DH
      specification.
   o  The domain parameters MUST either be compared for equivalence to a
      set of known-good parameters provided by an appropriate standards
      body or they MUST be verified as specified in FIPS 186 [9].
      Examples of the former may be found in RFC 3526 [32].

That pretty much solves the problem once and for all without needing magic-number groups or similar.

Peter.
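As an added example (not code from the TLS-LTS draft or from Peter's message): a Python parser for the ServerDHParams layout quoted above, plus the domain parameter checks that sending q alongside p and g makes possible. It assumes each field is a TLS opaque<1..2^16-1> vector with a 2-byte big-endian length prefix and uses a constructed toy group (p = 23, q = 11, g = 2), not a real TLS group; the full FIPS 186 parameter validation, which re-runs the seeded prime generation, is not reproduced, only the checks that need just { p, q, g, Ys }.

```python
import secrets
def is_probable_prime(n, rounds=32):
    # Miller-Rabin with random bases (FIPS 186-4 C.3.1 style); n < 2 and even n are rejected.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def parse_server_dh_params(data):
    # Four opaque<1..2^16-1> fields (2-byte big-endian length, then a big-endian integer); returns
    # ((p, q, g, Ys), end_offset) so the caller can continue with whatever follows (e.g. the signature).
    vals, off = [], 0
    for _ in range(4):
        n = int.from_bytes(data[off:off + 2], "big")
        if n < 1 or off + 2 + n > len(data):
            raise ValueError("bad ServerDHParams vector length")
        vals.append(int.from_bytes(data[off + 2:off + 2 + n], "big"))
        off += 2 + n
    return tuple(vals), off

def validate_dh_params(p, q, g, ys):
    # Seed-free checks that q on the wire enables (full FIPS 186-4 A.1.1.3 validation would also need
    # the generation seed/counter, which TLS does not carry). g: FIPS 186-4 A.2.2; Ys: SP 800-56A
    # full public-key validation. Returns the list of failed checks; an empty list means all passed.
    failures = []
    for name, val in (("p", p), ("q", q)):
        if not is_probable_prime(val):
            failures.append(name + " not prime")
    if (p - 1) % q != 0:
        failures.append("q does not divide p-1")
    if not 2 <= g <= p - 1 or pow(g, q, p) != 1:
        failures.append("g is not a generator of the order-q subgroup")
    if not 2 <= ys <= p - 2 or pow(ys, q, p) != 1:
        failures.append("Ys is not in the order-q subgroup")
    return failures

# Constructed toy group, not a real TLS group: p = 23, q = 11, g = 2, Ys = 2^5 mod 23 = 9.
SAMPLE_OK = b"\x00\x01\x17\x00\x01\x0b\x00\x01\x02\x00\x01\x09"
# The same values serialised in the X9.42 { p, g, q } order that the TLS-LTS note warns against.
SAMPLE_X942_ORDER = b"\x00\x01\x17\x00\x01\x02\x00\x01\x0b\x00\x01\x09"
```

With a real group the same checks apply unchanged; Python's pow() handles 2048-bit moduli, and the equivalence branch of the TLS-LTS rule is simply a comparison of the parsed (p, q, g) against the RFC 3526 values.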

________________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Nimrod Aviram <nimrod.aviram@gmail.com>
Sent: Friday, 29 July 2022 02:41
To: <tls@ietf.org>
Subject: [TLS] draft-deprecate-obsolete-kex - Comments from WG Meeting

Hi Everyone,

Thank you for chiming in with comments and suggestions regarding draft-deprecate-obsolete-kex :-)

I've tried to summarize everyone's comments below, hopefully grouped by subject.
Apologies in advance if I missed anything (or misspelled names...), please do reply to this thread :-)

My intent here is only to make sure we have a good record of the comments made. I hope to follow up soon with a suggested way forward for the draft.

thanks,
Nimrod
===============
Scott Fluhrer: We can only check for group structure if it's a safe prime, and even for a safe prime it's too expensive. Suggest limiting groups to a safelist.
Mike Ounsworth: Automated scanning tools routinely flag standardized FFDHE groups.
Daniel Kahn Gillmor and Thom Wiggers: This is because of the Logjam paper and precomputation. But they missed that the advice to generate your own DH params was for 1024 bit parameters for software that didn't support anything else.
Daniel Kahn Gillmor: Would be good to discourage non-standard groups, while acknowledging the original argument for non-standard groups and explaining why it doesn't motivate non-standard groups today.

Viktor Dukhovni: Postfix is far from the only one with non-standardized, built-in default groups. Even for Postfix there are several groups, depending on the version. Would be hard to build a list of widespread groups.
Ben Kaduk: Can we start a registry for safe, widespread groups?

Martin Thomson: We tried using a safelist (that included only 7919 groups? - Nimrod) but people use weird groups, and we couldn't turn that on.
David Benjamin: Agree, better to turn off FFDHE entirely.
The deployability issue with 7919 is also documented in
https://mailarchive.ietf.org/arch/msg/tls/bAOJD281iGc2HuEVq0uUlpYL2Mo/
https://mailarchive.ietf.org/arch/msg/tls/DzazUXCUZDUpVgBPVHOwatb65dA/

Uri Blumenthal: We should neither recommend nor discourage non-standard groups. Leave it to each operator to decide for themselves, they likely know what they're doing.
Jonathan Hoyland and Martin Thomson: The pen-testing comment provides a counterargument.

Uri Blumenthal: The draft is unnecessarily strict, from both deployment and security points of view. Examples of stuff that should be retained: RSA, FFDHE. PQ implications: all the NIST PQC winners and finalists are KEMs, not KA - aka, similar to RSA rather than DH.