Re: [TLS] ETSI releases standards for enterprise security and data centre management
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 December 2018 20:33 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DDBD131186 for <tls@ietfa.amsl.com>; Thu, 6 Dec 2018 12:33:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.19
X-Spam-Level:
X-Spam-Status: No, score=-4.19 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rhwUSzBcOTN3 for <tls@ietfa.amsl.com>; Thu, 6 Dec 2018 12:33:20 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D5E5130F7E for <tls@ietf.org>; Thu, 6 Dec 2018 12:33:20 -0800 (PST)
Received: from fifthhorseman.net (41-139-152-102.safaricombusiness.co.ke [41.139.152.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id DDA77F99B; Thu, 6 Dec 2018 15:33:18 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 664AE20381; Thu, 6 Dec 2018 23:25:04 +0300 (EAT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Andrei Popov <Andrei.Popov@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <SN6PR2101MB1055D37EB2DD393B9DB042238CA90@SN6PR2101MB1055.namprd21.prod.outlook.com>
References: <CADqLbzKd-AgDRv2suZ-0Nz4jNUqKg0RNT8sgQd-n793t+gEN3g@mail.gmail.com> <CAHOTMVKZT1ScvHeP3=Kv2zodVimHkaAtG-2DTq6ojnF+q-OMSQ@mail.gmail.com> <20181202233553.GD15561@localhost> <CAHOTMV+vPkM-=Qsto-8-ipFuGsNKkH_U=BEY_mB=7CM7tto3Mw@mail.gmail.com> <38D10A65-B4EE-4E81-8EA4-D69514F7F47B@gmail.com> <51754d91-c00c-0cad-ecd6-8db74544d26a@cs.tcd.ie> <A7423BAF-398B-4BBE-81AC-364CE748D6B1@gmail.com> <9344c0e1-f484-2b4b-8594-1d29731f6b7a@cs.tcd.ie> <01429BF7-BF1D-4F1C-9E18-D796A5585E62@gmail.com> <2F72F9A9-1556-4F44-8BBA-4D4CDD1A310C@akamai.com> <cd138d5d-37be-acee-297c-011227e98b99@nomountain.net> <SN6PR2101MB1055D37EB2DD393B9DB042238CA90@SN6PR2101MB1055.namprd21.prod.outlook.com>
Date: Thu, 06 Dec 2018 23:25:01 +0300
Message-ID: <87d0qee736.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Xppri_oZ__DgIRffO-hZbCsaV2k>
Subject: Re: [TLS] ETSI releases standards for enterprise security and data centre management
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 20:33:22 -0000
Hi Andrei-- On Thu 2018-12-06 02:10:06 +0000, Andrei Popov wrote: > I like the intent of draft-dkg-tls-reject-static-dh-01, but this part will cost servers some perf: > > "Given the concerns in Section 2 and the necessary client mitigations > in the subsections above, servers need to avoid giving the appearance > of using non-ephemeral DH. Servers MUST NOT reuse ephemeral DH > shares." > > In our tests, we see significant drop in handshakes/sec on a busy TLS > server with ephemeral DH share reuse time < 1 sec. interesting, i'd love to see more details on those tests if you can share them. What kind of load are we talking about? Which server implementation? The cost here is in the fixed-base operation, iiuc, which is the cheapest part of the handshake -- DH share reuse allows you to skip this one step per handshake (or rather, to amortize the one step across multiple handshakes). You mention a cutoff of 1 second. If the amortization is spread across, say, all handshakes within 2 seconds, is the performance impact still significant? If the draft's server guidance were to be amended to suggest avoiding DH reuse for more than 2 seconds, and the guidance for clients to track added a buffer of 2 seconds before rejection, would that satisfy your concerns about performance under load? > Also, won't the "enterprise TLS" server just create a bunch of static > DH shares and send different ones at different times, thereby avoiding > detection by most clients? I don't think that the intent of the ETSI spec is to encourage non-visible use. They've specifically stated visibility to clients as a primary goal, and acknoweldged that "Annex A" servers would be in violation of their own goals. So it's conceivable that truly malicious servers would do this, of course, but they might also just publish the master secret on twitter too, and the client wouldn't know how to detect that inband either. But for the misbehavior that we *can* detect in-band, a responsible client should be aware of it and avoid it, right? --dkg
- [TLS] ETSI releases standards for enterprise secu… Dmitry Belyavsky
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Dmitry Belyavsky
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Christian Huitema
- Re: [TLS] ETSI releases standards for enterprise … Stephen Farrell
- Re: [TLS] ETSI releases standards for enterprise … Christian Huitema
- Re: [TLS] ETSI releases standards for enterprise … Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] ETSI releases standards for enterprise … Nico Williams
- Re: [TLS] ETSI releases standards for enterprise … Jonathan Hoyland
- Re: [TLS] ETSI releases standards for enterprise … Salz, Rich
- Re: [TLS] ETSI releases standards for enterprise … Nico Williams
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Jonathan Hoyland
- Re: [TLS] ETSI releases standards for enterprise … Nico Williams
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Bret Jordan
- Re: [TLS] ETSI releases standards for enterprise … Stephen Farrell
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Benjamin Beurdouche
- Re: [TLS] ETSI releases standards for enterprise … Bret Jordan
- Re: [TLS] ETSI releases standards for enterprise … Stephen Farrell
- Re: [TLS] ETSI releases standards for enterprise … Bret Jordan
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Salz, Rich
- Re: [TLS] ETSI releases standards for enterprise … Salz, Rich
- Re: [TLS] ETSI releases standards for enterprise … R duToit
- Re: [TLS] ETSI releases standards for enterprise … Christopher Wood
- Re: [TLS] ETSI releases standards for enterprise … Melinda Shore
- Re: [TLS] ETSI releases standards for enterprise … Andrei Popov
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Andrei Popov
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Viktor Dukhovni
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Andrei Popov
- Re: [TLS] ETSI releases standards for enterprise … Nico Williams
- Re: [TLS] ETSI releases standards for enterprise … Tony Arcieri
- Re: [TLS] ETSI releases standards for enterprise … Arnaud.Taddei.IETF
- Re: [TLS] ETSI releases standards for enterprise … Sean Turner
- Re: [TLS] ETSI releases standards for enterprise … Eric Rescorla
- Re: [TLS] ETSI releases standards for enterprise … Sean Turner
- Re: [TLS] ETSI releases standards for enterprise … Kurt Roeckx
- Re: [TLS] ETSI releases standards for enterprise … Daniel Kahn Gillmor
- Re: [TLS] ETSI releases standards for enterprise … Salz, Rich
- Re: [TLS] ETSI releases standards for enterprise … Ryan Sleevi
- Re: [TLS] ETSI releases standards for enterprise … Arnaud.Taddei.IETF