IETF Logo Mail Archive

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

Rene Struik <rstruik.ext@gmail.com> Fri, 27 August 2021 17:50 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA7203A0917 for <tls@ietfa.amsl.com>; Fri, 27 Aug 2021 10:50:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nR0xwm6B2z1m for <tls@ietfa.amsl.com>; Fri, 27 Aug 2021 10:50:04 -0700 (PDT)
Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FF4A3A090D for <tls@ietf.org>; Fri, 27 Aug 2021 10:50:04 -0700 (PDT)
Received: by mail-qv1-xf34.google.com with SMTP id u18so1490092qvq.3 for <tls@ietf.org>; Fri, 27 Aug 2021 10:50:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:references:from:subject:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=ByQjoecfx5gKvC/mJBTF7xwUhwUTl+6T6h4B45R17+k=; b=FbvOG7H6Paph5fJGm0n0ujA0RNWDy5+K+HhjK9TRdHyTh1k0/bX3i0XvzAWu2ms9uR Unqillb45xchf6C0EkNPtvIkslKo25U87cJyVEq+tWx1hzwZbRBw58WV6aJr7G5HbhV3 iZI0ceWW59iU0RxFrNzXvy2Pndh+V+YXxunmh16xFUdZPMjfLpFkdBMTCt9wX4T6SwpG kaqZRlQxivbPBQhjaTh73tdAyXPaXdYQDe+Hjv3iuU/r2wzAj4Z45ELsCthWcD9ObKMY 1twJ4KfIqbQSpsMGH2yVJoz2hCYP5J474wDtNAaJaRQq9v9KfOW6ExvEbKN9AuyPfwbI btqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:references:from:subject:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=ByQjoecfx5gKvC/mJBTF7xwUhwUTl+6T6h4B45R17+k=; b=NnhWwe0RFVXQmRxZrZIUNGSySs/UwgyCxaFb9XuzBBmBIazuJcXCarbdVWCgvTGlJ4 y56sD/ZvTZ1jXu5doYl/1S6DrluckIVJ17q6zu5e6CwjmhFBkkXsbcub2RZnu168T+zW P32+pq8JQxMDgvq7Ov7vR0Lom6Ed7RXmxzLoJg7lN6Ue679tSO/MAo8FJb02lLHPK48q 8ufKPmIX8Cxg2gnNiYTzXXWifbnJx3UyVR2EHDOiGL/PghaXWRheVnvgO1HjtPPv1CUT mmTuqri/ebtDJhBt7Y+csHlnE3AM1JfKfLNVJSQJflSvVEnFAJiZz19rrOjC75XrW8++ SmIg==
X-Gm-Message-State: AOAM530ph/KyQiQaTrMvfSr38zGpagIfCewqJxMUzJ2BhvrvJTF9sVbF vNfCpzvP7yAXlai8HmKneoXQ4abijzs=
X-Google-Smtp-Source: ABdhPJzy7ClraUDKo+TfEDpyr6KPVTqx8XOTO4XmhKgtR7VJkRS23/T7UbYw6I6AZgtBqKXb3KdjZQ==
X-Received: by 2002:a05:6214:7cf:: with SMTP id bb15mr7255887qvb.9.1630086602204; Fri, 27 Aug 2021 10:50:02 -0700 (PDT)
Received: from ?IPv6:2607:fea8:8a0:1397:fc5f:12b:d173:619a? ([2607:fea8:8a0:1397:fc5f:12b:d173:619a]) by smtp.gmail.com with ESMTPSA id o19sm1146811qtv.85.2021.08.27.10.50.00 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 27 Aug 2021 10:50:01 -0700 (PDT)
To: Nimrod Aviram <nimrod.aviram@gmail.com>, tls@ietf.org
References: <CAOgPGoC4C0bWz0h0iyzGzMPEoDKAPv4euoOkmS+6Uuxncux4Zg@mail.gmail.com> <cc9c9d9f-d6b1-3b93-1231-a9a9c34a7fcd@gmail.com> <67533325-2983-47B7-871C-D90799D09532@ll.mit.edu> <CAOgPGoDAvnFic3VmEsge3i8C2FEfWp74ac_ievtfNo=MQB+C8g@mail.gmail.com> <C8E91D9B-2326-4AAF-9952-69481081E337@ll.mit.edu> <BD109A95-129A-4995-AFCA-FEF10DBD6440@icloud.com> <CAOgPGoBMhhsTupXuWF__zkLuy-4qQhha_Kp1_+ToZrNoaFUsgQ@mail.gmail.com> <13b9e674-9e0b-46aa-b5d6-49798c310d85@www.fastmail.com> <CABiKAoT3rwhXHAm3YeuuMzQMp5hH-N2sL6WPadE5i+bX1hrTjw@mail.gmail.com>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <b5999c2f-2ba9-e136-98ce-c42c5e41a85f@gmail.com>
Date: Fri, 27 Aug 2021 13:49:57 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <CABiKAoT3rwhXHAm3YeuuMzQMp5hH-N2sL6WPadE5i+bX1hrTjw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------2692E9D41B8F91A06D31093B"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Y0vFZ196wwtwh7-NGCeNOY1QakY>
Subject: Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Aug 2021 17:50:11 -0000

Hi Nimrod:

All the quoted Raccoon attack (of which you are a coauthor) does is 
highlight that poorly designed post-processing of a shared key 
(variable-size bit-string representation) could be used to extract 
secret info by solving an instance of the hidden number problem.

Let us not over-state the importance of this attack, though: the attack 
(for those who care) is easy to mitigate, e.g., as follows:
a) Let K be the derived shared key; let K1, ..., Kt be a set of keys 
including this key K (where this set has keys of byte-size L-1 and L, 
respectively, say L-1 once and L for all others);
b) Compute kj:=kdf(Kj) for all j=1,...,t;
c) Select select kj, where Kj corresponds to K.
Note: (if t:=2) if K has size L-1, set, e.g., K':=K xor random L-byte 
offset; if K has size L, set, e.g., K':=trunc_{L-1}(K) xor random 
{L-1}-byte offset.

Contrary to what you claim, this seems to be easy to implement in 
constant-time, however if not, this would still most likely thwart the 
attack (since one cannot apply the HNP any more {since one has to guess 
which leaks are real (correct j value) and which are spurious).

Bottom line (for me) is that one should not use attacks that are easy to 
mitigate as a pretext for deprecating things. There may be other reasons 
that have more merit, but the draft in the adoption call does not 
provide any of this. Hence, my feedback to reject the individual draft 
as it stands (based on lack of proper detail).

As Peter Gutmann already said in the thread, what problem is one trying 
to solve here???

Contrary to what Filippo suggests, I do think one should query why 
implementors do not heed advice that has been around for a long time (in 
that case, they should rightfully assume some blame). Implementors have 
duty of care too.

[my email of Aug 13, 2021, 9.58am EDT]
I think this document should absolutely *not* be adopted, without 
providing far more technical justification. The quoted Raccoon attack is 
an easy to mitigate attack (which has nothing to do with finite field 
groups, just with poor design choices of postprocessing, where one uses 
variable-size integer representations for a key). There are also good 
reasons to have key exchanges where one of the parties has a static key, 
whether ecc-based or ff-based (e.g., sni, opaque), for which secure 
implementations are known. No detail is provided and that alone should 
be sufficient reason to not adopt.

On 2021-08-27 1:00 p.m., Nimrod Aviram wrote:
> > The implementation guidance to avoid weaknesses in any 
> ephemeral-static exchange is "don't get anything wrong, anything at all
> Agreed that it's not workable. I'm not sure there is existing and 
> suitable implementation guidance.
> To avoid the Raccoon attack, one would have to implement the KDF such 
> that it is constant time, even for variable-length secrets. This is 
> possible, at least in principle, but I'm not aware of any 
> implementation that does it or plans to do it, and neither of any 
> document that describes the complex strategy for achieving this.
>
>
> On Fri, 27 Aug 2021 at 12:26, Filippo Valsorda <filippo@ml.filippo.io 
> <mailto:filippo@ml.filippo.io>> wrote:
>
>     2021-08-27 05:08 GMT+02:00 Joseph Salowey <joe@salowey.net
>     <mailto:joe@salowey.net>>:
>>     Thanks for all the discussion on this topic. There are several
>>     modes that TLS 1.2 can operate with respect to DH.  Below is a
>>     proposal on cases to merge some of the cases covered by this
>>     draft into the obsolete keyex draft.  I'd like to see if there is
>>     some consensus to make this change before we adopt it into the
>>     working group.
>>
>>     1. static-static where both client and server have DH
>>     certificates with long term keys.  I think we have general
>>     consensus that this mode should be a must not.  To deprecate this
>>     mode I think we need to state that clients MUST NOT use
>>     certificates of type rsa_fixed_dh and dsa_fixed_dh and server
>>     MUST NOT request them. Would the working group support merging
>>     this guidance into the obsolete keyex draft?
>>
>>     2. ephemeral-static where the client uses an ephemeral key and
>>     the server uses a long term key.  This mode does not provide
>>     forward secrecy.  I'm not sure we have reached consensus on how
>>     far to deprecate this option.  Would the working group support
>>     MUST NOT use these ciphersuites unless forward secrecy does not
>>     matter for your use case and any implementation guidance provided
>>     to avoid weaknesses is followed?
>
>     The implementation guidance to avoid weaknesses in any
>     ephemeral-static exchange is "don't get anything wrong, anything
>     at all, all the way down to your field arithmetic libraries". I
>     don't think that's a workable recommendation, and I believe we
>     should deprecate modes that are so unsafe to implement.
>
>>     3. ephemeral-ephemeral  - I think these are already covered in
>>     the obsolete keyex draft.
>>
>>     Thanks,
>>
>>     Joe
>>
>>     On Sun, Aug 22, 2021 at 9:32 PM Carrick Bartle
>>     <cbartle891@icloud.com <mailto:cbartle891@icloud.com>> wrote:
>>
>>>         >   which is a main reason cited for deprecating RSA
>>>         in draft-aviram-tls-deprecate-obsolete-kex.
>>>
>>>         Have the authors look at Post-Quantum KEMs?
>>
>>         I'm not sure why PQ KEMs are relevant here.
>>
>>
>>>         On Aug 17, 2021, at 10:41 AM, Blumenthal, Uri - 0553 - MITLL
>>>         <uri@ll.mit.edu <mailto:uri@ll.mit.edu>> wrote:
>>>
>>>         > Regardless of the Raccoon attack, the static DH and ECDH
>>>         ciphersuites do not provide
>>>         > forward secrecy,
>>>
>>>         Unless you use semi-static exchange, which in many cases
>>>         makes sense.
>>>
>>>         >   which is a main reason cited for deprecating RSA
>>>         in draft-aviram-tls-deprecate-obsolete-kex.
>>>
>>>         Have the authors look at Post-Quantum KEMs?
>>>
>>>         > Do you object to just the citation of the Raccoon attack
>>>         or do you also feel that we
>>>         > should keep these ciphersuites that do not provide forward
>>>         secrecy around?
>>>
>>>         I think these suites should stay around.
>>>
>>>         While static-static indeed do not provide forward secrecy
>>>         (and many of us – though not everybody! – carry for that),
>>>         static-ephemeral DH and ECDH are perfectly fine from that
>>>         point of view.
>>>
>>>
>>>
>>>         On Fri, Aug 13, 2021 at 10:20 AM Blumenthal, Uri - 0553 -
>>>         MITLL <uri@ll.mit.edu <mailto:uri@ll.mit.edu>> wrote:
>>>>         I agree with Rene’s points.
>>>>
>>>>         -- 
>>>>         Regards,
>>>>         Uri
>>>>
>>>>
>>>>         *From:*TLS <tls-bounces@ietf.org
>>>>         <mailto:tls-bounces@ietf.org>> on behalf of Rene Struik
>>>>         <rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com>>
>>>>         *Date:*Friday, August 13, 2021 at 09:58
>>>>
>>>>         Dear colleagues:
>>>>
>>>>         I think this document should absolutely *not* be adopted,
>>>>         without providing far more technical justification. The
>>>>         quoted Raccoon attack is an easy to mitigate attack (which
>>>>         has nothing to do with finite field groups, just with poor
>>>>         design choices of postprocessing, where one uses
>>>>         variable-size integer representations for a key). There are
>>>>         also good reasons to have key exchanges where one of the
>>>>         parties has a static key, whether ecc-based or ff-based
>>>>         (e.g., sni, opaque), for which secure implementations are
>>>>         known. No detail is provided and that alone should be
>>>>         sufficient reason to not adopt.
>>>>
>>>>         Rene
>>>>
>>>>         On 2021-07-29 5:50 p.m., Joseph Salowey wrote:
>>>>>         This is a working group call for adoption for Deprecating
>>>>>         FFDH(E) Ciphersuites in TLS
>>>>>         (draft-bartle-tls-deprecate-ffdhe-00
>>>>>         <https://datatracker.ietf.org/doc/draft-bartle-tls-deprecate-ffdhe/>).
>>>>>         We had a presentation for this draft at the IETF 110
>>>>>         meeting and since it is a similar topic to the key
>>>>>         exchange deprecation draft the chairs want to get a sense
>>>>>         if the working group wants to adopt this draft (perhaps
>>>>>         the drafts could be merged if both move forward). Please
>>>>>         review the draft and post your comments to the list by
>>>>>         Friday, August 13, 2021.
>>>>>
>>>>>         Thanks,
>>>>>
>>>>>         The TLS chairs
>>>>>
>>>>>
>>>>>         _______________________________________________
>>>>>         TLS mailing list
>>>>>         TLS@ietf.org  <mailto:TLS@ietf.org>
>>>>>         https://www.ietf.org/mailman/listinfo/tls  <https://www.ietf.org/mailman/listinfo/tls>
>>>>
>>>>
>>>>         -- 
>>>>         email:rstruik.ext@gmail.com  <mailto:rstruik.ext@gmail.com>  | Skype: rstruik
>>>>         cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
>>>         _______________________________________________
>>>         TLS mailing list
>>>         TLS@ietf.org <mailto:TLS@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/tls
>>>         <https://www.ietf.org/mailman/listinfo/tls>
>>
>>     _______________________________________________
>>     TLS mailing list
>>     TLS@ietf.org <mailto:TLS@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/tls
>>     <https://www.ietf.org/mailman/listinfo/tls>
>>
>
>     _______________________________________________
>     TLS mailing list
>     TLS@ietf.org <mailto:TLS@ietf.org>
>     https://www.ietf.org/mailman/listinfo/tls
>     <https://www.ietf.org/mailman/listinfo/tls>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

v2.23.0 | Report a Bug | By Email