Re: [TLS] Another IRINA bug in TLS

Santiago Zanella-Beguelin <santiago@microsoft.com> Sat, 23 May 2015 13:11 UTC

From: Santiago Zanella-Beguelin <santiago@microsoft.com>
To: Kurt Roeckx <kurt@roeckx.be>, Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Date: Sat, 23 May 2015 13:10:47 +0000
Message-ID: <1432386647254.97150@microsoft.com>
References: <555DBF7E.9050807@redhat.com> <1432207863352.27057@microsoft.com> <555DC498.2000109@redhat.com> <1432209104.3243.65.camel@redhat.com> <1432219967072.32353@microsoft.com> <810C31990B57ED40B2062BA10D43FBF5DDDDEB@XMB116CNC.rim.net> <CACsn0c=HuipCG20HGO+uLfBcm+bOEZQFdFdyKWsA1d5D3W0ZCA@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF5DDF130@XMB116CNC.rim.net> <CAH8yC8mjvXzFm038bXKJr=cnavJ8JGTV4Cufepvv8fXAXp041w@mail.gmail.com> <B515FE85-F5C2-4609-A673-936354CEB066@gmail.com>, <20150523121151.GA18846@roeckx.be>
In-Reply-To: <20150523121151.GA18846@roeckx.be>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/YYX7HPEBoYOxA20FXvTFcBT2LiI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS

> Should that be changed to "and use a 2048-bit Diffie-Hellman
> group"?

It should. We'll soon update the website and the report to clarify this.

________________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Kurt Roeckx <kurt@roeckx.be>
Sent: Saturday, May 23, 2015 1:11 PM
To: Karthikeyan Bhargavan
Cc: tls@ietf.org
Subject: Re: [TLS] Another IRINA bug in TLS

On Fri, May 22, 2015 at 10:36:57PM +0200, Karthikeyan Bhargavan wrote:
>
> > I think the authors felt the same. But in Section 4 of the paper, they said:
>
> As one of the authors of the paper, let me try to clarify our recommendations a little bit.
> First, we only know what is broken, and can only make precise recommendations for avoiding the attacks in the paper.
> Figuring out what's a good long-term alternative is for a community forum like this to decide.
>
> If we were to make a recommendation for TLS, at least as it is used on the web, it would be as follows,
> in decreasing order of preference:
>
> 1) Switch to ECDHE.
>     It is faster, and the kinds of attacks discussed in our paper have not (yet) been shown to be effective for the common curves.
>     As usual, we need to be wary of weak curves (160-bit) or curves that may have been generated maliciously.
>     We leave it to the EC folks to tell us what are good curves to use.
>
> 2) Switch to stronger (>=2048-bit) DHE groups.
>     If ECDHE is unavailable, we are happy (today) with >= 2048 groups as suggested in the FF-DHE draft.
>     As usual, we have to be wary of how these groups are generated, since there is the possibility of trapdoors being built in.
>     Using well known constants such as pi or e as the basis for prime generation (e is used in FF-DHE) is, as far as we know,
>     a safe technique for generating a group with a low probability of a trapdoor.

The weakdh.org site currently says:
| If you run a server...
|
| If you have a web or mail server, you should disable support for
| export cipher suites and generate a unique 2048-bit Diffie-Hellman
| group.

Should that be changed to "and use a 2048-bit Diffie-Hellman
group"?


Kurt

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
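The recommendation the thread converges on (use a 2048-bit Diffie-Hellman group, whether freshly generated or one of the FF-DHE groups) can be checked on the parameter file itself before it is deployed. The following is an added example, not code from the thread, weakdh.org or the paper; it assumes PKCS#3 PEM input of the kind `openssl dhparam 2048` writes, and the embedded sample is a constructed 11-bit toy group that passes the safe-prime check but fails the size check.

```python
import base64, random

MIN_BITS = 2048  # group size the thread settles on ("use a 2048-bit group")

def der_read_tlv(buf, pos):
    # One DER tag-length-value at pos -> (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, which a 2048-bit INTEGER needs
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dhparams_pem(pem):
    # PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = der_read_tlv(base64.b64decode(body), 0)
    tag_p, p_bytes, pos = der_read_tlv(seq, 0)
    tag_g, g_bytes, _ = der_read_tlv(seq, pos)
    assert tag == 0x30 and tag_p == tag_g == 0x02, "not a DHParameter"
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def is_probable_prime(n, rounds=32):
    # Miller-Rabin: never rejects a prime, so a True "safe_prime" verdict holds.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_group(p, g, min_bits=MIN_BITS):
    q = (p - 1) // 2
    safe = is_probable_prime(p) and is_probable_prime(q)
    # In a safe-prime group g^q mod p is 1 (order q) or p-1 (order 2q) for any usable g.
    return {"bits": p.bit_length(), "large_enough": p.bit_length() >= min_bits,
            "safe_prime": safe,
            "generator_ok": safe and 1 < g < p - 1 and pow(g, q, p) in (1, p - 1)}

# Constructed sample: 11-bit toy group (p = 2039, g = 2) in the PEM form `openssl dhparam` writes.
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAcCAgf3AgEC\n-----END DH PARAMETERS-----\n"
```

Run `check_dh_group(*parse_dhparams_pem(open("dhparams.pem").read()))` on a real file; a deployable group should report `large_enough`, `safe_prime` and `generator_ok` all true.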