Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Nick Sullivan <nicholas.sullivan@gmail.com> Sat, 15 July 2017 10:57 UTC

From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Sat, 15 Jul 2017 10:57:14 +0000
Message-ID: <CAOjisRzaBtWZJrz8rGw+2K_nwb=O2GR4gkYyJq0VEZinJnecQQ@mail.gmail.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>, Ted Lemon <mellon@fugue.com>
Cc: IETF TLS <tls@ietf.org>, Matthew Green <matthewdgreen@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_1_n9DmWet4LM_c8k6YevHfOP4M>

I'd like to raise another point.

Static Diffie-Hellman is a cryptographically problematic construction. Not
only was it found to be fragile to implement in the prime field variant
(LogJam), the Elliptic Curve variant has recently been identified as
troublesome as well (see recent JWE vulnerability
https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html
and CVE-2017-8932). Furthermore, many post-quantum key exchange mechanisms
cannot be secured with repeated key shares (SIDH is one example).

Encouraging (or worse, standardizing) the repeated use of a key share seems
risky and shortsighted.

For this reason, and the fact that there are alternative techniques to
achieve the same goals (put the symmetric key material in a serverhello
extension encrypted with an exfiltration key, for example), I don't think
this proposal should be considered. If alternative proposals are presented
that don't require key shares to be reused, I am not against discussing
them.

Nick

On Sat, Jul 15, 2017 at 10:16 AM Dobbins, Roland <rdobbins@arbor.net> wrote:

>
>
> > On Jul 15, 2017, at 16:05, Dobbins, Roland <rdobbins@arbor.net> wrote:
> >
> > There is plenty of information on these topics available on the Internet
> today.
>
> At the risk of self-replying, it should also be noted that highly
> informative discussions of these challenges, & detailed presentations
> thereof, have taken place in WG meetings at previous IETF meetings.
>
> There has also been ample time since those discussions & presentations to
> gain additional understanding & insight.
>
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>