Re: [TLS] Sending Custom DHE Parameters in TLS 1.3

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 12 October 2020 17:29 UTC

Date: Mon, 12 Oct 2020 20:28:52 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Michael D'Errico <mike-list@pobox.com>
Cc: TLS List <tls@ietf.org>
Message-ID: <20201012172852.GA2560734@LK-Perkele-VII>
References: <8f57527d-efba-4d03-a3e5-f0ee33463d56@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <8f57527d-efba-4d03-a3e5-f0ee33463d56@www.fastmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/acjtJNXcKLVyqDxzqKXyskiGPPc>

On Mon, Oct 12, 2020 at 12:36:06PM -0400, Michael D'Errico wrote:
> 
> It appears that there may be a need to revert to the
> old way of sending Diffie-Hellman parameters that
> the server generates.  I see that TLS 1.3 removed
> this capability*; is there any way to add it back?

The Diffie-Hellman support in TLS 1.2 is severely broken. There is no
way to use it safely on the client side. This has led to, e.g., all the
web browsers removing support for it.

There is no way to ensure that the parameters sent are not totally
broken, e.g.:

- Modulus too small.
- Modulus too large.
- Modulus not prime (has been used as a backdoor!).
- Modulus is weak (possibly backdoored).
- Subgroup order does not have large prime factor.

Even checking the third would require a primality test, and primality
tests at relevant sizes are slow. And the fourth and fifth cannot be
checked at all in the general case.


For ECDHE, TLS 1.2 allowed the server to specify a custom curve to do the
key exchange with. Rightfully, pretty much nobody implemented that.


I think the TLS WG should withdraw the recommendation (as flawed) on all
TLS_DHE_* ciphersuites.


-Ilari
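The checks Ilari lists are easier to appreciate when written out. The block below is an added example, not code from the thread or from any TLS implementation: it parses the RFC 5246 ServerDHParams structure (dh_p, dh_g, dh_Ys as 2-byte-length-prefixed integers) and then runs every check a TLS 1.2 client can actually perform on server-chosen parameters. The size bounds (2048 to 8192 bits), the 32 Miller-Rabin rounds and the trial-division bound of 1000 for factoring p-1 are my own policy assumptions. The point it makes is the one in the mail: size and primality are checkable (the primality test is the expensive part at real sizes), a large prime-order subgroup can only be confirmed when p-1 happens to factor as small primes times one large prime (safe primes and DSA-style groups), and nothing here can detect a modulus that was chosen to be weak to precomputation or a backdoor.

```python
"""Client-side sanity checks for TLS 1.2-style server-chosen DHE parameters.

Added example; policy constants below are assumptions, not TLS requirements.
"""
import random

MIN_MODULUS_BITS = 2048      # assumed policy floor
MAX_MODULUS_BITS = 8192      # assumed policy ceiling (bounds CPU spent on pow())
SMALL_FACTOR_BOUND = 1000    # assumed trial-division bound for factoring p-1
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def parse_server_dh_params(data):
    """Parse RFC 5246 ServerDHParams: dh_p, dh_g, dh_Ys, each opaque<1..2^16-1>."""
    fields, pos = [], 0
    for _ in range(3):
        if pos + 2 > len(data):
            raise ValueError("truncated ServerDHParams")
        n = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        if n == 0 or pos + n > len(data):
            raise ValueError("bad vector length in ServerDHParams")
        fields.append(int.from_bytes(data[pos:pos + n], "big"))
        pos += n
    if pos != len(data):
        raise ValueError("trailing bytes after ServerDHParams")
    return fields[0], fields[1], fields[2]


def encode_server_dh_params(p, g, ys):
    """Inverse of parse_server_dh_params, used to build constructed test input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def is_probable_prime(n, rounds=32):
    """Miller-Rabin. Each round is one modular exponentiation at the size of n,
    which is why a per-handshake primality test on a 2048+ bit modulus is slow."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def smooth_part(n, bound):
    """Split n into (s, rest): s is the product of all prime factors below bound."""
    s, rest = 1, n
    for f in range(2, bound):
        while rest % f == 0:
            rest //= f
            s *= f
    return s, rest


def check_dh_params(p, g, ys, min_bits=MIN_MODULUS_BITS, max_bits=MAX_MODULUS_BITS):
    """Return a list of problems with (p, g, Ys); empty means 'nothing detectable'.
    A modulus deliberately chosen to be weak (special form, precomputed) passes
    all of these checks; that is the part no client can verify."""
    problems = []
    bits = p.bit_length()
    if bits < min_bits:
        return [f"modulus too small ({bits} bits)"]
    if bits > max_bits:
        return [f"modulus too large ({bits} bits)"]
    if not is_probable_prime(p):            # composite modulus: no further meaning
        return ["modulus is not prime"]
    if not 2 <= g <= p - 2:
        problems.append("generator out of range")
    if not 2 <= ys <= p - 2:
        problems.append("server public value out of range")
    # Subgroup order: only verifiable when p-1 = (small primes) * (one large prime).
    s, rest = smooth_part(p - 1, SMALL_FACTOR_BOUND)
    if rest == 1:
        problems.append(f"p-1 has no prime factor above {SMALL_FACTOR_BOUND}: every subgroup is small")
    elif not is_probable_prime(rest):
        problems.append("cannot verify subgroup order: residual part of p-1 is composite and unfactored")
    elif 2 <= ys <= p - 2 and pow(ys, s, p) == 1:
        # Ys has order dividing s, so it lies in a small subgroup of the large-prime group.
        problems.append("server public value lies in a small subgroup")
    return problems
```

The constructed inputs in the test use tiny moduli (2579 is a safe prime, 2581 = 29 * 89, 7919 is prime but 7918 = 2 * 37 * 107) with the size floor lowered to 12 bits so the logic can be exercised quickly; with the default floor the same call reports the modulus as too small before spending any time on primality.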