IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Richard Fussenegger <richard@fussenegger.info> Wed, 22 October 2014 18:42 UTC

Return-Path: <richard@fussenegger.info>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD5481ACFA1 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:42:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NqFHrOQJSnp1 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:42:41 -0700 (PDT)
Received: from mx205.easyname.com (mx205.easyname.com [212.232.28.126]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 857F01ACFC2 for <tls@ietf.org>; Wed, 22 Oct 2014 11:42:41 -0700 (PDT)
Received: from 89-26-76-175.goll.dyn.salzburg-online.at ([89.26.76.175] helo=[192.168.0.11]) by mx.easyname.eu with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <richard@fussenegger.info>) id 1Xh0rl-00044l-25; Wed, 22 Oct 2014 20:42:39 +0200
Message-ID: <5447FA87.40007@fussenegger.info>
Date: Wed, 22 Oct 2014 20:42:15 +0200
From: Richard Fussenegger <richard@fussenegger.info>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Ryan Carboni <ryacko@gmail.com>, "tls@ietf.org" <tls@ietf.org>
References: <CAO7N=i38zutXpmuMKuv1CHrc3hO-zm6U+nsGgE6NF4YmC54tDQ@mail.gmail.com>
In-Reply-To: <CAO7N=i38zutXpmuMKuv1CHrc3hO-zm6U+nsGgE6NF4YmC54tDQ@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070004000802040608090805"
X-ACL-Warn: X-DNSBL-v4bl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/bqQtPLTsLF79yz_SzAc6v8ngyQU
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 18:42:45 -0000

I noticed that you all try to dictate your believes of security to 
others, which is actually very interesting to read so please don't stop 
(there's **really** no sarcasm in this sentence, but maybe you should 
rename the thread then because this discussion is otherwise not going 
anywhere). But you just mentioned a *very* important thing: 128-bit are 
sufficient today for generic web applications.

Do we want a fully encrypted web? **Yes!**
When do we want it? **Now!**

The essence of my previous message (partly quoted below) was, that it is 
important to ensure within the RFC that a ticket that is storing the 
state of a SUPER-CRYPTO-9999 cipher isn't going to be encrypted with a 
GENERIC-CIPHER-128 key. This would simply downgrade the security of the 
whole agreed upon cipher. But on the other hand if an administrator 
decided that his web service is only delivering cat photos and that 
GENERIC-CRYPTO-128 is sufficient in terms of computing power for his 
server and for his clients, than it doesn't make sense to encrypt the 
ticket with SUPER-CRYPTO-9999.

Of course if the same administrator decided to support both, 
GENERIC-CRYPTO-128 and SUPER-CRYPTO-9999, then he'll require the 
SUPER-CRYPTO-9999 for all tickets. Viktor Dukhovni already mentioned 
that OpenSSL is actually supporting different key strengths, but for 
instance nginx isn't exposing this setting to administrators. But the 
RFC would most certainly compel them to do so in the future, which is a 
good thing. After all, the cat-photo-admin may continue to use fast and 
insecure ciphers (but still protecting clients and his services from 
script kiddies) and the nice whistleblower from our neighborhood may use 
the best available cipher available.

Rich Salz said that the RFC should stay silent on which crypto to use 
and I agree for above reasons and everything you guys brought up. 
Stating that crypto-X is sufficiently secure is like saying that god is 
for real; maybe it is true but science and research will eventually 
prove the opposite in the future. I stated that (the former not the 
latter, I'd never say such a thing) and made a mistake by doing so. But 
I hope that this message clarifies my intentions and also that some of 
you have an opinion about the actual proposal of mine.

Regards
Richard

On 10/22/2014 6:44 PM, Ryan Carboni wrote:
>
> From: "Richard Fussenegger, BSc"
>
>     [*] Better would be 'from all ciphers in use' otherwise one ends
>     up with
>     a (insert ridiculous high value here) bit key while only using 128 bit
>     ciphers in the configuration. Dropping the key if a new stronger
>     configuration is loaded seems like a good idea to me at this
>     point. I'm
>     looking at this from a performance perspective and glimpsing over
>     to the
>     fact that the cryptography community agrees that 128 bit security will
>     be enough for the next 10 to 20 years.[2] I really can't tell if this
>     would be problematic from an implementation point of view. I think
>     that
>     single hosts won't have a problem here and I guess that it wouldn't be
>     for clusters as well. The cluster configuration should be in sync
>     but it
>     could become a problem if one node has a differing configuration (for
>     whatever reason). What opinion/insights do you have on this?
>
>
>  Quantum computers are reaching 512-qubits now. 
> http://www.bbc.com/news/science-environment-27632140
>
> Quantum cryptography would result in key-sizes effectively being 
> halved, and in 15 to 40 years a quantum computer could potentially be 
> built by a nationstate to enhance known cryptographic attacks and 
> reduce keyspaces substantially.
>
> It's unlikely though that the NSA will devote quantum computing to 
> breaking the encryption of cat videos.
>
> I suggest an advisory that for unauthenticated encryption, 128-bits 
> are used, and for authenticated encryption 256-bits or more are used. 
> The only issue is that browsers tell you the whole page is encrypted 
> the same way even though elements of the page use different sorts of 
> encryption than the body of the page.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email