Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

Andrei Popov <Andrei.Popov@microsoft.com> Fri, 28 March 2014 19:03 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Marsh Ray <maray@microsoft.com>, Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 28 Mar 2014 19:03:25 +0000
Message-ID: <368f5b8e9f9b49d1b8b1e2600a1b8a49@BL2PR03MB419.namprd03.prod.outlook.com>
References: <CABkgnnX=KM4YVf1+znp_HS+Pu6DSw64q1adDC4EOPqRLuTDZKQ@mail.gmail.com> <31dba3a928d145c6835d4bbcfa603354@BY2PR03MB074.namprd03.prod.outlook.com> <5335785F.2070104@fifthhorseman.net>
In-Reply-To: <5335785F.2070104@fifthhorseman.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/enUL1ww3Ct8HGhuSrdp-PFCNqgg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

> did SChannel ever support classic DHE with RSA authentication?

"Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update spring 2014" adds a couple of DHE_RSA cipher suites:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Without this update, schannel supports DHE_DSS (admittedly, not the most widely used auth).

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Daniel Kahn Gillmor
Sent: Friday, March 28, 2014 6:26 AM
To: Marsh Ray; Martin Thomson
Cc: tls@ietf.org
Subject: Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

On 03/27/2014 08:17 PM, Marsh Ray wrote:
> From: Martin Thomson [mailto:martin.thomson@gmail.com]
>>
>> On 27 March 2014 16:55, Marsh Ray <maray@microsoft.com> wrote:
>>> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Alyssa Rowan
>>>>
>>>> Show of hands: who *really* wants to deploy 2048-bit (or above) DHE, when they could have curve25519 instead?
>>>
>>> The general consensus at Microsoft is that we like ECDHE much better than the classic DHE.
>>
>> I think that this is the general trend, but is it so bad that you would want to prohibit DHE?
> 
> Historically we have opted to provide ECDHE *in place of* classic DHE.

did SChannel ever support classic DHE with RSA authentication?

 http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx

suggests that XP and win2003 (which, afaict, were what immediately preceded vista) do not have DHE.  So it looks like ECDHE was just added, but "classic DHE" wasn't in SChannel in the first place, which doesn't sound like ECDHE is "in place of" DHE to me.

or am i misreading the documentation?

	--dkg