IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Stephen Checkoway <s@pahtak.org> Fri, 24 October 2014 22:44 UTC

Return-Path: <s@pahtak.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7196A1A19FE for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 15:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_72=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wWLrQoSo0zZT for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 15:44:07 -0700 (PDT)
Received: from mail-qg0-f52.google.com (mail-qg0-f52.google.com [209.85.192.52]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 337AC1A1A24 for <tls@ietf.org>; Fri, 24 Oct 2014 15:44:07 -0700 (PDT)
Received: by mail-qg0-f52.google.com with SMTP id q108so1678721qgd.25 for <tls@ietf.org>; Fri, 24 Oct 2014 15:44:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:content-transfer-encoding:message-id:references:to; bh=8GY4lI4ejZYVrUBWJVbqjF1SCrjA4TG2Tcg8lWXJvrA=; b=D0m9m5Ji9xj2dMOmUDaGLUTceC8TBm+OAEyZzSyyOj4Mkta47bjjC1toCvNXCW3xeq RN2MKJPvc0gvdYfrHkLlR16EOxIaU56LWr0W4bbh/ZsApvrJI65+EjRO7ui7NS9JX1MY O0sH/X9MDuQyochrSb5SyXRyqpO54xhLyPEC0Wuvrq8TCWoJOBlYb6mR9e+dA9ZdoUB3 tY7cvSz+V6bmaOr/4yoywBpNnawXgO7LFNdUX19TMlig2GedD4WeWT66H7CtoFYf/5vd 0wn6DwpBq9H2EoqyzZFp5OhPrIvEdD1TBZoqwTuMuFrUSSTbtHQUJVgVS0HBZ6DzBYK3 lJpA==
X-Gm-Message-State: ALoCoQleWzKwNV2hO/C1JXh4xpb8wnH5ov4N2JFT9y0xbq3kpfJErG6YFTFEBRPil+U44kMQeOtE
X-Received: by 10.224.79.146 with SMTP id p18mr10018021qak.67.1414190646334; Fri, 24 Oct 2014 15:44:06 -0700 (PDT)
Received: from zbox.pahtak.org (c-68-48-196-126.hsd1.md.comcast.net. [68.48.196.126]) by mx.google.com with ESMTPSA id n46sm5278546qgn.9.2014.10.24.15.44.04 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 24 Oct 2014 15:44:05 -0700 (PDT)
Received: from mba.hsd1.md.comcast.net (router [192.168.1.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by zbox.pahtak.org (Postfix) with ESMTPSA id 64AB9AC28CC for <tls@ietf.org>; Fri, 24 Oct 2014 18:44:03 -0400 (EDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Stephen Checkoway <s@pahtak.org>
In-Reply-To: <544ABF21.6030005@akr.io>
Date: Fri, 24 Oct 2014 18:44:03 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <257004DB-5165-43AF-9A62-9D3D981E6599@pahtak.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9D77B4@uxcn10-5.UoA.auckland.ac.nz> <544ABF21.6030005@akr.io>
To: "tls@ietf.org" <tls@ietf.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/eopNPKJ0LRMd9CBYLmYmtYaCpeY
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 22:44:09 -0000

The arguments against including small groups seem clear:

1. New things shouldn't be using small groups.
2. Old things that can't/won't be updated _won't be updated_ no matter what a new RFC says.
3. This doesn't prohibit arbitrary groups so anything that needs to keep using small groups can keep using small groups.

The argument for including small groups seems to be (and correct me if I've missed something):

Old things can't/won't be updated except for (maybe) small tweaks and this extension is a small tweak that would enable these devices to keep doing what they're already doing: using small groups.

Particularly in light of 3, I don't find the argument for including them compelling.

S

On Oct 24, 2014, at 5:05 PM, Alyssa Rowan <akr@akr.io> wrote:

> Signed PGP part
> On 24/10/2014 15:55, Peter Gutmann wrote:
> 
> > Re-doing the crypto to implement and support ECC may happen in five
> >  to ten years, if there's enough code space in the flash.
> 
> So, you want to use 768-bit groups… for five to ten years… yeah, I'm
> not too comfortable with that.
> 
> >> No, it's blessing them even to list them. People will probably
> >> implement what we specify.
> > So put in a note saying that use isn't recommended.
> 
> …or, you could not put it in.
> 
> Intentionally specifying something new, in a security-oriented RFC,
> that by the way you absolutely shouldn't use because it's insecure,
> seems a bit reckless to me.
> 
> > ("it works, don't touch it any more").
> 
> I think we really ought to be getting rid of skeletons in the closet,
> not adding new ones - despite Hallowe'en being next week, and that
> phrase being appropriately spine-chilling! ;)
> 
> (BTW: Lost, embedded devices; too small to use a 2048-bit group for…
> some reason? RAM?; yet negotiate (768|1024|1536) DHE…
> 
> …wild guess here: RSA key signing this exchange is totally
> minty-fresh? …and actually checked? With something that isn't MD5? And
> the DHE keys aren't generated with 2 bits of entropy and a potato
> because the $2.50 intern lunch budget didn't cover an RNG? <g>)
> 
> >> 768 and 1024 are crackable today by any reasonably well-funded
> >> adversary with access to a chip fab, as you well know;
> > ... who probably won't be using that capability to attack a power
> > meter, or a flow monitor
> 
> …or a centrifuge? ¬_¬
> 
> SCADA security - or lack thereof - is a very big problem. I don't
> agree that specifying groups for future use that we _know_ are too
> small, helps do anything but make it worse.
> 
> --
> /akr
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

-- 
Stephen Checkoway

v2.23.0 | Report a Bug | By Email