Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 27 October 2014 18:22 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AA761A9044 for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 11:22:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f4-cctzExbiW for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 11:22:37 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id F20A01A8EA9 for <tls@ietf.org>; Mon, 27 Oct 2014 11:21:01 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 975F5F984 for <tls@ietf.org>; Mon, 27 Oct 2014 14:20:56 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id ECC50258FB; Mon, 27 Oct 2014 14:20:46 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: tls@ietf.org
In-Reply-To: <544E2E5D.4000805@streamsec.se>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <544C1BC3.5060204@streamsec.se> <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com> <544E0682.30804@streamsec.se> <1414405551.2543.8.camel@dhcp-2-127.brq.redhat.com> <544E254A.3020501@streamsec.se> <1414408020.2543.13.camel@dhcp-2-127.brq.redhat.com> <544E2E5D.4000805@streamsec.se>
User-Agent: Notmuch/0.18.1 (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu)
Date: Mon, 27 Oct 2014 14:20:43 -0400
Message-ID: <874mupwf0k.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/fjo3iueH9lLkQXoP4HxFj9uv4D8
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 18:22:43 -0000
On Mon 2014-10-27 07:37:01 -0400, Henrick Hellström wrote: > It does however strike me as odd that, as a consequence, a named FFDHE > compatible server, would still be allowed to negotiate DHE cipher suites > with legacy clients that do not even implement RFC 4492, but not with > legacy clients that implement DHE in the exact same way, but also > support a few weak elliptic curves. hm, yes, i agree that this is a bad outcome, and as of -02 that does appear to be the consequence of the draft. Thanks for pointing this out, Henrick. To be clear, i think the problem is: * a compatible server might see a client send a DHE ciphersuite and the NamedCurves extension, but with at least one identified NamedCurve that the server doesn't know. * In this case, the server cannot distinguish the following two peers: A) the client implements this draft, but only implements an unusual FFDHE that the server has never heard of. B) the client does not implement with this draft and happens to implement an elliptic curve that the server has never heard of. * The right logic here is that the server SHOULD NOT select DHE for client A, but MAY select DHE for client B, as when interoperating with any other legacy client implementation. But the server can't distinguish between these cases. I think there needs to be explicit signalling from the client that it understands known FFDHE groups, so that a server can distinguish between these cases. I see three ways to achieve this goal: 0) reintroduce an explicit (contentless) ClientHello extension that means "i understand FFDHE named groups" 1) allocate a single codepoint in the named groups registry that means "i understand FFDHE named groups" but is not a negotiable group 2) carve out a range of codepoints in the named groups registry that will be used only for FFDHE named groups (and no other codepoints in that registry will have FFDHE). This way, servers can recognize a named FFDHE group, even if they don't know what it is. (0) seems like a simple approach, though it introduces a bit of redundancy that could cause weirdness -- what does it mean if the ClientHello extension is not present, but an FFDHE group exists in the NamedCurves extension, for example? (1) smells a lot like the SCSV approach we've been trying (and failing) to avoid using in other contexts, though it happens in NamedCurves, instead of in the ciphersuite list. I'd really rather avoid this kind of hackery. (2) seems like it might be the simplest approach. For example, if the value is within [256,287]) then the NamedCurve is FFDHE. This wouldn't be the first time that an IANA registry had range registration procedures like this, see e.g. ARP Hardware Types: https://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml#arp-parameters-2 It does place a smaller permanent cap on the number of FFDHE groups we might ever name, but i don't think a limit of 32 FFDHE groups (as in the proposed range above) is particularly troubling. I expect we want fewer, stronger groups, not more. Any thoughts or preferences? --dkg
- [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dh… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Manuel Pégourié-Gonnard
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Stephen Checkoway
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Hubert Kario