Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 27 August 2021 13:54 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Filippo Valsorda <filippo@ml.filippo.io>, "tls@ietf.org" <tls@ietf.org>
Date: Fri, 27 Aug 2021 13:54:00 +0000
Message-ID: <EC21C474-0DB1-420A-9631-322E43136C54@ll.mit.edu>
References: <CAOgPGoC4C0bWz0h0iyzGzMPEoDKAPv4euoOkmS+6Uuxncux4Zg@mail.gmail.com> <cc9c9d9f-d6b1-3b93-1231-a9a9c34a7fcd@gmail.com> <67533325-2983-47B7-871C-D90799D09532@ll.mit.edu> <CAOgPGoDAvnFic3VmEsge3i8C2FEfWp74ac_ievtfNo=MQB+C8g@mail.gmail.com> <C8E91D9B-2326-4AAF-9952-69481081E337@ll.mit.edu> <BD109A95-129A-4995-AFCA-FEF10DBD6440@icloud.com> <CAOgPGoBMhhsTupXuWF__zkLuy-4qQhha_Kp1_+ToZrNoaFUsgQ@mail.gmail.com> <13b9e674-9e0b-46aa-b5d6-49798c310d85@www.fastmail.com> <5D5FB49A-7D18-4EC9-B572-BD860479CD5E@ll.mit.edu> <bc91502a-471e-484e-ae5f-d843b703edd6@www.fastmail.com>
In-Reply-To: <bc91502a-471e-484e-ae5f-d843b703edd6@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/h9FKa6jLXxPOd5_5ItoAkKK9Rtg>

Static-ephemeral is not “so unsafe to implement”, not any more than any other mode. It shouldn’t be encouraged, but shouldn’t be killed off either.

This is empirically disproved by a number of vulnerabilities that are exploitable (or near-misses for other reasons) only in ephemeral-static mode, such as CVE-2016-0701, CVE-2016-7055, CVE-2017-3732, CVE-2017-3736, CVE-2017-3738, CVE-2019-1551 just in the past 5 years in OpenSSL, and CVE-2017-8932 and CVE-2021-3114 in Go. https://eprint.iacr.org/2011/633 gives a good explanation of how these attacks work, and you might find https://i.blackhat.com/us-18/Wed-August-8/us-18-Valsorda-Squeezing-A-Key-Through-A-Carry-Bit-wp.pdf interesting as well.

Anyway, we keep going in circles around what deprecation is. In my opinion, an IETF deprecation doesn't "kill off" anything, it just says it's not encouraged, so it sounds like you support deprecation in those terms.

Do we agree on “SHOULD NOT”?


On Sun, Aug 22, 2021 at 9:32 PM Carrick Bartle <cbartle891@icloud.com> wrote:

>   which is a main reason cited for deprecating RSA in draft-aviram-tls-deprecate-obsolete-kex.

 

Have the authors look at Post-Quantum KEMs?

 

I'm not sure why PQ KEMs are relevant here.

 

 

On Aug 17, 2021, at 10:41 AM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

 

>  Regardless of the Raccoon attack, the static DH and ECDH ciphersuites do not provide

>  forward secrecy,

 

Unless you use semi-static exchange, which in many cases makes sense.

 

>   which is a main reason cited for deprecating RSA in draft-aviram-tls-deprecate-obsolete-kex.

 

Have the authors look at Post-Quantum KEMs?

 

>  Do you object to just the citation of the Raccoon attack or do you also feel that we

>  should keep these ciphersuites that do not provide forward secrecy around?

 

I think these suites should stay around.

While static-static indeed do not provide forward secrecy (and many of us – though not everybody! – care for that), static-ephemeral DH and ECDH are perfectly fine from that point of view.


On Fri, Aug 13, 2021 at 10:20 AM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:

I agree with Rene’s points.

 

-- 

Regards,

Uri

 

 

From: TLS <tls-bounces@ietf.org> on behalf of Rene Struik <rstruik.ext@gmail.com>
Date: Friday, August 13, 2021 at 09:58

Dear colleagues:

 

I think this document should absolutely *not* be adopted, without providing far more technical justification. The quoted Raccoon attack is an easy-to-mitigate attack (which has nothing to do with finite field groups, just with poor design choices of postprocessing, where one uses variable-size integer representations for a key). There are also good reasons to have key exchanges where one of the parties has a static key, whether ecc-based or ff-based (e.g., sni, opaque), for which secure implementations are known. No detail is provided and that alone should be sufficient reason to not adopt.

 

Rene

 

On 2021-07-29 5:50 p.m., Joseph Salowey wrote:

This is a working group call for adoption for Deprecating FFDH(E) Ciphersuites in TLS (draft-bartle-tls-deprecate-ffdhe-00). We had a presentation for this draft at the IETF 110 meeting and since it is a similar topic to the key exchange deprecation draft the chairs want to get a sense if the working group wants to adopt this draft (perhaps the drafts could be merged if both move forward). Please review the draft and post your comments to the list by Friday, August 13, 2021.

 

Thanks,

 

The TLS chairs

 

_______________________________________________

TLS mailing list

TLS@ietf.org

https://www.ietf.org/mailman/listinfo/tls

 

-- 

email: rstruik.ext@gmail.com | Skype: rstruik

cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

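Editor's worked example, not part of the thread and not code from OpenSSL, Go or any draft mentioned above. It reproduces, at toy size, the attack class behind CVE-2016-0701 that the exchange above argues about: a server in ephemeral-static mode reuses one DH exponent x, the group prime is not a safe prime, and the server does not validate the client's public value, so an attacker who sends elements of the small subgroups of the group learns x modulo each small factor of p-1 from a handshake oracle (did the Finished MAC verify?), combines the residues with the CRT and finishes the search. All names (make_weak_group, make_safe_prime_group, StaticDHServer, recover_static_exponent, finished_mac) are the example's own; the group parameters are generated at run time, the "Finished" message is a stand-in HMAC over the shared secret, and the sizes are chosen so the whole thing runs in about a second. The same block also shows the validated safe-prime server that defeats it, and its finished_mac comment carries the fixed-width-encoding point from the Raccoon discussion.

```python
import hashlib
import hmac
import random
from math import prod

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23]
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for a in MR_BASES:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_weak_group():
    """Non-safe prime p = M*k + 1, M = 2*3*...*23, k prime; g a primitive root (toy group)."""
    m, k = prod(SMALL_PRIMES), 1001
    while not (is_probable_prime(k) and is_probable_prime(m * k + 1)):
        k += 2
    p = m * k + 1
    g = next(c for c in range(2, p)
             if all(pow(c, (p - 1) // r, p) != 1 for r in SMALL_PRIMES + [k]))
    return p, g, k


def make_safe_prime_group(bits):
    """Safe prime p = 2q + 1; g = 4 has order q; the only small subgroup is {1, p-1}."""
    while True:
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, 4, q


def finished_mac(shared, p):
    """Stand-in key confirmation: the shared secret is encoded at the full width of p
    (as TLS 1.3 does; TLS 1.2 stripped leading zero bytes, the signal Raccoon measures)."""
    key = hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()
    return hmac.new(key, b"client finished", hashlib.sha256).digest()


class StaticDHServer:
    """Ephemeral-static: one exponent x reused for every handshake.
    With q given, the client's public value is validated before it is used."""

    def __init__(self, p, g, q=None):
        self.p, self.g, self.q = p, g, q
        self.x = random.randrange(2, p - 1)
        self.public = pow(g, self.x, p)

    def handshake(self, client_public, client_finished):
        """The attacker's oracle: True iff the client's Finished verifies."""
        if self.q is not None and (not 1 < client_public < self.p - 1
                                   or pow(client_public, self.q, self.p) != 1):
            return False  # out of range, or not in the order-q subgroup
        shared = pow(client_public, self.x, self.p)
        return hmac.compare_digest(finished_mac(shared, self.p), client_finished)


def element_of_order(p, r):
    """A group element of order r (r must divide p-1)."""
    while True:
        h = pow(random.randrange(2, p - 1), (p - 1) // r, p)
        if h != 1:
            return h


def recover_static_exponent(p, g, server_public, small_factors, cofactor, oracle):
    """x mod r from at most r handshakes per small factor r of p-1, CRT-combined,
    then the remaining interval searched. Returns None when every query is rejected."""
    x_mod_m, m = 0, 1
    for r in small_factors:
        h = element_of_order(p, r)  # sent as our public value: server derives h^(x mod r)
        for j in range(r):
            if oracle(h, finished_mac(pow(h, j, p), p)):
                x_mod_m += m * (((j - x_mod_m) * pow(m, -1, r)) % r)  # CRT lift to m*r
                m *= r
                break
        else:
            return None
    for t in range(cofactor):  # brute force here; Pollard kangaroo at real sizes
        if pow(g, x_mod_m + m * t, p) == server_public:
            return x_mod_m + m * t
    return None
```

Run it as `p, g, k = make_weak_group(); victim = StaticDHServer(p, g); recover_static_exponent(p, g, victim.public, SMALL_PRIMES, k, victim.handshake)`, which returns victim.x after at most sum(SMALL_PRIMES) = 100 handshakes plus a search over k candidates. Against `make_safe_prime_group(32)` with the server given q, the only small-subgroup element the attacker can send is p-1, the range check rejects it, and the function returns None. The two independent fixes are visible in the class: not reusing x across handshakes (what SSL_OP_SINGLE_DH_USE turned on) makes the residues refer to different exponents, and validating the peer's value against a known subgroup order makes the oracle useless even when x is reused.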
