Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

Henrick Hellström <> Fri, 28 March 2014 01:16 UTC

Date: Fri, 28 Mar 2014 01:56:08 +0100
From: Henrick Hellström <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On 2014-03-28 01:09, Watson Ladd wrote:
> On Thu, Mar 27, 2014 at 8:04 PM, Martin Thomson
> <> wrote:
>> (Renaming the thread, since this is what we seem to be talking about)
>> On 27 March 2014 16:55, Marsh Ray <> wrote:
>>> From: TLS [] On Behalf Of Alyssa Rowan
>>>> Show of hands: who *really* wants to deploy 2048-bit (or above) DHE, when they could have curve25519 instead?
>>> The general consensus at Microsoft is that we like ECDHE much better than the classic DHE.
>> I think that this is the general trend, but is it so bad that you
>> would want to prohibit DHE?
> Well, the DHE handshake has validation issues: implementations aren't
> checking they get sensible inputs.
> Fix that, and maybe you have an argument for keeping it. But as it
> stands now the insecure resumption attacks are exploiting behavior in
> DHE that isn't fixable without a DOS vector being introduced.

Pardon for breaking into the conversation, but isn't the attack outlined here actually stopped by the renegotiation indication extension, contrary to what the author states on the page?

1. At the end of the first handshake, the finished messages of the connections C/A and A/S will be different.

2. The outline of the attack rests on the assumption that A might simply forward the messages during the second handshake, because all parameters are the same, and here the finished messages for C/A and A/S will consequently also be the same. Well, they will be if no renegotiation indication extension is included. If it is, this will however be different for C/A and A/S, and hence result in different finished messages after the second handshake as well.

Am I missing something obvious?
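The two-leg comparison the message reasons about, as an added worked example that is not part of the original post or of any TLS implementation. It models the Finished computation with a simplified stand-in (HMAC over a transcript hash, not the real TLS PRF), represents handshake messages as constructed byte strings, and takes the thread's premise that both legs C/A and A/S end the first handshake with the same master secret. The renegotiation_info contents follow RFC 5746: the extension is empty on an initial handshake of a connection (a resumption on a fresh connection is such an initial handshake) and carries the previous handshake's verify_data only on a renegotiation of the same connection. The `bind_to_previous` flag is an assumption of this model that switches between those two cases so the effect on the second handshake's Finished values can be checked directly.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed model of the TLS Finished computation and the RFC 5746
# renegotiation_info extension. The PRF is replaced by HMAC over a transcript
# hash and the hello messages are plain byte strings; the binding behaviour
# (what goes into the extension and hence into the transcript) is the point.

VERIFY_DATA_LEN = 12  # TLS 1.2 verify_data length


def verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Stand-in for PRF(master_secret, label, Hash(handshake_messages))[0..11]."""
    digest = hashlib.sha256(transcript).digest()
    return hmac.new(master_secret, label + digest, hashlib.sha256).digest()[:VERIFY_DATA_LEN]


def renegotiation_info(prev: Optional[Tuple[bytes, bytes]], is_client: bool) -> bytes:
    """RFC 5746 renegotiated_connection field.

    Initial handshake on a connection: empty on both sides.
    Renegotiation: the client sends client_verify_data of the previous
    handshake, the server sends client_verify_data + server_verify_data.
    """
    if prev is None:
        return b""
    prev_client_vd, prev_server_vd = prev
    return prev_client_vd if is_client else prev_client_vd + prev_server_vd


def handshake(master_secret: bytes, client_random: bytes, server_random: bytes,
              prev: Optional[Tuple[bytes, bytes]] = None) -> Tuple[bytes, bytes]:
    """Run one modelled handshake; return (client_verify_data, server_verify_data).

    `prev` is the verify_data pair of the previous handshake on the *same*
    connection, or None for an initial handshake.
    """
    client_hello = (b"ClientHello|" + client_random +
                    b"|renegotiation_info=" + renegotiation_info(prev, True))
    server_hello = (b"ServerHello|" + server_random +
                    b"|renegotiation_info=" + renegotiation_info(prev, False))
    transcript = client_hello + server_hello
    client_vd = verify_data(master_secret, b"client finished", transcript)
    # The server's Finished also covers the client's Finished message.
    server_vd = verify_data(master_secret, b"server finished", transcript + client_vd)
    return client_vd, server_vd


def two_leg_scenario(bind_to_previous: bool) -> dict:
    """Compare the C/A and A/S legs discussed in the thread.

    Premise from the thread: both legs finish the first handshake with the same
    master secret. The second handshake then uses byte-identical hellos on both
    legs. `bind_to_previous` (an assumption of this model) selects whether the
    second handshake is a renegotiation on the same connection (extension
    carries each leg's own previous verify_data) or an initial handshake on a
    new connection (extension empty on both legs).
    """
    shared_master_secret = b"constructed-master-secret-shared-by-both-legs"
    first_ca = handshake(shared_master_secret, b"client-random-1", b"attacker-random-1")
    first_as = handshake(shared_master_secret, b"attacker-random-2", b"server-random-1")

    prev_ca = first_ca if bind_to_previous else None
    prev_as = first_as if bind_to_previous else None
    second_ca = handshake(shared_master_secret, b"client-random-2", b"server-random-2", prev_ca)
    second_as = handshake(shared_master_secret, b"client-random-2", b"server-random-2", prev_as)

    return {
        "first_finished_differ": first_ca != first_as,
        "second_finished_differ": second_ca != second_as,
    }


if __name__ == "__main__":
    for bind in (False, True):
        print("second handshake bound to previous verify_data:", bind, two_leg_scenario(bind))
```

Running it shows the first handshake's Finished values differ on the two legs regardless of the flag (different randoms enter the transcript), while the second handshake's Finished values are identical on both legs when the extension is empty and differ only when each leg's own previous verify_data is carried in the hellos. Which of the two cases applies to a given second handshake is therefore decided by whether it is a renegotiation on an existing connection or an initial handshake on a new one.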