Re: [TLS] security levels for TLS
Eric Rescorla <ekr@networkresonance.com> Sat, 13 October 2007 00:41 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgV4f-0004mM-8x; Fri, 12 Oct 2007 20:41:49 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IgV4e-0004m5-F0 for tls-confirm+ok@megatron.ietf.org; Fri, 12 Oct 2007 20:41:48 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgV4e-0004ll-4C for tls@lists.ietf.org; Fri, 12 Oct 2007 20:41:48 -0400
Received: from [209.213.211.195] (helo=delta.rtfm.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IgV4d-0007qw-MV for tls@lists.ietf.org; Fri, 12 Oct 2007 20:41:48 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id E4C6D33C21; Fri, 12 Oct 2007 17:37:37 -0700 (PDT)
Date: Fri, 12 Oct 2007 17:37:37 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] security levels for TLS
In-Reply-To: <47100EE5.9070103@pobox.com>
References: <20071010180324.7ABC533C21@delta.rtfm.com> <470E4399.3010008@pobox.com> <20071011155829.965C733C28@delta.rtfm.com> <470EF76B.5050102@pobox.com> <20071012045718.DE16033C21@delta.rtfm.com> <470FB525.7010308@pobox.com> <20071012180445.1D22D33C21@delta.rtfm.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]> <470FEA1F.7030500@pobox.com> <20071012215901.GR24532@Sun.COM> <47100EE5.9070103@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20071013003737.E4C6D33C21@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
At Fri, 12 Oct 2007 17:18:45 -0700, Mike wrote: > >> - knowing exactly what the client is looking for helps the > >> server select the appropriate cipher suite without the need > >> for the client to renegotiate the connection; for example, > >> if the server only supports 1024-bit DH parameters, and the > >> client asks for 1536-bit, the server can skip past the DHE_* > >> cipher suites and select maybe an RSA-based cipher suite > >> that the client would accept > > > > The server and client already know how to negotiate properly. > > No, they don't. If a server sees a DHE_* cipher suite in the > ClientHello, but doesn't know that the client wants 1536-bit > (or larger) parameters, it may select it, even though it only > has 1024-bit parameters. The client would have to renegotiate > the session without including the DHE cipher suites, which is > an avoidable waste of computing resources. Look, this scenario is basically bogus now, and I suspect in the future. Nearly all servers have 1024-bit RSA keys signed by 1024-bit RSA CA keys. If they have DHE, then that's 1024-bit too. If the client wants 1536-bit anything, it's SOL, and neither asking for it in its ClientHello nor dropping DHE from its cipher suites and reconnecting will help. And even if the server *did* have multiple DHE groups, why would it be OK from the client's perspective to have those authenticated with a long-term 1024-bit RSA key? That's part of what people have been trying to tell you about absolute security levels. Now, one could certainly argue that in the future servers may have a variety of ephemeral DH parameters, but they're going to in general want to use the weakest one that's acceptable to them. Either this extension is mandatory to comply with (like ECC groups), in which case the client basically can't set it above 1024 or he won't be able to talk to most servers, or it's optional, in which case I would expect servers to ignore it, since it will reduce their performance and if they wanted stronger keys they would just use them. -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Yngve Nysaeter Pettersen
- Re: [TLS] security levels for TLS Paul Hoffman
- RE: [TLS] security levels for TLS Kemp, David P.
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Steven M. Bellovin
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Paul Hoffman
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Paul Hoffman