Re: [TLS] security levels for TLS

Eric Rescorla <ekr@networkresonance.com> Sat, 13 October 2007 00:41 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgV4f-0004mM-8x; Fri, 12 Oct 2007 20:41:49 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IgV4e-0004m5-F0 for tls-confirm+ok@megatron.ietf.org; Fri, 12 Oct 2007 20:41:48 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgV4e-0004ll-4C for tls@lists.ietf.org; Fri, 12 Oct 2007 20:41:48 -0400
Received: from [209.213.211.195] (helo=delta.rtfm.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IgV4d-0007qw-MV for tls@lists.ietf.org; Fri, 12 Oct 2007 20:41:48 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id E4C6D33C21; Fri, 12 Oct 2007 17:37:37 -0700 (PDT)
Date: Fri, 12 Oct 2007 17:37:37 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] security levels for TLS
In-Reply-To: <47100EE5.9070103@pobox.com>
References: <20071010180324.7ABC533C21@delta.rtfm.com> <470E4399.3010008@pobox.com> <20071011155829.965C733C28@delta.rtfm.com> <470EF76B.5050102@pobox.com> <20071012045718.DE16033C21@delta.rtfm.com> <470FB525.7010308@pobox.com> <20071012180445.1D22D33C21@delta.rtfm.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]> <470FEA1F.7030500@pobox.com> <20071012215901.GR24532@Sun.COM> <47100EE5.9070103@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20071013003737.E4C6D33C21@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

At Fri, 12 Oct 2007 17:18:45 -0700,
Mike wrote:
> >>   - knowing exactly what the client is looking for helps the
> >>     server select the appropriate cipher suite without the need
> >>     for the client to renegotiate the connection; for example,
> >>     if the server only supports 1024-bit DH parameters, and the
> >>     client asks for 1536-bit, the server can skip past the DHE_*
> >>     cipher suites and select maybe an RSA-based cipher suite
> >>     that the client would accept
> > 
> > The server and client already know how to negotiate properly.
> 
> No, they don't.  If a server sees a DHE_* cipher suite in the
> ClientHello, but doesn't know that the client wants 1536-bit
> (or larger) parameters, it may select it, even though it only
> has 1024-bit parameters.  The client would have to renegotiate
> the session without including the DHE cipher suites, which is
> an avoidable waste of computing resources.

Look, this scenario is basically bogus now, and I suspect
in the future.

Nearly all servers have 1024-bit RSA keys signed by 1024-bit
RSA CA keys. If they have DHE, then that's 1024-bit too.
If the client wants 1536-bit anything, it's SOL, and neither
asking for it in its ClientHello nor dropping DHE from its
cipher suites and reconnecting will help. And even if the
server *did* have multiple DHE groups, why would it be
OK from the client's perspective to have those authenticated
with a long-term 1024-bit RSA key? That's part of what 
people have been trying to tell you about absolute security
levels.

Now, one could certainly argue that in the future servers
may have a variety of ephemeral DH parameters, but they're
going to in general want to use the weakest one that's
acceptable to them. Either this extension is mandatory
to comply with (like ECC groups), in which case the client
basically can't set it above 1024 or he won't be able to
talk to most servers, or it's optional, in which case
I would expect servers to ignore it, since it will reduce
their performance and if they wanted stronger keys they
would just use them.

-Ekr



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls