Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 01 August 2021 19:11 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02F3F3A0755 for <tls@ietfa.amsl.com>; Sun, 1 Aug 2021 12:11:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8_ZFAMb_QH3d for <tls@ietfa.amsl.com>; Sun, 1 Aug 2021 12:11:04 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 948713A0746 for <tls@ietf.org>; Sun, 1 Aug 2021 12:11:04 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 18E8AC272F; Sun, 1 Aug 2021 15:11:03 -0400 (EDT)
Date: Sun, 1 Aug 2021 15:11:03 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <YQbxx3tLAr07Aus/@straasha.imrryr.org>
Reply-To: tls@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <SY4PR01MB625105EC510E42D398BE0467EEEE9@SY4PR01MB6251.ausprd01.prod.outlook.com> <CABiKAoR5U2i4izZmaWYyRXP5PbrAvRuQUAwAJTm+YbLBeO+T5g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ips72eGsnhWi9AXBWQ-DpF-68ig>
Subject: Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Aug 2021 19:11:09 -0000

On Sun, Aug 01, 2021 at 02:27:22PM +0300, Nimrod Aviram wrote:

> Looks like we have consensus for the following:

IIRC we're not looking for consensus on the substance of the draft at
this point, this just a WG adoption call.  So the issues below do not
need to be resolved at this time...  We just happen to be taking the
opportunity to discuss them...

> - Clients may choose to not support FFDHE, a la Chrome. I don't see
>   consensus for full deprecation of FFDHE, please correct me if I'm wrong.
> - Clients must not connect when the server uses a group of less than 2048 bits.
> - Clients may connect when the server uses a well-known, safe prime group
>   of at least 2048 bits (well-known might mean "from RFC 7919 plus the
>   built-in Postfix group", or other reasonable definitions).
> - Clients may connect when the server uses a custom safe prime group of at
>   least 2048 bits, if the client verifies that the prime is safe.
> 
> The only point where we don't have consensus seems to be:
> - For clients who choose to support FFDHE, when the server uses a custom
>   group of at least 2048 bits, and the client isn't willing to check
>   safe-primality, what should the client do?

And so, with confirmation from Peter Gutmann below that any custom
groups we're likely to encounter are almost certainly safe (given a
sufficiently large prime), I see no need to do anything beyond:

    - Client should set a floor on the FFDHE group size that is appropriate
      for its application ecosystem.  Typically 2048, in ecosystems where
      smaller groups are sufficiently rare to non-existent.

    - A few specific, previously recommended, "standard" groups might now be
      explicitly refused.

    - Given that neither of the above can be negotiated in TLS 1.2, some
      clients and servers might choose to drop support for FFDHE either
      in TLS 1.2 or across the board.

I don't see a realistic scenario in which sufficiently large ad-hoc
server DH parameters are a problem.  Only some specific "standard"
groups (from outdated informational RFCs, ...) of suspect provenance
might reasonably be blacklisted.

On Sun, Aug 01, 2021 at 11:42:22AM +0000, Peter Gutmann wrote:
> Viktor Dukhovni <ietf-dane@dukhovni.org> writes:
> 
> >OK, who goes around bothering to actually generate custom DH parameters, and
> >with what tools, but then does not use a "strong" (Sophie Germain) prime?
> 
> That's better :-).  That was my thought too, every DH/DLP keygen I've seen
> generates either Sophie Germain or FIPS 186 primes/parameters, so on the off
> chance that your server feels like generating custom primes you'd need to go
> out of your way to generate unsuitable ones, i.e. you'd probably need to write
> custom code specifically for bad prime generation, and if you're going to do
> that then all bets are off anyway.

-- 
    Viktor.