Re: [TLS] Another IRINA bug in TLS

Jeffrey Walton <noloader@gmail.com> Thu, 21 May 2015 21:55 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 528F31A8AA4 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 14:55:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oBN7ncRaAEer for <tls@ietfa.amsl.com>; Thu, 21 May 2015 14:54:59 -0700 (PDT)
Received: from mail-ie0-x22d.google.com (mail-ie0-x22d.google.com [IPv6:2607:f8b0:4001:c03::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 805671A89A7 for <tls@ietf.org>; Thu, 21 May 2015 14:54:59 -0700 (PDT)
Received: by iepj10 with SMTP id j10so18587166iep.3 for <tls@ietf.org>; Thu, 21 May 2015 14:54:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=gE07isbtZ36tkQYI90YBo4nRKOkQg+DIa4sSx0KalPw=; b=b8a9YYAuLJWHMqX2tmSaQWDELnCtt026GJ3jJOSobNK/SywV7NiBk02JbwsSJ3MaVP 0vGsQA00Ih9FxMIqLdgAfbR0KZ6GbgPrWUhi+73uPwtkbS4J+UDJwb+SjhXucx8cRPtJ HRgvmYq6PK1VRIB18fxR71QRyaXPNtugU0y797SXutt9b5r33IvAde9yNmDQ0f1A4ov4 QcGMOFdFKZKVuPom6CdAFu2uasCD0/cf5xHJNj0HW8DqXT8abzs0btFHyQfU92A0VIOA ltyMnuahvLiQn6NF1Jnm7jRNPCu3dDHOMjEX7LCxh9jSDrXabdLOIZ8Uo1Aqa0MlQFV2 2Qiw==
MIME-Version: 1.0
X-Received: by 10.50.78.100 with SMTP id a4mr1188590igx.34.1432245299009; Thu, 21 May 2015 14:54:59 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Thu, 21 May 2015 14:54:58 -0700 (PDT)
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5DDF130@XMB116CNC.rim.net>
References: <CACsn0ckaML0M_Foq9FXs5LA2dRb1jz+JDX7DUej_ZbuSkUB=tQ@mail.gmail.com> <1432134170.2926.9.camel@redhat.com> <9A043F3CF02CD34C8E74AC1594475C73AB027EED@uxcn10-tdc05.UoA.auckland.ac.nz> <555D90F6.10103@redhat.com> <1432195799.3243.18.camel@redhat.com> <555DBCE6.7080308@redhat.com> <1432206909.3243.45.camel@redhat.com> <555DBF7E.9050807@redhat.com> <1432207863352.27057@microsoft.com> <555DC498.2000109@redhat.com> <1432209104.3243.65.camel@redhat.com> <1432219967072.32353@microsoft.com> <810C31990B57ED40B2062BA10D43FBF5DDDDEB@XMB116CNC.rim.net> <CACsn0c=HuipCG20HGO+uLfBcm+bOEZQFdFdyKWsA1d5D3W0ZCA@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF5DDF130@XMB116CNC.rim.net>
Date: Thu, 21 May 2015 17:54:58 -0400
Message-ID: <CAH8yC8mjvXzFm038bXKJr=cnavJ8JGTV4Cufepvv8fXAXp041w@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/irPVapQKjJ7MjOg4hoOqYIFMlbA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 21:55:01 -0000

On Thu, May 21, 2015 at 4:45 PM, Dan Brown <dbrown@certicom.com>; wrote:
>> -----Original Message-----
>> From: Watson Ladd [mailto:watsonbladd@gmail.com]
>>
>> On Thu, May 21, 2015 at 12:51 PM, Dan Brown <dbrown@certicom.com>;
>> wrote:
>> > In the Imperfect Forward Secrecy paper, Section 5 Recommendations, the
>> > medium term recommendation to avoid fixed-prime DHE groups seems to
>> > conflict with the current direction TLS is taking towards named only
>> > groups.
>>
>> Is that *really* what the recommendation says? It's true that using the same
>> group repeatedly enables an attacker who does an L(1/3) calculation to
>> quickly
>> compute all discrete logarithms together. But instead of making
>> countermeasures to this, it's far easier to ensure that the price this
>> precomputation is large, by using larger groups.
>
> [DB] That's how I read their medium term recommendation.  I agree with them,
> and you, that larger groups should be the first defense (they call it short
> term).  I guess that by "medium term", they mean to apply it in addition to
> the short term, perhaps at a later date.  I think such countermeasures should
> be optional.

I think the authors felt the same. But in Section 4 of the paper, they said:

    In this section we address the following
    question: how secure is Diffie-Hellman in broader practice,
    as used in other protocols that do not suffer from downgrade,
    and when applied with stronger groups?

    To answer this question we must first examine how the
    number field sieve for discrete log scales to 768- and 1024-bit...

    Unfortunately, our measurements also indicate that it
    may be very difficult to sunset the use of fixed 1024-bit Diffie-
    Hellman groups that have long been embedded in standards
    and implementations.

I think they are politely saying standard groups should do away with
anything at 1024-bits or below.