Re: [TLS] Another IRINA bug in TLS
Jeffrey Walton <noloader@gmail.com> Thu, 21 May 2015 21:55 UTC
Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 528F31A8AA4 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 14:55:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oBN7ncRaAEer for <tls@ietfa.amsl.com>; Thu, 21 May 2015 14:54:59 -0700 (PDT)
Received: from mail-ie0-x22d.google.com (mail-ie0-x22d.google.com [IPv6:2607:f8b0:4001:c03::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 805671A89A7 for <tls@ietf.org>; Thu, 21 May 2015 14:54:59 -0700 (PDT)
Received: by iepj10 with SMTP id j10so18587166iep.3 for <tls@ietf.org>; Thu, 21 May 2015 14:54:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=gE07isbtZ36tkQYI90YBo4nRKOkQg+DIa4sSx0KalPw=; b=b8a9YYAuLJWHMqX2tmSaQWDELnCtt026GJ3jJOSobNK/SywV7NiBk02JbwsSJ3MaVP 0vGsQA00Ih9FxMIqLdgAfbR0KZ6GbgPrWUhi+73uPwtkbS4J+UDJwb+SjhXucx8cRPtJ HRgvmYq6PK1VRIB18fxR71QRyaXPNtugU0y797SXutt9b5r33IvAde9yNmDQ0f1A4ov4 QcGMOFdFKZKVuPom6CdAFu2uasCD0/cf5xHJNj0HW8DqXT8abzs0btFHyQfU92A0VIOA ltyMnuahvLiQn6NF1Jnm7jRNPCu3dDHOMjEX7LCxh9jSDrXabdLOIZ8Uo1Aqa0MlQFV2 2Qiw==
MIME-Version: 1.0
X-Received: by 10.50.78.100 with SMTP id a4mr1188590igx.34.1432245299009; Thu, 21 May 2015 14:54:59 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Thu, 21 May 2015 14:54:58 -0700 (PDT)
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5DDF130@XMB116CNC.rim.net>
References: <CACsn0ckaML0M_Foq9FXs5LA2dRb1jz+JDX7DUej_ZbuSkUB=tQ@mail.gmail.com> <1432134170.2926.9.camel@redhat.com> <9A043F3CF02CD34C8E74AC1594475C73AB027EED@uxcn10-tdc05.UoA.auckland.ac.nz> <555D90F6.10103@redhat.com> <1432195799.3243.18.camel@redhat.com> <555DBCE6.7080308@redhat.com> <1432206909.3243.45.camel@redhat.com> <555DBF7E.9050807@redhat.com> <1432207863352.27057@microsoft.com> <555DC498.2000109@redhat.com> <1432209104.3243.65.camel@redhat.com> <1432219967072.32353@microsoft.com> <810C31990B57ED40B2062BA10D43FBF5DDDDEB@XMB116CNC.rim.net> <CACsn0c=HuipCG20HGO+uLfBcm+bOEZQFdFdyKWsA1d5D3W0ZCA@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF5DDF130@XMB116CNC.rim.net>
Date: Thu, 21 May 2015 17:54:58 -0400
Message-ID: <CAH8yC8mjvXzFm038bXKJr=cnavJ8JGTV4Cufepvv8fXAXp041w@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/irPVapQKjJ7MjOg4hoOqYIFMlbA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 21:55:01 -0000
On Thu, May 21, 2015 at 4:45 PM, Dan Brown <dbrown@certicom.com> wrote: >> -----Original Message----- >> From: Watson Ladd [mailto:watsonbladd@gmail.com] >> >> On Thu, May 21, 2015 at 12:51 PM, Dan Brown <dbrown@certicom.com> >> wrote: >> > In the Imperfect Forward Secrecy paper, Section 5 Recommendations, the >> > medium term recommendation to avoid fixed-prime DHE groups seems to >> > conflict with the current direction TLS is taking towards named only >> > groups. >> >> Is that *really* what the recommendation says? It's true that using the same >> group repeatedly enables an attacker who does an L(1/3) calculation to >> quickly >> compute all discrete logarithms together. But instead of making >> countermeasures to this, it's far easier to ensure that the price this >> precomputation is large, by using larger groups. > > [DB] That's how I read their medium term recommendation. I agree with them, > and you, that larger groups should be the first defense (they call it short > term). I guess that by "medium term", they mean to apply it in addition to > the short term, perhaps at a later date. I think such countermeasures should > be optional. I think the authors felt the same. But in Section 4 of the paper, they said: In this section we address the following question: how secure is Diffie-Hellman in broader practice, as used in other protocols that do not suffer from downgrade, and when applied with stronger groups? To answer this question we must first examine how the number field sieve for discrete log scales to 768- and 1024-bit... Unfortunately, our measurements also indicate that it may be very difficult to sunset the use of fixed 1024-bit Diffie- Hellman groups that have long been embedded in standards and implementations. I think they are politely saying standard groups should do away with anything at 1024-bits or below.
- [TLS] Another IRINA bug in TLS Watson Ladd
- Re: [TLS] Another IRINA bug in TLS Tom Ritter
- Re: [TLS] Another IRINA bug in TLS Ilari Liusvaara
- Re: [TLS] Another IRINA bug in TLS Nikos Mavrogiannopoulos
- Re: [TLS] Another IRINA bug in TLS Aaron Zauner
- Re: [TLS] Another IRINA bug in TLS Nikos Mavrogiannopoulos
- Re: [TLS] Another IRINA bug in TLS Watson Ladd
- Re: [TLS] Another IRINA bug in TLS Salz, Rich
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Martin Rex
- Re: [TLS] Another IRINA bug in TLS Peter Gutmann
- Re: [TLS] Another IRINA bug in TLS Nikos Mavrogiannopoulos
- Re: [TLS] Another IRINA bug in TLS Nikos Mavrogiannopoulos
- Re: [TLS] Another IRINA bug in TLS Yuhong Bao
- Re: [TLS] Another IRINA bug in TLS Karthikeyan Bhargavan
- Re: [TLS] Another IRINA bug in TLS Florian Weimer
- Re: [TLS] Another IRINA bug in TLS Nikos Mavrogiannopoulos
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Peter Gutmann
- Re: [TLS] Another IRINA bug in TLS Yngve N. Pettersen
- Re: [TLS] Another IRINA bug in TLS Peter Gutmann
- Re: [TLS] Another IRINA bug in TLS Yoav Nir
- Re: [TLS] Another IRINA bug in TLS Antoine Delignat-Lavaud
- Re: [TLS] Another IRINA bug in TLS Florian Weimer
- Re: [TLS] Another IRINA bug in TLS Nikos Mavrogiannopoulos
- Re: [TLS] Another IRINA bug in TLS Florian Weimer
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Florian Weimer
- Re: [TLS] Another IRINA bug in TLS Nikos Mavrogiannopoulos
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Aaron Zauner
- Re: [TLS] Another IRINA bug in TLS Aaron Zauner
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Nikos Mavrogiannopoulos
- Re: [TLS] Another IRINA bug in TLS Dave Garrett
- Re: [TLS] Another IRINA bug in TLS Aaron Zauner
- Re: [TLS] Another IRINA bug in TLS Watson Ladd
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Dan Brown
- Re: [TLS] Another IRINA bug in TLS Watson Ladd
- Re: [TLS] Another IRINA bug in TLS Dan Brown
- Re: [TLS] Another IRINA bug in TLS Jeffrey Walton
- Re: [TLS] Another IRINA bug in TLS Nico Williams
- Re: [TLS] Another IRINA bug in TLS Peter Gutmann
- Re: [TLS] Another IRINA bug in TLS Jeffrey Walton
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Kurt Roeckx
- Re: [TLS] Another IRINA bug in TLS Karthikeyan Bhargavan
- Re: [TLS] Another INRIA bug in TLS Daniel Kahn Gillmor
- Re: [TLS] Another INRIA bug in TLS Andrei Popov
- Re: [TLS] Another INRIA bug in TLS Martin Thomson
- Re: [TLS] Another INRIA bug in TLS Martin Thomson
- Re: [TLS] Another IRINA bug in TLS Tony Arcieri
- Re: [TLS] Another INRIA bug in TLS Jeffrey Walton
- Re: [TLS] Another INRIA bug in TLS Tanja Lange
- Re: [TLS] Another IRINA bug in TLS Tanja Lange
- Re: [TLS] Another INRIA bug in TLS Andrey Jivsov
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another INRIA bug in TLS Martin Thomson
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another INRIA bug in TLS Karthikeyan Bhargavan
- Re: [TLS] Another IRINA bug in TLS Kurt Roeckx
- Re: [TLS] Another IRINA bug in TLS Kurt Roeckx
- Re: [TLS] Another INRIA bug in TLS Stephen Farrell
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another INRIA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Watson Ladd
- Re: [TLS] Another IRINA bug in TLS Jeffrey Walton
- Re: [TLS] Another IRINA bug in TLS Watson Ladd
- Re: [TLS] Another IRINA bug in TLS Peter Gutmann
- Re: [TLS] Another IRINA bug in TLS Karthikeyan Bhargavan
- Re: [TLS] Another IRINA bug in TLS Peter Gutmann
- Re: [TLS] Another IRINA bug in TLS Tanja Lange
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Peter Gutmann
- Re: [TLS] Another IRINA bug in TLS Santiago Zanella-Beguelin
- Re: [TLS] Another IRINA bug in TLS Andrey Jivsov
- Re: [TLS] Another IRINA bug in TLS Hubert Kario
- Re: [TLS] Another IRINA bug in TLS Hubert Kario
- Re: [TLS] Another IRINA bug in TLS Karthikeyan Bhargavan
- Re: [TLS] Another IRINA bug in TLS Karthikeyan Bhargavan
- Re: [TLS] Another IRINA bug in TLS Hubert Kario
- Re: [TLS] Another IRINA bug in TLS Daniel Kahn Gillmor
- Re: [TLS] Another IRINA bug in TLS Jeffrey Walton
- Re: [TLS] Another IRINA bug in TLS Andrei Popov
- Re: [TLS] Another IRINA bug in TLS Nico Williams
- Re: [TLS] Another INRIA bug in TLS Nico Williams