Re: [TLS] I-D Action: draft-ietf-tls-deprecate-obsolete-kex-03.txt
Hubert Kario <hkario@redhat.com> Thu, 28 September 2023 16:33 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5204C16952A for <tls@ietfa.amsl.com>; Thu, 28 Sep 2023 09:33:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SjLAy4sCDnEn for <tls@ietfa.amsl.com>; Thu, 28 Sep 2023 09:33:10 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EC54C169534 for <tls@ietf.org>; Thu, 28 Sep 2023 09:32:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1695918767; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=n7XazeAgxkwoazWPaz50XijyvR1xVQE4Dy7oS/jLQHo=; b=b43TBZAUqWuG+dk6tLKOcJjEgEGzxJ64c4272Xq+t7oZvxTRnWPZaMWtmRPNBbUycYikqG 8IWLOqaHVw8eDGpVP/OOZBnfoPt2kr8yfqx/VV2/e8F2tWFPEOWV9IrLahBHehyua0ne/H Hpt94X1UISj3ZMoBQsR/f12h3BrvkmQ=
Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com [209.85.221.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-609-yW3HbLaxN-iwVht4dO_KNA-1; Thu, 28 Sep 2023 12:32:46 -0400
X-MC-Unique: yW3HbLaxN-iwVht4dO_KNA-1
Received: by mail-wr1-f71.google.com with SMTP id ffacd0b85a97d-3233a13b47eso4163302f8f.1 for <tls@ietf.org>; Thu, 28 Sep 2023 09:32:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695918765; x=1696523565; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=QDNLvNtN6zHIWk5CWw+qr1jGukpo04qRMwi3itnabQg=; b=QuxKn9sy1s2WF7B9OholgpeIm2eT4PfiCRXV01HxdDLr0wZ7GzXrThlYHv/5hypRXd RRQqW0qGGZPayuNI4sp5vVwtaEs2xYn9+vVt4DyqmyotOUSsRWZyikeWGKyupHz7YgqX 4blvhdAjZb2iXkNBAQNYUiS9+Xv47OsHcas140Xe30yZBYMEK/CMHSYftwQ/V89N/PC9 T+E/Xi4cLvmCgNMcfcxC2bH/KLH4OlqhHerZ62Fch/KMK7Bx8TnMZWwCE1uNdzK0JD67 S1T1lKpdNZhGItoMRNRAMhonnakiMezVVUkCT6/1SNUtvlkb2+tauf9bWrRCwL5259vu esNg==
X-Gm-Message-State: AOJu0YwrC/LiiA8gVAwf1zrGm3cu40o3xVQC3I0MupS5P31hrV4AdvJk 2+h0Fujz5JYhfqLktmdclvYbuiverZhK9hOAhZszOnJohQ0g/XlQc6iVoNQvmGmI4cy+xfLpIC2 Q8vCa7pbOih0=
X-Received: by 2002:a5d:6683:0:b0:317:6a7c:6e07 with SMTP id l3-20020a5d6683000000b003176a7c6e07mr1568149wru.32.1695918764933; Thu, 28 Sep 2023 09:32:44 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGT/s7zw39YGqnIpwDYJO+rHWmcXJiAMqZvJoECzgCtNnxF2BOMLK9J1VyzO96h3b3/fiYMiQ==
X-Received: by 2002:a5d:6683:0:b0:317:6a7c:6e07 with SMTP id l3-20020a5d6683000000b003176a7c6e07mr1568133wru.32.1695918764579; Thu, 28 Sep 2023 09:32:44 -0700 (PDT)
Received: from localhost (ip-94-112-165-231.bb.vodafone.cz. [94.112.165.231]) by smtp.gmail.com with ESMTPSA id o5-20020a50c905000000b0053448f23b33sm2673375edh.93.2023.09.28.09.32.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Sep 2023 09:32:44 -0700 (PDT)
From: Hubert Kario <hkario@redhat.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Thomas Fossati <thomas.fossati@linaro.org>, tls@ietf.org
Date: Thu, 28 Sep 2023 18:32:43 +0200
MIME-Version: 1.0
Message-ID: <dd33c4cd-6aca-47bb-afaa-a32cb9875819@redhat.com>
In-Reply-To: <SY4PR01MB62516C1C9ACF8DFF8E22DCCAEEFFA@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <169528449088.13369.15448586382120882786@ietfa.amsl.com> <CA+1=6yeGfdLbAYPuvGthJE2YFdcTUNdnYVg+NJrmpeSE1UK_Qg@mail.gmail.com> <SY4PR01MB62516C1C9ACF8DFF8E22DCCAEEFFA@SY4PR01MB6251.ausprd01.prod.outlook.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.9; xcb; Linux; Fedora release 37 (Thirty Seven)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/isAdHDDa08kzpoCVqnWNibVv9gc>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-deprecate-obsolete-kex-03.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2023 16:33:12 -0000
On Friday, 22 September 2023 08:08:17 CEST, Peter Gutmann wrote: > This draft still has the same problem that's been pointed out previously: > > Clients MUST NOT offer and servers MUST NOT select FFDHE cipher > suites in TLS 1.2 connections. > > What this means is that if the implementation doesn't support > ECC, as some do, > then it's in effect saying: > > Clients and servers MUST use RSA cipher suites. > > Some people may actually read a bit further and see the MUST NOT RSA, but > that's just as non-useful because now it's saying you can't do > TLS at all. So > it needs to say: > > Unless ECC suites are not available, [Clients MUST NOT ...]. > > Or just something that doesn't end up being MUST RSA as it's currently being > interpreted. > > I'd also go further and say that since FFDHE is allowed in TLS 1.3 it's also > safe with EMS or LTS in effect, so it should really be: > > Clients and servers that do not support TLS-EMS or TLS-LTS MUST NOT offer > and servers MUST NOT select FFDHE cipher suites in TLS 1.2 connections. the "problem" with FFDHE in TLS 1.2 are the parameters provided by the server that the client can't really influence (as most servers that can't do ECC also ignore rfc7919), so there's chance that they are bad. The other is if the server has static key share, then it's vulnerable to Raccoon attack. None of which are fixed by EMS -- Regards, Hubert Kario Principal Quality Engineer, RHEL Crypto team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [TLS] I-D Action: draft-ietf-tls-deprecate-obsole… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-deprecate-ob… Thomas Fossati
- Re: [TLS] I-D Action: draft-ietf-tls-deprecate-ob… Thomas Fossati
- Re: [TLS] I-D Action: draft-ietf-tls-deprecate-ob… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-deprecate-ob… Nimrod Aviram
- Re: [TLS] I-D Action: draft-ietf-tls-deprecate-ob… Hubert Kario