Re: [TLS] security levels for TLS

Mike <mike-list@pobox.com> Sat, 13 October 2007 01:32 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgVs9-0004iy-39; Fri, 12 Oct 2007 21:32:57 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IgVs7-0004gs-Fn for tls-confirm+ok@megatron.ietf.org; Fri, 12 Oct 2007 21:32:55 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgVs7-0004gk-5w for tls@lists.ietf.org; Fri, 12 Oct 2007 21:32:55 -0400
Received: from rune.pobox.com ([208.210.124.79]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IgVs2-0006Wi-0v for tls@lists.ietf.org; Fri, 12 Oct 2007 21:32:55 -0400
Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id A1E1C147937 for <tls@lists.ietf.org>; Fri, 12 Oct 2007 21:32:57 -0400 (EDT)
Received: from [192.168.1.8] (wsip-24-234-114-35.lv.lv.cox.net [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 6456B1478AC for <tls@lists.ietf.org>; Fri, 12 Oct 2007 21:32:57 -0400 (EDT)
Message-ID: <471020A0.9080505@pobox.com>
Date: Fri, 12 Oct 2007 18:34:24 -0700
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: tls@lists.ietf.org
Subject: Re: [TLS] security levels for TLS
References: <20071010180324.7ABC533C21@delta.rtfm.com> <470E4399.3010008@pobox.com> <20071011155829.965C733C28@delta.rtfm.com> <470EF76B.5050102@pobox.com> <20071012045718.DE16033C21@delta.rtfm.com> <470FB525.7010308@pobox.com> <20071012180445.1D22D33C21@delta.rtfm.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]> <470FEA1F.7030500@pobox.com> <20071012215901.GR24532@Sun.COM> <47100EE5.9070103@pobox.com> <20071013003737.E4C6D33C21@delta.rtfm.com>
In-Reply-To: <20071013003737.E4C6D33C21@delta.rtfm.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

>> If a server sees a DHE_* cipher suite in the
>> ClientHello, but doesn't know that the client wants 1536-bit
>> (or larger) parameters, it may select it, even though it only
>> has 1024-bit parameters.  The client would have to renegotiate
>> the session without including the DHE cipher suites, which is
>> an avoidable waste of computing resources.
> 
> Look, this scenario is basically bogus now, and I suspect
> in the future.

Right, and I want to fix that.

> Nearly all servers have 1024-bit RSA keys signed by 1024-bit
> RSA CA keys. If they have DHE, then that's 1024-bit too.
> If the client wants 1536-bit anything, it's SOL, and neither
> asking for it in its ClientHello nor dropping DHE from its
> cipher suites and reconnecting will help. And even if the
> server *did* have multiple DHE groups, why would it be
> OK from the client's perspective to have those authenticated
> with a long-term 1024-bit RSA key? That's part of what 
> people have been trying to tell you about absolute security
> levels.

Everyone uses 1024-bits because everyone else uses 1024-bits,
and they feel a sense of security in numbers.  In other words
they can't be fired if something goes wrong because the whole
industry does it.

> Now, one could certainly argue that in the future servers
> may have a variety of ephemeral DH parameters, but they're
> going to in general want to use the weakest one that's
> acceptable to them. Either this extension is mandatory
> to comply with (like ECC groups), in which case the client
> basically can't set it above 1024 or he won't be able to
> talk to most servers, or it's optional, in which case
> I would expect servers to ignore it, since it will reduce
> their performance and if they wanted stronger keys they
> would just use them.

As we've both noted there are performance/security tradeoffs,
and I believe the client is in a better position to decide
what level of security is desired for any given transaction.
The server doesn't know what operations the client is going
to be requesting until after TLS is negotiated.

Mike


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls