Re: [TLS] sect571r1

Dan Brown <dbrown@certicom.com> Thu, 16 July 2015 02:02 UTC

From: Dan Brown <dbrown@certicom.com>
To: Tony Arcieri <bascule@gmail.com>
Date: Thu, 16 Jul 2015 02:02:26 +0000
Message-ID: <20150716020223.5333071.63455.4405@certicom.com>
References: <CAHOTMVJ+Rbvojqsa35ysLy8M1YwWEc2Qm7LDppQj7YKdpr0cfA@mail.gmail.com> <20150716002056.8BD691A1E9@ld9781.wdf.sap.corp> <20150716014248.5333071.47478.4400@certicom.com>, <CAHOTMV+GMT6eLqL22MTBNPbO0QgG_eTJNZ-4TwptB=k8G0UDRA@mail.gmail.com>
In-Reply-To: <CAHOTMV+GMT6eLqL22MTBNPbO0QgG_eTJNZ-4TwptB=k8G0UDRA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/jkyo76G3w4jLcYMrTiukEAc5_-U>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] sect571r1

FFDHE with prime field is one big step away from FFDHE with binary field, which has quasipoly time DLP, so that's quite a large risk.
ECDHE with binary field is also one big step away from binary FFDHE, but it's a different type of step: hence diversity.
I agree that diversity risks weakest link. Ideally, the rainy day backups should be disabled by default, but possible to quickly enable, by administrator configuration or patch.
From: Tony Arcieri
Sent: Wednesday, July 15, 2015 9:47 PM
To: Dan Brown
Cc: Martin Rex; <tls@ietf.org>
Subject: Re: [TLS] sect571r1


On Wed, Jul 15, 2015 at 6:42 PM, Dan Brown <dbrown@certicom.com> wrote:
Even so, there's an argument from Koblitz and Menezes that special curves (e.g. binary curves) may survive some wider collapse. I think it's a weak argument, but for those for whom supporting more curves is easy, it could justify supporting a diversity of curves.

Others are pushing FFDHE in the event of some ECC disaster. I'm not really a fan of that either (all these things add attack surface in addition to being "backups"), but if we're going to keep a little used thing around in our pocket just in case of an ECC disaster, why do we need backup curves in addition to FFDHE?

--
Tony Arcieri