Re: [TLS] DHE key derivation

Yoav Nir <> Fri, 27 September 2013 21:25 UTC

From: Yoav Nir <>
To: Yaron Sheffer <>
Cc: "<>" <>
Date: Fri, 27 Sep 2013 21:24:44 +0000
Subject: Re: [TLS] DHE key derivation
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Sep 28, 2013, at 12:00 AM, Yaron Sheffer <> wrote:
> Hi Hanno,
> Just a few weeks ago we as a community thought the server's private key was generally secure.

Did we? Private keys are just files on a web server. Sometimes they leak ([1]).

> Now the entire community seems to assume the private key is easy to steal.

Easy or hard depends on the practices of the web server administrators. I personally (and maybe others feel the same) think it's easier than factoring a 2048-bit number (or even factoring a 1024-bit number, or calculating a discrete logarithm in a 1024-bit MODP group). I understand it's problematic comparing unlike things, like what's easier: peace in the middle east or a manned flight to Mars? But when assessing risks to your website, you do have to figure out where to invest your resources.

> Practically, most private keys will probably not be stolen. OTOH the NSA (and also much smaller organizations) will have a pile of DH-1024 encrypted traffic for years to come just waiting for compute power to enable decryption en masse.

The longer they wait, the less valuable decrypting them becomes. And storing that pile costs them. Also, what do you mean by "en masse"? If the entire traffic on the Internet were encrypted with DES (broken by civilians over 18 years ago), could the NSA afford to decrypt it all today?

> I'm sure you're not seriously suggesting that if I have a 3072-bit RSA cert, but my crypto library can only do 2048-bit DH, then I should never do DHE, and instead fall back to simple RSA, are you? Looking forward, there will always be mismatches and we should prefer the best possible TLS "mix", rather than enforce an idealistic policy.

That I agree with, but rather than optimizing mixes, I prefer to think of it as a minimum level for each primitive, and mandating at least that. An RSA ciphersuite has zero bits for PFS. Obviously, 1024-bit DH is better than zero bits (80 bits according to NIST estimates). If for various legal, commercial and BC reasons we can't mandate the 112 bits of 2048-bit DH or the 128 bits of ECDHE with the P-256 or equivalent brainpool curve or some other curve, then we should set the minimum level for now at 1024-bit DHE.
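The "minimum level for each primitive" policy above, written out as a small checker. This is an added illustration for the archive page, not code from the list or from any TLS implementation. It uses the NIST SP 800-57 strengths quoted in the message for the standard RSA/DH sizes (1024 -> 80, 2048 -> 112, 3072 -> 128) and, for non-standard sizes such as a 1536-bit DH group, the GNFS-cost approximation from FIPS 140-2 Implementation Guidance 7.5; the KeyExchange record, the function names and the sample configurations are this example's own and are constructed to mirror the cases discussed in the thread (static RSA, a 3072-bit certificate with 2048-bit DHE, 1024-bit DHE, ECDHE on P-256).

```python
"""Per-primitive minimum-strength policy for a TLS key exchange.

Added illustration for this thread, not code from the list or from any TLS
implementation. It judges a (certificate key, key-exchange) pair the way the
message above argues we should: every primitive must clear its own floor,
rather than trading a strong certificate against a weak or absent DHE group.
"""
import math
from dataclasses import dataclass

LN2 = math.log(2)

# NIST SP 800-57 Part 1 strengths for the standard RSA / finite-field DH sizes.
NIST_FFC_IFC_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def gnfs_estimate(modulus_bits: int) -> float:
    """Security strength (bits) of an RSA modulus or finite-field DH prime of
    the given size, from the asymptotic cost of the General Number Field Sieve.
    This is the approximation in FIPS 140-2 Implementation Guidance 7.5:
    (1.923 * cbrt(ln N) * (ln ln N)^(2/3) - 4.69) / ln 2, with N = 2^bits.
    It reproduces the SP 800-57 table to within a couple of bits."""
    ln_n = modulus_bits * LN2
    return (1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69) / LN2


def ffc_ifc_strength(modulus_bits: int) -> int:
    """Tabulated NIST value for the standard sizes, GNFS estimate otherwise
    (e.g. the 1536-bit group some servers still configure)."""
    if modulus_bits in NIST_FFC_IFC_STRENGTH:
        return NIST_FFC_IFC_STRENGTH[modulus_bits]
    return round(gnfs_estimate(modulus_bits))


def ecc_strength(curve_bits: int) -> int:
    """Best generic ECDLP attack (Pollard rho) costs about 2^(n/2): P-256 -> 128."""
    return curve_bits // 2


@dataclass(frozen=True)
class KeyExchange:
    auth: str        # certificate key type: "RSA" or "ECDSA"
    auth_bits: int   # RSA modulus size or curve size
    kex: str         # "RSA" (static key transport), "DHE" or "ECDHE"
    kex_bits: int    # 0 for RSA key transport, DH prime size, or curve size


def auth_strength(kx: KeyExchange) -> int:
    if kx.auth == "RSA":
        return ffc_ifc_strength(kx.auth_bits)
    if kx.auth == "ECDSA":
        return ecc_strength(kx.auth_bits)
    raise ValueError(f"unknown auth algorithm {kx.auth!r}")


def pfs_strength(kx: KeyExchange) -> int:
    """Bits of forward secrecy: the work to recover a recorded session once
    the certificate's private key has leaked."""
    if kx.kex == "RSA":
        return 0   # static RSA key transport: a leaked key decrypts every recorded session
    if kx.kex == "DHE":
        return ffc_ifc_strength(kx.kex_bits)
    if kx.kex == "ECDHE":
        return ecc_strength(kx.kex_bits)
    raise ValueError(f"unknown key exchange {kx.kex!r}")


def check_policy(kx: KeyExchange, min_auth_bits: int = 80, min_pfs_bits: int = 80):
    """Return (accepted, reasons). Each primitive is held to its own floor;
    a 3072-bit certificate does not buy a pass for a weak or missing DHE group."""
    reasons = []
    a = auth_strength(kx)
    if a < min_auth_bits:
        reasons.append(f"authentication: {kx.auth}-{kx.auth_bits} gives {a} bits, need {min_auth_bits}")
    p = pfs_strength(kx)
    if p < min_pfs_bits:
        reasons.append(f"forward secrecy: {kx.kex}-{kx.kex_bits} gives {p} bits, need {min_pfs_bits}")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed configurations mirroring the cases raised in the thread.
    cases = [
        KeyExchange("RSA", 2048, "RSA", 0),       # plain RSA: zero bits of PFS
        KeyExchange("RSA", 3072, "DHE", 2048),    # cert stronger than the DH group
        KeyExchange("RSA", 2048, "DHE", 1024),    # the proposed 80-bit floor
        KeyExchange("RSA", 2048, "ECDHE", 256),   # P-256: 128 bits
    ]
    for floor in (80, 112):
        for kx in cases:
            ok, why = check_policy(kx, min_pfs_bits=floor)
            verdict = "accept" if ok else "reject"
            print(f"PFS floor {floor}: {kx.auth}-{kx.auth_bits} / {kx.kex}-{kx.kex_bits}: {verdict} {why}")
```

With the floor at 80 the checker accepts every DHE and ECDHE case and rejects only static RSA; raising it to 112 additionally rejects 1024-bit DHE while still accepting the 3072-bit-certificate-with-2048-bit-DHE mix, which is the behaviour argued for above.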