Re: [TLS] Regarding draft-bartle-tls-deprecate-ffdhe

Carrick Bartle <cbartle891@icloud.com> Mon, 08 March 2021 20:28 UTC

From: Carrick Bartle <cbartle891@icloud.com>
Message-Id: <E0568EB0-DA18-4496-AD68-766FEAA647DE@icloud.com>
Date: Mon, 08 Mar 2021 12:28:00 -0800
In-Reply-To: <CAF8qwaAANPA1zT9e=UULY9k_9xizu+mx0wo7a3WC3Y3COm+nPg@mail.gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, Carrick Bartle <cbartle891=40icloud.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
To: David Benjamin <davidben@chromium.org>
References: <426843f6-9cc8-4807-b4f7-79c0685fd140@www.fastmail.com> <220B49E4-A194-4514-A7FE-D1FA6C593A3A@icloud.com> <CAF8qwaA2grxOS8SEfPa2Lnoq0OBW1Zb2Tne5+g_A=UEXvDeadg@mail.gmail.com> <fd981993-5163-4f6b-b270-560708654c19@www.fastmail.com> <34ACCD66-3833-4400-AB93-1362AB0B9C0A@icloud.com> <CAF8qwaAANPA1zT9e=UULY9k_9xizu+mx0wo7a3WC3Y3COm+nPg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kBO50rfiT6UFus7l96aUJ3XLqtc>

Great, sounds good to me then.

> On Mar 8, 2021, at 11:24 AM, David Benjamin <davidben@chromium.org> wrote:
> 
> I guess it's a question of what the goal of this draft is. I don't particularly care as long as it's self-consistent. :-)
> 
> We've got the title, "FFDH(E)", which would suggest targeting TLS_DH_*, TLS_DHE_*, and even NamedGroup.ffdhe*, and not anything around ECDH(E).
> We've got the contents, which are targeting non-PFS flows, EC or FF. That is, TLS_DH_*, TLS_ECDH_*, and uses of (EC)DHE that aren't actually ephemeral.
> We've got the Raccoon citation, which would suggest[*] targeting TLS_DH_* and TLS_DHE_*, due to the buggy construction, and possibly also the non-PFS modes of both 1.3 FFDHE and 1.2/1.3 ECDHE because key reuse is more fragile.
> 
> [*] From the conclusion of the paper: "The most straightforward mitigation against the attack is to remove support for TLS-DH(E) entirely, as most major client implementations have already stopped supporting them"
> 
> On Mon, Mar 8, 2021 at 2:06 PM Carrick Bartle <cbartle891@icloud.com> wrote:
> I'm not opposed to expanding the scope of this document to include deprecating DHE. Is there a major advantage to that being its own draft?
> 
> 
> > On Mar 8, 2021, at 10:09 AM, Martin Thomson <mt@lowentropy.net> wrote:
> > 
> > One thing at a time?
> > 
> > On Tue, Mar 9, 2021, at 05:05, David Benjamin wrote:
> >> I'd suggest we also deprecate TLS 1.2 TLS_DHE_*, even when ephemeral:
> >> 
> >> - The construction is broken. The leak itself in the Raccoon attack 
> >> comes from TLS 1.2 removing leading zeros. We can't change the meaning 
> >> of the existing code points, so any fix there would involve dropping 
> >> them.
> >> 
> >> - It lacks group negotiation, which makes it very difficult to migrate 
> >> away from small groups. At least in the web, it's already no longer 
> >> supported by most implementations.
> >> https://groups.google.com/a/chromium.org/g/blink-dev/c/AAdv838-koo/m/bJv17voIBAAJ
> >> https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
> >> https://weakdh.org/
> >> 
> >> On Mon, Mar 8, 2021 at 12:52 PM Carrick Bartle
> >> <cbartle891=40icloud.com@dmarc.ietf.org> wrote:
> >>> Agreed. I'll change the title to reflect that.
> >>> 
> >>>> On Mar 8, 2021, at 7:33 AM, Martin Thomson <mt@lowentropy.net> wrote:
> >>>> 
> >>>> Well overdue.  We should do this.
> >>>> 
> >>>> The title "Deprecating FFDH(E) Ciphersuites in TLS" doesn't seem to match the document content.  I only see static or semi-static DH and ECDH key exchange being deprecated (in the document as non-ephemeral).
> >>>> 
> >>>> _______________________________________________
> >>>> TLS mailing list
> >>>> TLS@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/tls
> >>> 
> > 
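The leading-zero stripping that David Benjamin's first bullet refers to, as an added example that is not part of the thread or of the draft: TLS 1.2 (RFC 5246, section 8.1.2) strips leading zero bytes from the DH shared value Z before using it as the pre_master_secret, so the length of the secret fed into the PRF depends on the value of Z; TLS 1.3 (RFC 8446, section 7.4.1) left-pads Z to the byte length of p, so the length is constant. The code below encodes the same Z both ways and tallies the lengths over many exchanges against one fixed server key, the key-reuse setting in which Raccoon is mounted. The group (p = 2**127 - 1, g = 5) is a constructed toy group chosen only so the demo runs quickly, not a TLS named group; the function names are the example's own.

```python
import random

# Constructed toy group for the demonstration: p = 2**127 - 1 is a Mersenne
# prime and g = 5 is an arbitrary base.  Neither is a TLS named group; the
# encoding behaviour shown does not depend on the size of the group.
TOY_P = 2**127 - 1
TOY_G = 5


def byte_len(p: int) -> int:
    """Number of bytes needed to hold p (what RFC 8446 calls the size of p)."""
    return (p.bit_length() + 7) // 8


def tls12_premaster_secret(z: int, p: int) -> bytes:
    """TLS 1.2 (RFC 5246 section 8.1.2): Z as a big-endian integer with all
    leading zero bytes stripped, so the length depends on the value of Z."""
    return z.to_bytes(byte_len(p), "big").lstrip(b"\x00")


def tls13_shared_secret(z: int, p: int) -> bytes:
    """TLS 1.3 (RFC 8446 section 7.4.1): Z left-padded with zeros to the
    size of p, so the length is the same for every Z."""
    return z.to_bytes(byte_len(p), "big")


def length_histogram(n: int, seed: int, p: int = TOY_P, g: int = TOY_G) -> dict:
    """Run n exchanges against one fixed server key with fresh client keys and
    tally the length of the secret each version hands to its key derivation.
    Returns {"tls12": {length: count}, "tls13": {length: count}}."""
    rng = random.Random(seed)          # seeded only so the demo is repeatable
    server_priv = rng.randrange(2, p - 1)
    server_pub = pow(g, server_priv, p)
    hist = {"tls12": {}, "tls13": {}}
    for _ in range(n):
        client_priv = rng.randrange(2, p - 1)
        client_pub = pow(g, client_priv, p)
        z = pow(client_pub, server_priv, p)
        assert z == pow(server_pub, client_priv, p)   # both sides agree on Z
        for name, encode in (("tls12", tls12_premaster_secret),
                             ("tls13", tls13_shared_secret)):
            length = len(encode(z, p))
            hist[name][length] = hist[name].get(length, 0) + 1
    return hist


if __name__ == "__main__":
    h = length_histogram(4000, seed=1)
    print("TLS 1.2 premaster secret lengths:", dict(sorted(h["tls12"].items())))
    print("TLS 1.3 shared secret lengths:   ", h["tls13"])
```

For a 16-byte toy p the TLS 1.2 tally shows a spread of lengths (roughly one exchange in 128 loses its top byte here; for a 2048-bit group the ratio is about one in 256), while the TLS 1.3 tally shows a single length. That value-dependent length is what a server that reuses its DH key exposes to an attacker who can time the server's key derivation, which is why a fix cannot be applied to the existing TLS 1.2 code points without changing what they mean.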