Re: [TLS] Safe ECC usage

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 12 October 2013 09:15 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62AB521E8150 for <tls@ietfa.amsl.com>; Sat, 12 Oct 2013 02:15:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.449
X-Spam-Level:
X-Spam-Status: No, score=-102.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ZPSVFW176Qp for <tls@ietfa.amsl.com>; Sat, 12 Oct 2013 02:15:18 -0700 (PDT)
Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) by ietfa.amsl.com (Postfix) with ESMTP id 7E18221E8140 for <tls@ietf.org>; Sat, 12 Oct 2013 02:15:16 -0700 (PDT)
Received: by mail-wi0-f182.google.com with SMTP id ez12so2115507wid.9 for <tls@ietf.org>; Sat, 12 Oct 2013 02:15:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=7bjGQzp54Zn5wwprr8ZSKvmJv3GHuJDH1Ki0OKOUq/Y=; b=i8j90omB2F20JgzbvP529KqVAwSnGXZTE8tbYPoglHk8HNBjbPG81DAewK8qq8N292 z5+Csxr3nsx7h1pfQVH27nvZ7LD+uUs5crpjlx5yAP43hQ1Zkdh5q+e9xmANhQklvOXq tuQFRq0NwomrsdPOaJN7E4KT5aS4ximkgBfyPFC4FsGFZ3iMKT1zu742e1FLbK8FB6aV JuKv/rm5kqz4EYVD7tdc7W4RJx/BNrjFgkFxZ6gGE3N5gsS1FiqnR2CUDqUanQXtrJFK URoYnnbBQN3dWGd+bXHRhCbiQSaTsO5Ez022NQwrY7dDVO5WrJbedM36ImKHeVm80sWl XqNw==
X-Received: by 10.194.250.6 with SMTP id yy6mr20967029wjc.13.1381569310874; Sat, 12 Oct 2013 02:15:10 -0700 (PDT)
Received: from [10.0.0.8] ([109.65.223.20]) by mx.google.com with ESMTPSA id y20sm12758689wib.0.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 12 Oct 2013 02:15:10 -0700 (PDT)
Message-ID: <5259131C.8040201@gmail.com>
Date: Sat, 12 Oct 2013 12:15:08 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: mrex@sap.com, Manuel Pégourié-Gonnard <mpg@elzevir.fr>
References: <20131012045001.94DFA1A9F9@ld9781.wdf.sap.corp>
In-Reply-To: <20131012045001.94DFA1A9F9@ld9781.wdf.sap.corp>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Safe ECC usage
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Oct 2013 09:15:18 -0000

Hi Martin,

I like conspiracy theories as much as the next one, but the truth is, we 
simply don't know if NIST P-256 and friends are bugged. OTOH we do know 
that DHE-1024 is too weak.

Luckily, TLS negotiates ECDHE curves. So on the server side you can 
prefer Brainpool and fall back to P-256. Or you can allow *only* 
Brainpool (or DJB's latest, or whatever) and switch to DHE or to plain 
RSA if the client doesn't have your favorite curve. The point is, ECDHE 
was engineered correctly with built-in crypto agility, so if we move to 
it we have a way forward.

Thanks,
	Yaron

On 10/12/2013 07:50 AM, Martin Rex wrote:
>>>
[...]
>
> Really, the best that could happen to the NSA is that everyone starts
> using ECDHE with Nist curves, aka Suite B.  It just would not make sense
> (and amount to a huge waste of tax dollars) if these were _not_ bugged!
>
> The defects in (EC)DSA look rather accidental to me, and EC_Dual_DRNG was
> deliberatly set up to deceive folks on what was _really_ subverted.
> Considering how it is being used, ECDHE as part of Suite B is the
> single point of failure that is by far the most convenient, because
> it will work for large-scale passive eavesdropping.
>
>
[...]
>
> -Martin