Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 31 March 2014 17:34 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Rob Stradling <rob.stradling@comodo.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Marsh Ray <maray@microsoft.com>, Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 31 Mar 2014 17:34:44 +0000
Message-ID: <e99c17b918b94998917ef731b02d4538@BL2PR03MB419.namprd03.prod.outlook.com>
References: <CABkgnnX=KM4YVf1+znp_HS+Pu6DSw64q1adDC4EOPqRLuTDZKQ@mail.gmail.com> <31dba3a928d145c6835d4bbcfa603354@BY2PR03MB074.namprd03.prod.outlook.com> <5335785F.2070104@fifthhorseman.net> <368f5b8e9f9b49d1b8b1e2600a1b8a49@BL2PR03MB419.namprd03.prod.outlook.com> <5339450D.3060306@comodo.com>
In-Reply-To: <5339450D.3060306@comodo.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/l6xuQyfbG2gPkwjQkOcLp5dSKlk
Cc: "tls@ietf.org" <tls@ietf.org>

Hi Rob,

No, this update does not add new ECDHE_RSA cipher suites. However, I would not rule out the possibility of implementing TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA*384* in a future update.

(In any case, I would not read too much into "Historically we have opted to provide ECDHE *in place of* classic DHE". IMHO, both DHE and ECDHE have their place and we'll keep adding support for the cipher suites our customers need.)

Cheers,

Andrei 

-----Original Message-----
From: Rob Stradling [mailto:rob.stradling@comodo.com] 
Sent: Monday, March 31, 2014 3:36 AM
To: Andrei Popov; Daniel Kahn Gillmor; Marsh Ray; Martin Thomson
Cc: tls@ietf.org
Subject: Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

On 28/03/14 19:03, Andrei Popov wrote:
>> did SChannel ever support classic DHE with RSA authentication?
>
> "Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update spring 2014" adds a couple of DHE_RSA cipher suites:
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Andrei, may we therefore assume that "Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update spring 2014" will also add these 2 ciphers...

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256

?

(Marsh wrote "Historically we have opted to provide ECDHE *in place of* classic DHE".  I'm trying to figure out if this is still your approach, or if you're now doing the opposite!)

Thanks.

> Without this update, schannel supports DHE_DSS (admittedly, not the most widely used auth).
>
> Cheers,
>
> Andrei
>
> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Daniel Kahn Gillmor
> Sent: Friday, March 28, 2014 6:26 AM
> To: Marsh Ray; Martin Thomson
> Cc: tls@ietf.org
> Subject: Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)
>
> On 03/27/2014 08:17 PM, Marsh Ray wrote:
>> From: Martin Thomson [mailto:martin.thomson@gmail.com]
>>>
>>> On 27 March 2014 16:55, Marsh Ray <maray@microsoft.com> wrote:
>>>> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Alyssa Rowan
>>>>>
>>>>> Show of hands: who *really* wants to deploy 2048-bit (or above) DHE, when they could have curve25519 instead?
>>>>
>>>> The general consensus at Microsoft is that we like ECDHE much better than the classic DHE.
>>>
>>> I think that this is the general trend, but is it so bad that you would want to prohibit DHE?
>>
>> Historically we have opted to provide ECDHE *in place of* classic DHE.
>
> did SChannel ever support classic DHE with RSA authentication?
>
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx
>
> suggests that XP and win2003 (which, afaict, were what immediately preceded vista) do not have DHE.  So it looks like ECDHE was just added, but "classic DHE" wasn't in SChannel in the first place, which doesn't sound like ECDHE is "in place of" DHE to me.
>
> or am i misreading the documentation?
>
> 	--dkg
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

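As an added illustration (not code from anyone in this thread or from SChannel): a small checker for TLS 1.2 cipher suite names that encodes the naming rule behind Andrei's SHA*384* correction and flags RSA key transport, which the thread's subject is about removing. The code points are from the IANA TLS Cipher Suite registry (RFC 5288 and RFC 5289); the sample list is constructed for the example, with Rob's two ECDHE_RSA names spelled as in his mail.

```python
import re
# Code points from the IANA TLS Cipher Suite registry (RFC 5288 / RFC 5289): the four
# suites named in this thread plus the RSA key transport counterpart of the first one.
IANA_SUITES = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009C,
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009E,
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": 0x009F,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
}
# TLS 1.2 naming: TLS_<kex>[_<auth>]_WITH_AES_<bits>_<mode>_<hash> (AES suites only here).
SUITE_RE = re.compile(
    r"^TLS_(?P<kex>ECDHE|DHE|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?"
    r"_WITH_AES_(?P<bits>128|256)_(?P<mode>GCM|CBC)_(?P<hash>SHA256|SHA384|SHA)$"
)

def parse_suite(name):
    """Split a suite name into kex/auth/bits/mode/hash; None if the name is not understood."""
    m = SUITE_RE.match(name)
    if not m:
        return None
    parts = m.groupdict()
    parts["auth"] = parts["auth"] or parts["kex"]  # TLS_RSA_WITH_... is RSA kex and RSA auth
    parts["bits"] = int(parts["bits"])
    return parts

def check_suite(name):
    """Return findings for one configured suite name; an empty list means it looks sane."""
    parts = parse_suite(name)
    if parts is None:
        return ["unrecognised suite name"]
    findings = []
    # RFC 5288/5289 pair AES-128-GCM with SHA256 and AES-256-GCM with SHA384 (the PRF hash);
    # a GCM suite with the other hash is not registered, so it can never be negotiated.
    if parts["mode"] == "GCM":
        expected = "SHA256" if parts["bits"] == 128 else "SHA384"
        if parts["hash"] != expected:
            findings.append(f"AES-{parts['bits']}-GCM suites use {expected}, not {parts['hash']}")
    if name not in IANA_SUITES:
        findings.append("not in the registry subset known to this checker")
    if parts["kex"] not in ("DHE", "ECDHE"):
        findings.append("RSA key transport: no forward secrecy")
    return findings

if __name__ == "__main__":  # constructed sample: Rob's two names as spelled, plus one RSA suite
    sample = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256"]
    for suite in sample:
        print(suite, "->", "; ".join(check_suite(suite)) or "ok")
```

Run against a server's configured suite list, the second name in the sample is reported as a non-existent AES-256-GCM/SHA256 combination, which is exactly why Andrei's reply spells out SHA384.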