Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Fri, 05 June 2015 12:46 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71A0B1B2D9E for <tls@ietfa.amsl.com>; Fri, 5 Jun 2015 05:46:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5BOQr0SAE5wd for <tls@ietfa.amsl.com>; Fri, 5 Jun 2015 05:46:45 -0700 (PDT)
Received: from emh02.mail.saunalahti.fi (emh02.mail.saunalahti.fi [62.142.5.108]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4B9F1ACEEC for <tls@ietf.org>; Fri, 5 Jun 2015 05:46:44 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh02.mail.saunalahti.fi (Postfix) with ESMTP id 9A8CD81873; Fri, 5 Jun 2015 15:46:41 +0300 (EEST)
Date: Fri, 5 Jun 2015 15:46:41 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Message-ID: <20150605124641.GA13852@LK-Perkele-VII>
References: <20150601225057.17500.96911.idtracker@ietfa.amsl.com> <CAHOTMVJ1xu+mEaROWKuEtW1E8Ks3r3gKagEM9mJdBOKW3kSZJQ@mail.gmail.com> <CAHOTMVJwrg3Xzj1-dtMm6b1g9_rwn9KK=Wo-Mqxd7DnAygk8Hw@mail.gmail.com> <1433493887.3170.5.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <1433493887.3170.5.camel@redhat.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/lu3qjK_DGI4FRMYP_6mfzbMue7Q>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2015 12:46:47 -0000

On Fri, Jun 05, 2015 at 10:44:47AM +0200, Nikos Mavrogiannopoulos wrote:
> On Thu, 2015-06-04 at 18:02 -0700, Tony Arcieri wrote:
> > As I expected, one of the major issues seems to be having a backup in 
> > the event of a catastrophic failure of ECC:
> > On Mon, Jun 1, 2015 at 4:02 PM, Tony Arcieri <bascule@gmail.com> 
> > wrote:
> > > I expect the response is going to be "What if there's some 
> > > catastrophic failure of ECC?"
> > > 
> > On Wed, Jun 3, 2015 at 1:05 AM, Dave Garrett <davemgarrett@gmail.com>
> >  wrote:
> > > People want a backup to deal with mistrust of ECC curves
> > On Wed, Jun 3, 2015 at 3:05 AM, Nikos Mavrogiannopoulos <
> > nmav@redhat.com> wrote:
> > > Removing the negotiation option means there there will
> > > be no backup at all in case of a flaw in the existing ECDHE
> > > ciphersuites.
> > When I did a quick straw poll of the CFRG about this, the seemingly 
> > unanimous preference was if we do want to solve the general problem 
> > of an "ECC backup", we should be focusing on post-quantum algorithms, 
> > not shoring up FFDHE.
> 
> I agree, but I don't see any proposals so far. Once we have such an
> algorithm as backup we can drop FFDHE.

Unfortunately, PQ algorithms (and there do seem to be PQ key agreement
algorithms that look sufficiently like Diffie-Hellman) are much less
understood than DH or ECDH.

Some relevant questions:
- How much assurance there is to security of such scheme in general?
- Approximately how fast the scheme runs (at least that it isn't
  hopelessly slow)?
- How does exchange key size scale as function of estimated security
  level (especially as TLS is currently limited to 64kB keys, and PQ
  schemes tend to have very large keys)?
- What mesages does the scheme need (especially, is it one from each
  in either order DH/ECDH has)?
- Can the scheme use fixed sets of public paramters (especially as
  TLS 1.3 key exchange has that limit)?
- How to perform trustworthy generation of the public parameters
  (some schemes have serious problems there)?
- What regions of public parameters to avoid because of security
  issues?


I don't know if this is even CFRG material at this point, let alone
material for TLS WG.


-Ilari