IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Henrick Hellström <henrick@streamsec.se> Mon, 27 October 2014 10:58 UTC

Return-Path: <henrick@streamsec.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 061671A6F2E for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 03:58:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.25
X-Spam-Level:
X-Spam-Status: No, score=-1.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ru5Q7I0OhaPL for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 03:58:22 -0700 (PDT)
Received: from vsp5.ballou.se (vsp5.ballou.se [91.189.40.84]) by ietfa.amsl.com (Postfix) with SMTP id 521AF1A1AB2 for <tls@ietf.org>; Mon, 27 Oct 2014 03:58:21 -0700 (PDT)
Received: from nmail1.ballou.se (unknown [10.0.0.116]) by vsp5.ballou.se (Halon Mail Gateway) with ESMTP; Mon, 27 Oct 2014 11:58:18 +0100 (CET)
Received: from [192.168.0.195] (c-21cfe555.06-134-73746f39.cust.bredbandsbolaget.se [85.229.207.33]) (Authenticated sender: henrick@streamsec.se) by nmail1.ballou.se (Postfix) with ESMTPSA id B0B4F1DE4C; Mon, 27 Oct 2014 11:58:18 +0100 (CET)
Message-ID: <544E254A.3020501@streamsec.se>
Date: Mon, 27 Oct 2014 11:58:18 +0100
From: Henrick Hellström <henrick@streamsec.se>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <544C1BC3.5060204@streamsec.se> <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com> <544E0682.30804@streamsec.se> <1414405551.2543.8.camel@dhcp-2-127.brq.redhat.com>
In-Reply-To: <1414405551.2543.8.camel@dhcp-2-127.brq.redhat.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/lyXOyv8kFvlXoJaJ7pLJet8zClQ
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: henrick@streamsec.se
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 10:58:25 -0000

On 2014-10-27 11:25, Nikos Mavrogiannopoulos wrote:
> On Mon, 2014-10-27 at 09:46 +0100, Henrick Hellström wrote:
>> Suppose a client offers both ECDHE and FFDHE cipher suites, and does
>> send the NamedCurve extension, but with no identifiers the server
>> recognizes as FFDHE groups, but with a few identifiers the server
>> doesn't recognize at all.
>> How is the server supposed to tell if:
>>     1. The client doesn't support named FFDHE groups at all and expects
>> the arbitrary encoding of FFDHE server key exchange messages, or
>
> All the server needs to know is the common FFDHE groups they support.
> And that it apparent in that case. None.
>
> If they have no common groups the server SHOULD NOT negotiate DHE
> according to the current draft, so no dilemma here.

That is NOT what the draft says. The draft does NOT prohibit the server 
to negotiate an FFDHE cipher suite, when negotiating with a 
non-compatible client. All the draft says is that the server shouldn't 
send specially formatted server_key_exchange messages to non-compatible 
clients, which makes sense.-


>>     2. The client supports only a few named FFDHE groups defined in a
>> later revision of the standard that the server hasn't yet implemented,
>> meaning the server ideally MUST NOT use the arbitrary encoding of FFDHE
>> groups, but rather pick other cipher suites?
>
> I think the situation is similar as above.

Perhaps I wasn't clear. This isn't a second situation. It is just a 
second way the server might interpret the SAME ambiguous situation.


> A client though will have to decide on whether a legacy server is seen,
> or a compliant to ffdhe draft, based on the format of ServerKeyExchange.
> That's why I suggested to make them sufficiently distinct.

FWIW, the real problem here is RFC 4492. There was no ambiguity in TLS 
1.0, because the ServerKeyExchange could only contain two kinds of 
messages, one with two large integers (a ServerRSAParams) or one with 
three large integers (a ServerDHParams). RFC 4492 introduced the 
ambiguity. Can anyone think of a way to fix it, without forcing Named 
FFDHE compatible servers to negotiate RSA cipher suites instead of DHE 
cipher suites with legacy clients? Is that even a good idea? (That was a 
rhetorical question.)

v2.23.0 | Report a Bug | By Email