Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
Henrick Hellström <henrick@streamsec.se> Mon, 27 October 2014 10:58 UTC
Return-Path: <henrick@streamsec.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 061671A6F2E for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 03:58:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.25
X-Spam-Level:
X-Spam-Status: No, score=-1.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ru5Q7I0OhaPL for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 03:58:22 -0700 (PDT)
Received: from vsp5.ballou.se (vsp5.ballou.se [91.189.40.84]) by ietfa.amsl.com (Postfix) with SMTP id 521AF1A1AB2 for <tls@ietf.org>; Mon, 27 Oct 2014 03:58:21 -0700 (PDT)
Received: from nmail1.ballou.se (unknown [10.0.0.116]) by vsp5.ballou.se (Halon Mail Gateway) with ESMTP; Mon, 27 Oct 2014 11:58:18 +0100 (CET)
Received: from [192.168.0.195] (c-21cfe555.06-134-73746f39.cust.bredbandsbolaget.se [85.229.207.33]) (Authenticated sender: henrick@streamsec.se) by nmail1.ballou.se (Postfix) with ESMTPSA id B0B4F1DE4C; Mon, 27 Oct 2014 11:58:18 +0100 (CET)
Message-ID: <544E254A.3020501@streamsec.se>
Date: Mon, 27 Oct 2014 11:58:18 +0100
From: Henrick Hellström <henrick@streamsec.se>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <544C1BC3.5060204@streamsec.se> <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com> <544E0682.30804@streamsec.se> <1414405551.2543.8.camel@dhcp-2-127.brq.redhat.com>
In-Reply-To: <1414405551.2543.8.camel@dhcp-2-127.brq.redhat.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/lyXOyv8kFvlXoJaJ7pLJet8zClQ
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: henrick@streamsec.se
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 10:58:25 -0000
On 2014-10-27 11:25, Nikos Mavrogiannopoulos wrote: > On Mon, 2014-10-27 at 09:46 +0100, Henrick Hellström wrote: >> Suppose a client offers both ECDHE and FFDHE cipher suites, and does >> send the NamedCurve extension, but with no identifiers the server >> recognizes as FFDHE groups, but with a few identifiers the server >> doesn't recognize at all. >> How is the server supposed to tell if: >> 1. The client doesn't support named FFDHE groups at all and expects >> the arbitrary encoding of FFDHE server key exchange messages, or > > All the server needs to know is the common FFDHE groups they support. > And that it apparent in that case. None. > > If they have no common groups the server SHOULD NOT negotiate DHE > according to the current draft, so no dilemma here. That is NOT what the draft says. The draft does NOT prohibit the server to negotiate an FFDHE cipher suite, when negotiating with a non-compatible client. All the draft says is that the server shouldn't send specially formatted server_key_exchange messages to non-compatible clients, which makes sense.- >> 2. The client supports only a few named FFDHE groups defined in a >> later revision of the standard that the server hasn't yet implemented, >> meaning the server ideally MUST NOT use the arbitrary encoding of FFDHE >> groups, but rather pick other cipher suites? > > I think the situation is similar as above. Perhaps I wasn't clear. This isn't a second situation. It is just a second way the server might interpret the SAME ambiguous situation. > A client though will have to decide on whether a legacy server is seen, > or a compliant to ffdhe draft, based on the format of ServerKeyExchange. > That's why I suggested to make them sufficiently distinct. FWIW, the real problem here is RFC 4492. There was no ambiguity in TLS 1.0, because the ServerKeyExchange could only contain two kinds of messages, one with two large integers (a ServerRSAParams) or one with three large integers (a ServerDHParams). RFC 4492 introduced the ambiguity. Can anyone think of a way to fix it, without forcing Named FFDHE compatible servers to negotiate RSA cipher suites instead of DHE cipher suites with legacy clients? Is that even a good idea? (That was a rhetorical question.)
- [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dh… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Manuel Pégourié-Gonnard
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Stephen Checkoway
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Hubert Kario