IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Henrick Hellström <henrick@streamsec.se> Sat, 25 October 2014 21:53 UTC

Return-Path: <henrick@streamsec.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8BD61A0264 for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 14:53:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.25
X-Spam-Level:
X-Spam-Status: No, score=-1.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NAgGIm0vsIGV for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 14:53:49 -0700 (PDT)
Received: from vsp2.ballou.se (vsp2.ballou.se [91.189.40.83]) by ietfa.amsl.com (Postfix) with SMTP id 99DC01A0231 for <tls@ietf.org>; Sat, 25 Oct 2014 14:53:47 -0700 (PDT)
Received: from nmail1.ballou.se (unknown [10.0.0.116]) by vsp2.ballou.se (Halon Mail Gateway) with ESMTP; Sat, 25 Oct 2014 23:53:42 +0200 (CEST)
Received: from [192.168.0.195] (c-21cfe555.06-134-73746f39.cust.bredbandsbolaget.se [85.229.207.33]) (Authenticated sender: henrick@streamsec.se) by nmail1.ballou.se (Postfix) with ESMTPSA id EA83D1DE4C; Sat, 25 Oct 2014 23:53:41 +0200 (CEST)
Message-ID: <544C1BC3.5060204@streamsec.se>
Date: Sat, 25 Oct 2014 23:53:07 +0200
From: Henrick Hellström <henrick@streamsec.se>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com>
In-Reply-To: <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/mHxLlT_Gvcg-oOVNbx0nVGqJxRg
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: henrick@streamsec.se
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Oct 2014 21:53:51 -0000

On 2014-10-25 21:51, Nikos Mavrogiannopoulos wrote:
>> It seems to me the the recommended Client Behavior and Server Behavior
>> has to be simplified and strengthened, in order for the standard to meet
>> the security objectives.
>
> Could you elaborate on which security objectives are you referring to?

Second paragraph of section 6.3 Arbitrary groups:

>    Note that in several known attacks against TLS and SSL
>    [SECURE-RESUMPTION] [CROSS-PROTOCOL] [SSL3-ANALYSIS], a malicious
>    server uses a deliberately broken FFDHE group to impersonate the
>    client to a different server."


> What is the advantage of that proposal? It is more complex, and a security
> protocol should strive for simplicity.

In my view, the current draft leads to a lot more complex 
implementations, compared to my proposal.

You get complexity for two major reasons:
   * When adding new abilities in a manner that is not backwards 
compatible by design.
   * When balancing security requirements against interoperability 
requirements, without clear indications in the standards how these 
requirements should be balanced.

The problem a client faces, is that if it supports TLS 1.0 through TLS 
1.2, it will have to be prepared to deal with servers sending arbitrary 
FF DHE groups anyway. While I agree the ambiguity of the 
server_key_exchange message is a concern, implementing the draft-02 
doesn't resolve that ambiguity. Implementing TLS 1.3 and dropping 
support for older versions might be solution, but that is not going to 
happen any time soon.

Consequently, I would argue that a recommendation that ECDHE should only 
use named curves, and FF DHE only use standard groups encoded as 
arbitrary groups, would be closer to reality, lead to greater security 
at the expense of less interoperability issues, and make both server 
implementations and client implementations (that require backwards 
compatibility with older peers) *less* complex.

v2.39.1 | Report a Bug | By Email | System Status