IETF Logo Mail Archive

Re: [TLS] IANA Recommendations for Obsolete Key Exchange

Martin Thomson <mt@lowentropy.net> Tue, 16 April 2024 01:56 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A13BC15108C for <tls@ietfa.amsl.com>; Mon, 15 Apr 2024 18:56:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="L0d8VSkL"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="CRlVIXrE"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id myG-XvBKPcdX for <tls@ietfa.amsl.com>; Mon, 15 Apr 2024 18:56:12 -0700 (PDT)
Received: from wfout3-smtp.messagingengine.com (wfout3-smtp.messagingengine.com [64.147.123.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26798C151084 for <tls@ietf.org>; Mon, 15 Apr 2024 18:56:12 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailfout.west.internal (Postfix) with ESMTP id 562611C00152; Mon, 15 Apr 2024 21:56:11 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute6.internal (MEProxy); Mon, 15 Apr 2024 21:56:11 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to; s=fm3; t=1713232570; x=1713318970; bh=CO8D48JYAiWRIs/NzIN57K800u/MhIf+ 1Povphlnk20=; b=L0d8VSkLp4QpqoDVOmcPstWnaMoS13/RQH9zsLsV6J6rfti/ VRNtP+nucH5EVCUGbk6L+ziCPjT5frLKOvZhLct5yjKEhBBrm+LxK2yWvWw+qXCr X2RP1DMPwizCUVDcJ1g8+N0YuGzjZkSiz+e4xQkkkAeY+TRgTnXLEyH1E/QYZAB9 ykYfz172a6+wApe9jUGD9MM94Rmx5oqqniemPR0qQ+tk10GyBC2aJCu/TwCHk6EA JwUgYPWHLqDFGGOhYNeQz4TYvV6ybzjW8MH935Kw17ckkpEfDDXwVMCT2DAhZxET sxU/C2KFGBByrmUX0IZSuW5Sy5v61n38S9pt2A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1713232570; x= 1713318970; bh=CO8D48JYAiWRIs/NzIN57K800u/MhIf+1Povphlnk20=; b=C RlVIXrEXKgoGxtwpm8qcGDheIu77z8AET3/K2oJEYUNCHX/rC5dRd5u0ozH3Fxuu loMeOt+/3xuxsqnSXhFhDOmCzcBme5S5beuWPwcCfk95C3EtDMyvOrT0vbqM8ZaI vKf/Zi8a64lhQcXERjwvJA+k4NkeqPX+iNac9z8yN0O8IjIbp9Znat7kd3EDaMn/ PbFGb8OaQqFoV0+Pf9TNrjkcBlLL4lXygfqH5IDr6C/hDteRCEg3qV6y1IgrL+wP cKdSwuJkKc75NiV4FMuKj8o0oOUUQ6Cia0pxuKMfHvHtwqlsSGuu/gNBahs0tfLg VJZkM/CA8z2JtJPyu+LfQ==
X-ME-Sender: <xms:utodZo6RNCgXMxWsM3_zb50wiotS1QhBMp9s2eg2S6lWrB9ngtBpkA> <xme:utodZp6pBfT500DHH9U7zOVzIhSEEhlZZXM19TP6p3YFkUb_nrJ1dgfe3SXS7_5CR -PZDP2fGLmrtKHos3g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudejfedghedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvfevufgtgfesthhqredtreerjeenucfhrhhomhepfdfo rghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqne cuggftrfgrthhtvghrnhepudfhveegudejhfetfedulefgueduhffhffegueetgfetffeh ffejjeegudeugeegnecuffhomhgrihhnpehivghtfhdrohhrghenucevlhhushhtvghruf hiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophih rdhnvght
X-ME-Proxy: <xmx:utodZneE1VUrtH3AyKbLLiEqekr0SeU3yGc1SwX_rFzCntrtVs_w3A> <xmx:utodZtK8g_Wvw7cbxbqtmtSz46kk5bH8d8yLlkjEPmXqq_MBQjZjUQ> <xmx:utodZsLVl05rs1PkNYwUeyPMapT48-VHabSedTgw7HP9iHQEyccGcA> <xmx:utodZuzrcKyc9ya1DdM93LLWX4NS-jAJoa2ZHkbW6PKLr82OrZOGtw> <xmx:utodZjUZK4-cT-5eQwNF8gpRhob6vWxnGrwkX1gUVTIY5ASh7RXe-z1N>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 9EE812340080; Mon, 15 Apr 2024 21:56:10 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-379-gabd37849b7-fm-20240408.001-gabd37849
MIME-Version: 1.0
Message-Id: <e391bfd4-e6c6-46c1-9702-48b7288bf335@betaapp.fastmail.com>
In-Reply-To: <CAF8qwaCOK75mpZmAzOvFDgofsZS5C0bu1-TFJJ_wsWUnXL-P3g@mail.gmail.com>
References: <CAOgPGoDZbdQD_i+u4=XQ7gRmJPOHM-T+Q-=dzRQh-+cs3ZLEkg@mail.gmail.com> <CAF8qwaCOK75mpZmAzOvFDgofsZS5C0bu1-TFJJ_wsWUnXL-P3g@mail.gmail.com>
Date: Tue, 16 Apr 2024 11:55:50 +1000
From: Martin Thomson <mt@lowentropy.net>
To: David Benjamin <davidben@chromium.org>, Joseph Salowey <joe@salowey.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mMUF2cuRnE-c6ZpSmpL-sGdVB6A>
Subject: Re: [TLS] IANA Recommendations for Obsolete Key Exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2024 01:56:13 -0000

With David's clarifications, this is good.

On Tue, Apr 16, 2024, at 04:46, David Benjamin wrote:
> From the meeting, I remember there being some confusion around a table 
> that split things up between TLS 1.2 and TLS 1.3, and differences in 
> how they negotiate things, which makes this listing a bit ambiguous. In 
> particular, there aren't any *cipher suites* with FFDH or FFDHE in 
> their name in TLS 1.2. Also some of these constructions have analogs in 
> TLS 1.3 and some don't, but none as cipher suites.
>
> Agreed with the proposal, but specifically, this is what I understand 
> the proposal to mean:
>
> TLS 1.2 RSA cipher suites (TLS_RSA_WITH_*) should be marked with a "D"
> -- These lack forward secrecy and use a broken encryption scheme.
> -- There is no analog to RSA key exchange in TLS 1.3, so leave it alone.
>
> TLS 1.2 static DH cipher suites (TLS_DH_*_WITH_*) should be marked with 
> a "D"
> -- These lack forward secrecy and the DH(E) construction in TLS 1.2 is 
> broken. It lacks parameter negotiation, and uses a variable-length 
> secret that is vulnerable to the Raccoon attack, particularly in this 
> context with a static DH key.
> -- There is no analog to static DH in TLS 1.3, so leave it alone.
>
> TLS 1.2 DHE cipher suites (TLS_DHE_*_WITH_*) should be marked with a "D"
> -- While these do provide forward secrecy, the DH(E) construction in 
> TLS 1.2 is broken. It lacks parameter negotiation, and uses a 
> variable-length secret that is vulnerable to the Raccoon attack. In 
> this context, the Racoon attack is less fatal, but it is still a side 
> channel leakage that the protocol should have avoided.
> -- In theory RFC 7919 addressed the lack of parameter negotiation, but 
> by reusing the old construction's cipher suites, it is undeployable. It 
> also does not fix the side channel.
> -- There *is* an analog in TLS 1.3 (the ffdhe* named groups). However, 
> they do not share the TLS 1.2 construction's problems, so we can leave 
> them alone. They're just slow and kinda pointless given ECC exists.
>
> TLS 1.2 static ECDH cipher suites (TLS_ECDH_*_WITH_*) should be marked 
> with a "D"
> -- These lack forward secrecy
> -- There is no analog to static ECDH in TLS 1.3, so leave it alone.
>
>
>
> On Mon, Apr 15, 2024 at 1:30 PM Joseph Salowey <joe@salowey.net> wrote:
>> At IETF 119 we had discussion on how to mark the ciphersuites deprecated by draft-ietf-tls-deprecate-obsolete-kex in the IANA Registry. At the meeting there was support for ('D' means discouraged):
>> 
>> RSA ciphersuites should be marked with a "D"
>> FFDH ciphersuites should be marked with a "D"
>> FFDHE ciphersuites should be marked with a "D"
>> ECDH ciphersuites should be marked with a "D"
>> 
>> This aligns with the deprecation intent of the draft. The draft states ECDH are a SHOULD NOT instead of a MUST NOT, but the sentiment was they should be generally discouraged.
>> 
>> Please respond with any comments on this proposal by April 30,2024.
>> 
>> Thanks,
>> 
>> Sean, Deirdre and Joe
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email