IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-ecdhe-psk-aead-00.txt

Daniel Migault <daniel.migault@ericsson.com> Mon, 24 October 2016 15:22 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 793A4129879 for <tls@ietfa.amsl.com>; Mon, 24 Oct 2016 08:22:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 42bnKP6pjGhv for <tls@ietfa.amsl.com>; Mon, 24 Oct 2016 08:22:08 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FDBB129876 for <tls@ietf.org>; Mon, 24 Oct 2016 08:22:08 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id t193so192695519ywc.2 for <tls@ietf.org>; Mon, 24 Oct 2016 08:22:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jFQCtGUMCa8pRgx9/texZf5o+z3ZtrVdpkFLIkR/l2k=; b=pLSO0f/XkHHlcJCfzJzJ/jiBdhdiytQc9EdxVpeXizOa7VYr9U/Z8GyADBm31ZaMv/ Rdmm49jlBTXi9vEOpCLmVHY+QvuEUWQafUlHCOasqW4ZYa0p/wQ6gvDaO1Exwt5fjXLf kg+/RYkKbzZF74cNjEGxOSjezp64FIbRkpAndUPO78k/5XYGDA7+plawKxFn4nKfEbpQ 8IbCdCy4SAuSPMmSOSQct1yvBhiDllmaxK208vqxOM9NUAeD+lKwhImHzHxh8+NUuofN uO8Rjd79mSpU5jrVVvQ36yHz+xEiMurgxHwV50LNQ3EzTNkOeUuKx6VHjeGnJGCQjGs3 0/Ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=jFQCtGUMCa8pRgx9/texZf5o+z3ZtrVdpkFLIkR/l2k=; b=KczATIuocHR6YgCdUQoOj0xnPP1hlWekg4kqqfEvY7sQeHNwOCrvgzS85usJ3hK0ss paHfxjeEJu6q6mXvVjcXN7rO10K72InLAW2I/NxfEz2MNYnGELFl3RWgvcJMhTK7ddUg tN/JdDUD6ru7ND71uvrujU354e1qP3zDdPgt/Cp7yLAF4IPlm2E0YCQ1kef53Ffaur4B 4A9j9/gkxjz0fuToB3l9E/7zn46PDUr0QvZ28Hrnn5sspggCtPcK1BBw5ABxy7NQpHs4 6eySu1RqtoSz4Rjku6/Sh2nsxKI8n6JSkzwavFQM78orrO6fiNed/xOJk6prrteHsAE3 F4Nw==
X-Gm-Message-State: ABUngvfjdnI9t8a17ph70EC6kmbfkla8ONZGy7M3MVoYSNrWmqGGy4gfrTnaoaUWGtjsaYuDZHd6Xk1vcJxodw==
X-Received: by 10.107.164.103 with SMTP id n100mr12873717ioe.35.1477322527335; Mon, 24 Oct 2016 08:22:07 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.188.4 with HTTP; Mon, 24 Oct 2016 08:22:06 -0700 (PDT)
In-Reply-To: <CADZyTkkJv2yyd5p7CR8p5gHCE+gjWQNu-+39N4RW-26gh+NzSA@mail.gmail.com>
References: <20160527171935.11166.82258.idtracker@ietfa.amsl.com> <7a3597ae-92b8-23c8-b2c3-357f6fdb6792@bouncycastle.org> <6CE18F17-F8E0-4F4A-95A4-BE9B3A8250A2@sn3rd.com> <80bc8ae67e0ba0e2355b26bdbb34d1b6.squirrel@www.trepanning.net> <D41FA5C6.52E9B%john.mattsson@ericsson.com> <CADZyTkkJv2yyd5p7CR8p5gHCE+gjWQNu-+39N4RW-26gh+NzSA@mail.gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Mon, 24 Oct 2016 11:22:06 -0400
X-Google-Sender-Auth: XRqXwGt9PD180LuOwCuNdvj9t1M
Message-ID: <CADZyTkmHwL=2MVQOUKwDkMur_gMiT_00Q6EY-h=zOUbfeddAOA@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Content-Type: multipart/alternative; boundary="001a1141c95675efdd053f9df42a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pMBsCr3tq_0FBC0hXIkRJqSQ1Ys>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-ecdhe-psk-aead-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2016 15:22:12 -0000

Hi,

My understanding is that the updated version should not introduce any
profile. Am I correct ?

BR,
Daniel

On Mon, Oct 17, 2016 at 1:16 PM, Daniel Migault <daniel.migault@ericsson.com
> wrote:

> Hi,
>
> I am not very clear on how to update the text of the draft. The problem
> seems to me that code point restriction are hard to implement. As a result,
> the session is aborted with - insufficient_security(71) or equivalent -
> when the code point does not match the security strength. I am encline to
> think that we should also provide some profiles that achieve 128/256 bit
> security. These profiles may be described in this document or in another
> document more related to cryptographic recommendation. What would be the
> most appropriated way to move forward ?
>
> BR,
> Daniel
>
>
>
> On Sun, Oct 9, 2016 at 2:59 AM, John Mattsson <john.mattsson@ericsson.com>
> wrote:
>
>> Hi Dan, Sean, Nikos,
>>
>> First, let me state that I think requiring 128-bit key management for
>> AES-128 is quite reasonable.
>>
>> HTTP/2 [RFC7540] also has some related text in Section 9.2.1 that applies
>> when TLS is used for HTTP/2. "Endpoints MAY treat negotiation of key sizes
>> smaller than the lower limits as a connection error (Section 5.4.1
>> <https://tools.ietf.org/html/rfc7540#section-5.4.1>) of type
>> INADEQUATE_SECURITY."
>>
>>
>> I think this is a question for TLS in general,
>> draft-ietf-tls-ecdhe-psk-aead should just follow what the TLS WG decides
>> as the general way forward. Wether that is MAY/SHOULD/SHALL treat groups
>> with insufficient security as an error.
>>
>> I think the real problem here are TLS libraries supporting 1024 MODP and
>> 160 ECC at all, support for these should have been removed before 2010.
>> Nikos [0] recommends a RCF forbidding weak elliptic curves from TLS 1.2
>> (i.e. WeakDH DieDieDie!!!). I think this is a great idea and much better
>> than bundling it into a code-point assignment RFC. (My current plans for
>> the next update of 3GPP’s TLS and DTLS profiles is simply to forbid
>> support of anything weaker than 2048 MODP and 255-bit ECC).
>>
>> [0]. https://mailarchive.ietf.org/arch/msg/tls/4PZsc_Dy-aT299BYrl
>> BKvZs0BOQ
>>
>>
>>
>> Cheers,
>> John
>>
>>
>> On 11/07/16 22:26, "TLS on behalf of Dan Harkins" <tls-bounces@ietf.org
>> on
>> behalf of dharkins@lounge.org> wrote:
>>
>> >
>> >  I'm glad I have to opportunity to make you happy Sean :-)
>> >
>> >On Mon, July 11, 2016 7:40 am, Sean Turner wrote:
>> >> I think I can take this bit:
>> >>
>> >> On Jul 10, 2016, at 06:51, Peter Dettman
>> >><peter.dettman@bouncycastle.org>
>> >> wrote:
>> >>>
>> >>> I'm also curious whether there is a precedent in other RFCs for an
>> >>> explicit minimum curve bits, or perhaps a de facto implementer's rule?
>> >>
>> >> I'd be happy to be wrong here. but to my knowledge no there's not been
>> >> an explicit minimum for curve bits.  There have however been similar
>> (at
>> >> least in my non-cryptographer mind) for RSA key sizes so if we wanted
>> to
>> >> define an explicit minimum curve bits then we could.
>> >
>> >  draft-ietf-tls-pwd-07 includes a RECOMMENDED practice of ensuring
>> >the curves used provide commensurate strength with the ciphersuite
>> >negotiated. Section 10, "Implementation Considerations", says:
>> >
>> >   It is RECOMMENDED that implementations take note of the strength
>> >   estimates of particular groups and to select a ciphersuite providing
>> >   commensurate security with its hash and encryption algorithms.  A
>> >   ciphersuite whose encryption algorithm has a keylength less than the
>> >   strength estimate, or whose hash algorithm has a blocksize that is
>> >   less than twice the strength estimate SHOULD NOT be used.
>> >
>> >  And I would like to take this opportunity to remind everyone that
>> >the only difference between TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
>> >and TLS_ECCPWD_WITH_AES_128_GCM_SHA256 is that the latter is resistant
>> >to dictionary attack and the former is not.
>> >
>> >  regards,
>> >
>> >  Dan.
>> >
>> >
>> >
>> >_______________________________________________
>> >TLS mailing list
>> >TLS@ietf.org
>> >https://www.ietf.org/mailman/listinfo/tls
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>

v2.30.2 | Report a Bug | By Email | System Status