Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group

Yoav Nir <ynir.ietf@gmail.com> Tue, 04 November 2014 18:55 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78CC61ACD88 for <tls@ietfa.amsl.com>; Tue, 4 Nov 2014 10:55:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qY2Q3pJMm7nr for <tls@ietfa.amsl.com>; Tue, 4 Nov 2014 10:55:07 -0800 (PST)
Received: from mail-wg0-x236.google.com (mail-wg0-x236.google.com [IPv6:2a00:1450:400c:c00::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CA0F1ACD7F for <tls@ietf.org>; Tue, 4 Nov 2014 10:55:07 -0800 (PST)
Received: by mail-wg0-f54.google.com with SMTP id n12so8927174wgh.27 for <tls@ietf.org>; Tue, 04 Nov 2014 10:55:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=LwIEuRFQ4NM+VxT76N6plekoNQtnd99vldbI1sb3ps4=; b=hF45tcG7ygUkctbc5oKhzK///JAteZjFKq9gAFOWQNGf/fMzbH+7c0ybW1XGdSjof2 FtViChWNEHrDcZjYUesz4Kfkk1zcZKLqEiHN3ZWZwajykfV9yR7wtJr1dSG0qB4joaN3 T+K/s75ZjVBMehdrzgPQcRHE0Fo+UN6i4uK8d3qUfqOCCKgpppj9sG27bi8rUULTvsDB edKCvu9XywPtMW6+dCRV8mvUhhz8Q4xDzFJMZUpjtCEQ/CKVfsCGbDeFbOArIclnt/WT 3IRTAe03GhaAASl2PBayyUBYRgP1ZGlYgccAIDNUF5pg0WAuH3atNQbSK5WVvXbKxuQq MWNA==
X-Received: by 10.194.63.79 with SMTP id e15mr19208845wjs.79.1415127305449; Tue, 04 Nov 2014 10:55:05 -0800 (PST)
Received: from [192.168.1.103] (IGLD-84-228-87-161.inter.net.il. [84.228.87.161]) by mx.google.com with ESMTPSA id wx3sm1480543wjc.19.2014.11.04.10.55.04 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 04 Nov 2014 10:55:05 -0800 (PST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1990.1\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <8E6B8F53-9E8C-46B2-A721-85E918576F3A@ieca.com>
Date: Tue, 04 Nov 2014 20:55:02 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <2BBD35FD-9573-415F-AEAB-FAFF37BB0255@gmail.com>
References: <8E6B8F53-9E8C-46B2-A721-85E918576F3A@ieca.com>
To: Sean Turner <TurnerS@ieca.com>
X-Mailer: Apple Mail (2.1990.1)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/qCpHTusoPDQcoQGtlpiRi5p2oc4
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 18:55:09 -0000

2048

I have very little use for FF DHE, but matching the strength of the certificates that are in use (and RSA 2048 is overwhelmingly more popular at this point than ECDSA or RSA with greater values). 

Yoav

> On Nov 4, 2014, at 7:49 PM, Sean Turner <TurnerS@ieca.com> wrote:
> 
> Hi!
> 
> At the TLS Interim meeting in Paris, the WG discussed the FF DHE draft (https://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/)  The chairs would like to poll the WG on one of the issues in the draft namely the size of the minimum group.
> 
> The draft currently includes a minimum group size of 2432 but the WG also discussed 2048.  Groups smaller than 2048 were discounted for a standards track document as too weak for use but might be documented in a separate “historic” draft.  To help us reach consensus on this point, please reply to this email indicating whether you favor a “2048" or “2432” minimum group size.  Note we’re also looking to specify the smallest number of options for groups as is acceptable - i.e., we’re not looking at specifying both 2048 and 2432.
> 
> Background: Regardless of whether you agree with what follows or not, the following has been put forward as the rationale. We don’t need comments on the rationale, we’re just providing it for background.
> 
> 1) 3DES has a 112-bit work factor and is still considered acceptable in TLS 1.2 and the DLOG keying material shouldn’t be any weaker than the symmetric cipher.
> 
> 2) There is some disagreement about the work factor for the DLOG keys - e.g., NIST says 112-bit work factor correlates to 2048-bit DLOG keys but ECRYPT-II says 112-bit work factor correlates to 2432-bit DLOG keys (see references in draft).
> 
> 3) The other point made about 2048-bit DLOG is that it’s a power of 2 and there’s parity with the public key sizes.
> 
> Cheers,
> j&s
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls