Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 30 July 2021 19:30 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "tls@ietf.org" <tls@ietf.org>
Date: Fri, 30 Jul 2021 19:30:31 +0000
Message-ID: <BL3PR11MB5682F0455884BAC742324DD8C1EC9@BL3PR11MB5682.namprd11.prod.outlook.com>
References: <CAOgPGoARpxr8-FzYJPRcup9XF-DRv875aAnuNZtoLPHM9-6j-w@mail.gmail.com> <4c0aafd3-fc8f-453a-a009-44ecc18dafd7@www.fastmail.com> <YQNLizvBb/xZyxkl@straasha.imrryr.org> <SY4PR01MB6251677071C9EDF4E5149616EEEC9@SY4PR01MB6251.ausprd01.prod.outlook.com> <YQRLcoKm/+lVGwfv@straasha.imrryr.org>
In-Reply-To: <YQRLcoKm/+lVGwfv@straasha.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qfmSD4cF_8okcB9cDbA6XqaHSs8>

> Was it wrong to generate server-side DH parameters?

The problem is that it is hard for the client to distinguish between a well designed server vs a server that isn't as well written, and selects the DH group in a naïve way.

For example, if the server just selects a random prime and a random generator value, well, that has a good probability of leaking quite a bit of information about the private exponents; leak enough, and the shared secret may be recoverable.  This is not obvious to someone new to the field; it is also very hard to detect by the client.

Now, as I mentioned in the WG meeting, it would be possible to detect if the server proposes a safe prime (it's not especially cheap, being several times as expensive as the rest of the DH operations, but it's possible), and that would prevent most of the problems that can happen (exception: if the server proposes an SNFS-friendly modulus, say, one with a very simple binary representation - that would reduce the security noticeably).  Of course, this works only if the legacy servers you are talking about actually do use safe primes...

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Viktor Dukhovni
Sent: Friday, July 30, 2021 2:57 PM
To: tls@ietf.org
Subject: Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS

On Fri, Jul 30, 2021 at 05:14:08AM +0000, Peter Gutmann wrote:

> >The only other alternative is to define brand new TLS 1.2 FFDHE 
> >cipher code points that use negotiated groups from the group list.  
> >But it is far from clear that this is worth doing given that we now have ECDHE, X25519 and X448.
> 
> There's still an awful lot of SCADA gear that does FFDHE, and that's 
> never going to change from that.  The current draft as it stands is 
> fine, in fact it seems kinda redundant since all it's saying is "don't 
> do things that you should never have been doing in the first place", 
> but I assume someone needs to explicitly say that.  No need to go beyond that.

Can you explain what you mean by "don't do things that you should never have been doing in the first place"?

There are quite a few deployments that generate local strong (Sophie Germain prime) DH parameters.  These would break if the draft sails through as-is, and there's no mechanism for the client to inform the legacy server that its would-be choice of DH parameters is not acceptable.

Was it wrong to generate server-side DH parameters?

-- 
    Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
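The two points Scott Fluhrer makes above, that a client could test whether a server-supplied modulus is a safe prime at the cost of a couple of extra primality tests, and that a naively chosen (p, g) leaks bits of the private exponent, worked through as an added example for this page. It is not code from the thread, from Cisco, or from any TLS implementation. `validate_dh_params` is the check a client could run on the parameters in a TLS 1.2 ServerKeyExchange; `make_naive_params` is a constructed toy "server" whose p - 1 is forced to be divisible by a handful of small primes so the leak is guaranteed to show, and `demo_leak` recovers the client's private exponent modulo the product of those primes from nothing but the public value, using the small-subgroup step of Pohlig-Hellman. The function names, the 64-bit cofactor, the seeded RNG and the list of small factors are assumptions for illustration; a real client runs the same checks on a 2048-bit or larger modulus.

```python
"""Client-side checks on server-supplied FFDHE parameters, plus a demonstration of
the private-exponent leakage a naively chosen (p, g) causes.  Added example, not
code from the thread or any TLS stack.  The 64-bit cofactor and seeded RNG are
assumptions so it runs offline in under a second."""
import random

SMALL_FACTORS = (2, 3, 5, 7, 11, 13)  # constructed smooth part of p - 1 for the demo


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: always True for a prime, False for a composite except with
    probability at most 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with both p and q prime.  Two primality tests on a 2048-bit
    number cost several times the modular exponentiations of the DH itself."""
    return p >= 5 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_dh_params(p: int, g: int, min_bits: int = 2048) -> list:
    """Reasons for a client to reject a ServerKeyExchange (p, g); empty = accept."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus is {p.bit_length()} bits, below {min_bits}")
    if not is_safe_prime(p):
        problems.append("modulus is not a safe prime")
        return problems  # subgroup test below assumes q = (p-1)/2 is prime
    if not 2 <= g <= p - 2:
        problems.append("generator outside [2, p-2]")
    elif pow(g, (p - 1) // 2, p) != 1:
        # g has order 2q: g**x is a quadratic residue iff x is even, so the
        # low bit of every private exponent is public.
        problems.append("generator is not in the prime-order subgroup (order 2q)")
    return problems


def make_naive_params(seed: int, cofactor_bits: int = 64) -> tuple:
    """Constructed toy server that 'just picks a random prime and generator'.
    p - 1 is forced to be divisible by every small factor, and g is chosen with
    each of those factors in its order, so the leak is guaranteed to show."""
    rng = random.Random(seed)
    m = 1
    for r in SMALL_FACTORS:
        m *= r
    while True:
        p = m * rng.getrandbits(cofactor_bits) + 1
        if is_probable_prime(p):
            break
    while True:
        g = rng.randrange(2, p - 1)
        if all(pow(g, (p - 1) // r, p) != 1 for r in SMALL_FACTORS):
            return p, g


def pohlig_hellman_residues(p: int, g: int, y: int, factors) -> dict:
    """From the public value y = g**x mod p, recover x mod r for each small prime
    r dividing p - 1 (the smooth-subgroup step of Pohlig-Hellman)."""
    residues = {}
    for r in factors:
        h = pow(g, (p - 1) // r, p)  # element of order exactly r
        t = pow(y, (p - 1) // r, p)  # equals h**(x mod r)
        residues[r] = next(e for e in range(r) if pow(h, e, p) == t)
    return residues


def crt(residues: dict) -> tuple:
    """Combine x mod r over pairwise coprime r into (x mod M, M)."""
    x, mod = 0, 1
    for r, a in residues.items():
        x += mod * ((a - x) * pow(mod, -1, r) % r)
        mod *= r
    return x, mod


def demo_leak(seed: int = 2021) -> tuple:
    """(true x mod M, recovered x mod M, M) for a client using the naive server's
    parameters; the first two agree, computed from the public value alone."""
    p, g = make_naive_params(seed)
    x = random.Random(seed + 1).randrange(2, p - 1)  # client's private exponent
    y = pow(g, x, p)                                 # what an eavesdropper sees
    recovered, m = crt(pohlig_hellman_residues(p, g, y, SMALL_FACTORS))
    return x % m, recovered, m
```

Against a safe prime the same Pohlig-Hellman step can only ever yield x mod 2 (p - 1 = 2q has no other small factor), which is why the safe-prime test closes off this whole class of naive parameters; `demo_leak()` shows the opposite case, where the residue of x modulo 30030 falls out of a single public value. The check does not address the other residual risk the message names, a modulus with special structure that makes SNFS cheaper, since that is a property of the particular prime rather than of its factorisation pattern.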