Re: [TLS] Another IRINA bug in TLS

Kurt Roeckx <kurt@roeckx.be> Sat, 23 May 2015 12:11 UTC

Return-Path: <kurt@roeckx.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D4251A1A4E for <tls@ietfa.amsl.com>; Sat, 23 May 2015 05:11:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GndVn_8OPDTU for <tls@ietfa.amsl.com>; Sat, 23 May 2015 05:11:54 -0700 (PDT)
Received: from defiant.e-webshops.eu (defiant.e-webshops.eu [82.146.122.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 203961A1A42 for <tls@ietf.org>; Sat, 23 May 2015 05:11:54 -0700 (PDT)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by defiant.e-webshops.eu (Postfix) with ESMTP id 467AC1C21B7; Sat, 23 May 2015 14:11:52 +0200 (CEST)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id 152E61FE014F; Sat, 23 May 2015 14:11:52 +0200 (CEST)
Date: Sat, 23 May 2015 14:11:52 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Message-ID: <20150523121151.GA18846@roeckx.be>
References: <555DBF7E.9050807@redhat.com> <1432207863352.27057@microsoft.com> <555DC498.2000109@redhat.com> <1432209104.3243.65.camel@redhat.com> <1432219967072.32353@microsoft.com> <810C31990B57ED40B2062BA10D43FBF5DDDDEB@XMB116CNC.rim.net> <CACsn0c=HuipCG20HGO+uLfBcm+bOEZQFdFdyKWsA1d5D3W0ZCA@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF5DDF130@XMB116CNC.rim.net> <CAH8yC8mjvXzFm038bXKJr=cnavJ8JGTV4Cufepvv8fXAXp041w@mail.gmail.com> <B515FE85-F5C2-4609-A673-936354CEB066@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <B515FE85-F5C2-4609-A673-936354CEB066@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qxd-fE5oDjqCzCh0nvfIuzFrieM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Another IRINA bug in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 May 2015 12:11:58 -0000

On Fri, May 22, 2015 at 10:36:57PM +0200, Karthikeyan Bhargavan wrote:
> 
> > I think the authors felt the same. But in Section 4 of the paper, they said:
> 
> As one of the authors of the paper, let me try to clarify our recommendations a little bit.
> First, we only know what is broken, and can only make precise recommendations for avoiding the attacks in the paper.
> Figuring out what's a good long-term alternative is for a community forum like this to decide. 
> 
> If we were to make a recommendation for TLS, at least as it is used on the web, it would be as follows, 
> in decreasing order of preference:
> 
> 1) Switch to ECDHE. 
>     It is faster, and the kinds of attacks discussed in our paper have not (yet) been shown to be effective for the common curves.
>     As usual, we need to be wary of weak curves (160-bit) or curves that may have been generated maliciously.
>     We leave it to the EC folks to tell us what are good curves to use.
> 
> 2) Switch to stronger (>=2048-bit) DHE groups.
>     If ECDHE is unavailable, we are happy (today) with >= 2048 groups as suggested in the FF-DHE draft.
>     As usual, we have to be wary of how these groups are generated, since there is the possibility of trapdoors being built in.
>     Using well known constants such as pi or e as the basis for prime generation (e is used in FF-DHE) is, as far as we know, 
>     a safe technique for generating a group with a low probability of a trapdoor.

The weakdh.org site currently says:
| If you run a server...
| 
| If you have a web or mail server, you should disable support for
| export cipher suites and generate a unique 2048-bit Diffie-Hellman
| group.

Should that be changed to "and use a 2048-bit Diffie-Hellman
group"?


Kurt