[TLS] Re: TLS 1.2 draft
Simon Josefsson <simon@josefsson.org> Wed, 07 March 2007 09:53 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOspj-0002O7-On; Wed, 07 Mar 2007 04:53:19 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOsph-0002JP-Ui for tls@ietf.org; Wed, 07 Mar 2007 04:53:17 -0500
Received: from 178.230.13.217.in-addr.dgcsystems.net ([217.13.230.178] helo=yxa.extundo.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HOspf-0005pj-HE for tls@ietf.org; Wed, 07 Mar 2007 04:53:17 -0500
Received: from extundo.com (yxa.extundo.com [217.13.230.178]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l279r09W028069 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Mar 2007 10:53:02 +0100
From: Simon Josefsson <simon@josefsson.org>
To: EKR <ekr@networkresonance.com>
References: <200703061740.SAA00305@uw1048.wdf.sap.corp> <86irdetgcx.fsf@raman.networkresonance.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:070307:martin.rex@sap.com::ybz8f6xUZAhT5Y1x:7G76
X-Hashcash: 1:22:070307:tls@ietf.org::lqaJaj9eFeGLEuma:LG/p
X-Hashcash: 1:22:070307:ekr@networkresonance.com::Wt1Y8DSxQWCZEhO3:SgCz
Date: Wed, 07 Mar 2007 10:53:00 +0100
In-Reply-To: <86irdetgcx.fsf@raman.networkresonance.com> (Eric Rescorla's message of "Tue\, 06 Mar 2007 09\:46\:22 -0800")
Message-ID: <87vehdl6rn.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.94 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Status: No, score=-0.8 required=4.0 tests=AWL,BAYES_40 autolearn=ham version=3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 8b30eb7682a596edff707698f4a80f7d
Cc: tls@ietf.org
Subject: [TLS] Re: TLS 1.2 draft
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Eric Rescorla <ekr@networkresonance.com> writes:

> What I'm saying is that the recommendation to prevent his attack
> is to use an RSA_DHE ciphersuite

I agree with that. However, if I remember correctly, DHE key exchanges are generally slower than plain RSA key exchanges with temporary keys, although it depends on the DH group size.

> and use a fresh DH ephemeral with each key exchange. This provides
> the same security at a substantially superior performance level.

Generating a fresh DH ephemeral with each key exchange would deplete the entropy in many RNGs. Perhaps we could discuss the frequency at which DH ephemerals should be changed, possibly also in the document. There are tools out there that use a static hard-coded DH ephemeral in the code, and some configurations where the DH ephemeral is stored in a separate file, but never refreshed anyway.

I can't find an appropriate section, but section 8.1.2 seems as good as any, so I suggest adding this to the end of it:

   When ephemeral DH parameters are needed, they SHOULD be refreshed with some interval appropriate for the local environment. This MAY be for each new key exchange, but MAY also be each day, week or month.

That's quite fuzzy, but I'm not sure there are any good recommendations on this. In GnuTLS, I think we recommend changing the DH ephemeral somewhere around each day or week.

The change frequency is related to the size of the DH group, I guess, and it would be interesting to know what sizes others default to? GnuTLS uses 1024 bit DHE parameters by default.

/Simon

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
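To make the trade-off in this exchange concrete (EKR's "fresh DH ephemeral with each key exchange" versus the interval-based refresh Simon proposes), here is a constructed Python example. It is added here and is not GnuTLS, OpenSSL or IETF code, nor code from either poster. It models a server-side DH exponent that is refreshed every N handshakes or after a time limit, counts how many RNG draws each policy costs, and counts how many past sessions a single leaked server exponent would let someone reconstruct, which is the forward-secrecy cost of reuse. The group is a 64-bit toy safe prime found with a seeded search so the numbers stay small; the class name `EphemeralPolicy`, the functions, the seed and all counts are assumptions made for the demo, not values from the thread.

```python
"""Fresh vs. reused ephemeral DH exponents under a refresh policy.

Constructed example for this thread (not GnuTLS, OpenSSL or IETF code).
A small toy safe prime keeps the arithmetic readable; real deployments use
large groups such as the 1024-bit default mentioned in the message.
"""
import random
import secrets
import time

_MR_RNG = random.Random(1)  # deterministic witnesses are fine for a demo group


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (probabilistic, demo quality)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = _MR_RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits, seed=2007):
    """Deterministically find p = 2q + 1 with q prime (a 'safe prime')."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


P = toy_safe_prime(64)  # constructed 64-bit group, demo only
G = 4                   # 4 = 2^2 generates the order-q subgroup of a safe prime


def gen_ephemeral():
    """One RNG draw: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


class EphemeralPolicy:
    """Server-side DH exponent, refreshed every `max_uses` handshakes or
    `max_age` seconds, whichever comes first. max_uses=1 models a fresh
    ephemeral per key exchange; larger values model a cached exponent
    refreshed on an interval (hypothetical policy class, not a real API)."""

    def __init__(self, max_uses=1, max_age=None, clock=time.monotonic):
        self.max_uses, self.max_age, self.clock = max_uses, max_age, clock
        self.refreshes = 0
        self._refresh()

    def _refresh(self):
        self.priv, self.pub = gen_ephemeral()
        self.born, self.uses = self.clock(), 0
        self.refreshes += 1

    def stale(self):
        if self.uses >= self.max_uses:
            return True
        return self.max_age is not None and self.clock() - self.born >= self.max_age

    def key_exchange(self, client_pub):
        """Return (server public value, shared secret) for one handshake."""
        if self.stale():
            self._refresh()
        self.uses += 1
        return self.pub, pow(client_pub, self.priv, P)


def run_handshakes(policy, n):
    """Simulate n clients, each with its own fresh exponent.
    Returns the transcript (client_pub, server_pub, shared) per session."""
    transcript = []
    for _ in range(n):
        cx, cpub = gen_ephemeral()
        spub, shared = policy.key_exchange(cpub)
        assert pow(spub, cx, P) == shared  # both sides derive the same secret
        transcript.append((cpub, spub, shared))
    return transcript


def sessions_exposed(transcript, leaked_server_priv):
    """Count past sessions whose secret one leaked server exponent
    reconstructs. With a per-handshake exponent this is at most 1."""
    return sum(1 for cpub, _, shared in transcript
               if pow(cpub, leaked_server_priv, P) == shared)


if __name__ == "__main__":
    for uses in (1, 10, 100):
        pol = EphemeralPolicy(max_uses=uses)
        log = run_handshakes(pol, 100)
        print(f"refresh every {uses:>3} handshake(s): {pol.refreshes:>3} RNG draws, "
              f"{sessions_exposed(log, pol.priv):>3} of 100 sessions exposed")
```

Running the module prints one line per policy: refreshing every handshake costs 100 RNG draws for 100 sessions but exposes only the current session if the exponent leaks, while a single cached exponent costs one draw and exposes all 100. A time-based `max_age` can be combined with `max_uses` so that the "each day, week or month" interval in the proposed text is enforced even on a quiet server.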