Re: [TLS] Do we need DH?

Yoav Nir <ynir.ietf@gmail.com> Mon, 29 December 2014 17:42 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACsn0cmD=YA4i889f--e_b-OahUVoYdKyQUaiUN--QKOmqn8uA@mail.gmail.com>
Date: Mon, 29 Dec 2014 19:42:49 +0200
Message-Id: <8E137973-DFFA-44D6-A59A-CC8DF0972828@gmail.com>
References: <CACsn0cmD=YA4i889f--e_b-OahUVoYdKyQUaiUN--QKOmqn8uA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/t5UVMNIpwX_ekRMLHxqv-D4h2uE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Do we need DH?

I don’t know of any reason besides legacy compatibility to support regular DH. In IKE it is necessary, because DH (and forward secrecy) was mandatory from the start. In TLS PFS has been defined forever, but it only became popular fairly recently, when ECDHE was already defined and implemented.

So speaking only for myself, I have no plan to add FF DH in my TLS implementation. I said as much when TLS was considering DKG’s draft.

Yoav

> On Dec 29, 2014, at 12:38 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> Dear all,
> 
> I invite you to consider the following interesting sources
> 
> http://www.spiegel.de/media/media-35511.pdf
> http://www.spiegel.de/media/media-35510.pdf
> 
> These show that the NSA has a comparatively easy time exploiting static RSA.
> 
> From this it seems that performance actually matters: the slow speed
> of DH exchange compared to ECC explains why ECC, and not DH, is
> replacing RSA. DH is also being attacked by PHOENIX: I can wild mass
> guess that this is batch FFS: I don't know if this has been researched
> extensively, and even batch NFS has only an asymptotic analysis.
> 
> Given the low usage of the DH handshake, and potential vulnerabilities
> (not potential, but certainly not as well understood) should we keep
> it in TLS 1.3?
> 
> Sincerely,
> Watson Ladd
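The thread turns on which key-exchange methods a TLS deployment still offers: static RSA key transport gives no forward secrecy (a recorded session can be decrypted later by anyone who obtains the server's private key), finite-field DHE is rarely used, and ECDHE is what replaced both. A defender's first step is an inventory of the suites a server offers or negotiates. The following is an added example, not code from the thread or from any IETF draft; it classifies OpenSSL-style and IANA-style suite names by key exchange, flags the static-RSA ones, and can optionally probe a live host with Python's standard-library `ssl` module. The sample suite list in `main` is constructed for illustration, and the prefix rules assume the OpenSSL and IANA naming conventions.

```python
"""Classify TLS cipher suites by key-exchange method and flag those without
forward secrecy. Added example; suite-name prefix rules follow OpenSSL and
IANA naming conventions (assumption: inputs use one of those two styles)."""
import socket
import ssl

# TLS 1.3 suite names carry only the AEAD and hash: the key exchange is always
# (EC)DHE or PSK-with-(EC)DHE, never RSA key transport.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Key-exchange classes that give forward secrecy.
FORWARD_SECRET = {"ECDHE", "DHE", "TLS1.3"}


def key_exchange(suite: str) -> str:
    """Return 'ECDHE', 'DHE', 'static ECDH', 'static DH', 'RSA', 'TLS1.3' or 'other'."""
    name = suite.strip().upper()
    if name in TLS13_SUITES:
        return "TLS1.3"
    # Normalise IANA names (TLS_DHE_RSA_WITH_...) to the OpenSSL shape (DHE-RSA-...).
    norm = name.replace("_", "-")
    if norm.startswith("TLS-"):
        norm = norm[4:]
    # Anonymous, PSK-only, SRP, Kerberos, NULL and GOST suites are out of scope here.
    if "ANON" in norm or norm.startswith(("ADH-", "AECDH-", "PSK-", "SRP-", "KRB5-", "NULL", "GOST")):
        return "other"
    if norm.startswith("ECDHE-"):
        return "ECDHE"
    if norm.startswith(("DHE-", "EDH-")):
        return "DHE"
    if norm.startswith("ECDH-"):
        return "static ECDH"
    if norm.startswith("DH-"):
        return "static DH"
    # OpenSSL names with no key-exchange prefix (AES128-SHA, RC4-SHA, ...) and
    # IANA TLS_RSA_WITH_* both mean RSA key transport: no forward secrecy.
    return "RSA"


def is_forward_secret(suite: str) -> bool:
    """True when the suite's key exchange uses ephemeral (EC)DH."""
    return key_exchange(suite) in FORWARD_SECRET


def audit(suites):
    """Return (suite, key-exchange class, forward-secret?) for each offered suite."""
    return [(s, key_exchange(s), is_forward_secret(s)) for s in suites]


def static_rsa_suites(suites):
    """The subset of suites that use RSA key transport; these should be removed."""
    return [s for s in suites if key_exchange(s) == "RSA"]


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the stdlib ssl module and classify the negotiated suite."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
            return {
                "suite": name,
                "version": version,
                "bits": bits,
                "kx": key_exchange(name),
                "forward_secret": is_forward_secret(name),
            }


if __name__ == "__main__":
    import sys

    # Constructed sample: the kind of list a scanner reports for a legacy server.
    sample = [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES256-SHA",
        "AES128-SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_AES_256_GCM_SHA384",
    ]
    for s, kx, fs in audit(sample):
        print(f"{s:40} {kx:12} {'forward secret' if fs else 'NO forward secrecy'}")
    print("remove:", static_rsa_suites(sample))
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python3 tls_kx_audit.py example.com
```

`probe` reports only the single suite your client negotiated, which depends on the client's own preferences; `audit` over a full offered-suite list (from a scanner or the server's configuration) is the check that tells you whether static RSA or static DH remains enabled at all.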