Re: [TLS] Deprecating FFDHE + RSA Key Exchange

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 06 April 2021 13:00 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u0WU8ADoL9uLUeR1qiM06t3EUe8>

As has been pointed out, TLS is *not* just the Web. And TLS peers are not necessarily browsers.

Yes, there are reasons to avoid deprecating FFDHE with RSA signatures on the open Internet (besides that doing it would be silly counterproductive, as not everybody uses ECC).

Limiting FFDHE to well-known groups would probably be a good idea. Though it would be educational to hear from those who for some reason need weird “special” groups of weird sizes.

--

Regards,

Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

- C. A. R. Hoare

From: TLS <tls-bounces@ietf.org> on behalf of Nimrod Aviram <nimrod.aviram@gmail.com>
Date: Tuesday, April 6, 2021 at 05:28
To: "<tls@ietf.org>" <tls@ietf.org>
Subject: [TLS] Deprecating FFDHE + RSA Key Exchange

Dear all,

Following the discussion around draft-bartle-tls-deprecate-ffdhe, what are your thoughts on deprecating RSA key exchange, and Finite-Field Diffie-Hellman? (This would probably happen in a separate document.)

Considering the following different areas/use cases:
1. On the open Internet/web, both key exchange methods have been superseded by ECDH. Browser support for FFDHE has been entirely removed IIUC, so formally deprecating FFDHE should not be a problem (right?). Are there any reasons to avoid deprecating FFDHE and RSA on the open Internet?
2. On local networks, deprecating both key exchange methods may leave some endpoints without any key exchange algorithms. Could you please give feedback on the following:
a. Is the number of such endpoints large enough that we shouldn’t deprecate these methods?
b. If the answer to the above is yes, what would be a good plan/timeline to deprecate them?

We could also consider limiting FFDHE to well-known groups of at least 2048 bits, with fully ephemeral secrets. But this would likely cause enough interoperability problems that we might as well deprecate it fully, right?

thanks,
Nimrod
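
Added example (not part of either message above): a small audit of which endpoints would be left without any key exchange under the two options discussed in the thread, full deprecation of RSA key exchange and FFDHE versus limiting FFDHE to well-known groups of at least 2048 bits. The endpoint names, the inventory and the policy labels "deprecate" and "limit" are assumptions made for illustration; suite names follow the IANA registry and group names follow RFC 7919.

```python
# Added example: which endpoints lose every key exchange option under a policy?
# Assumption: each endpoint's group list reflects everything it can negotiate.

# RFC 7919 finite-field named groups (bits) and common elliptic-curve groups.
FFDHE_GROUPS = {"ffdhe2048": 2048, "ffdhe3072": 3072, "ffdhe4096": 4096,
                "ffdhe6144": 6144, "ffdhe8192": 8192}
ECDHE_GROUPS = {"secp256r1", "secp384r1", "secp521r1", "x25519", "x448"}


def kx_of_suite(name):
    """Classify a suite by key exchange; None for TLS 1.3 suites."""
    if "_WITH_" not in name:
        return None  # TLS 1.3 suites do not name a key exchange
    kx = name[len("TLS_"):name.index("_WITH_")]
    if kx.startswith("ECDHE_"):
        return "ECDHE"
    if kx.startswith("DHE_"):
        return "FFDHE"
    if kx == "RSA":
        return "RSA"
    return "OTHER"  # PSK-only, static DH/ECDH, anonymous suites: not modelled


def remaining_kx(suites, groups, policy):
    """Key exchange methods still usable by an endpoint under a policy.

    "deprecate": RSA key exchange and all FFDHE are removed.
    "limit":     RSA is removed; FFDHE stays only on named groups >= 2048 bits.
    """
    ecdhe_ok = bool(ECDHE_GROUPS & set(groups))
    ffdhe_ok = policy == "limit" and any(
        FFDHE_GROUPS.get(g, 0) >= 2048 for g in groups)
    left = set()
    for kx in map(kx_of_suite, suites):
        if kx in ("ECDHE", None) and ecdhe_ok:
            left.add("ECDHE")
        if kx in ("FFDHE", None) and ffdhe_ok:
            left.add("FFDHE")
    return left


INVENTORY = {  # constructed sample data, not measurements
    "browser": (["TLS_AES_128_GCM_SHA256",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], ["x25519", "secp256r1"]),
    "legacy-plc": (["TLS_RSA_WITH_AES_128_CBC_SHA",
                    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"], []),  # custom DH group
    "rfc7919-appliance": (["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"], ["ffdhe3072"]),
}


def stranded(policy):
    """Endpoints with no key exchange left under the given policy."""
    return sorted(n for n, (s, g) in INVENTORY.items()
                  if not remaining_kx(s, g, policy))
```

With this constructed inventory, the endpoint using DHE with a custom group is stranded under both policies, while the one advertising an RFC 7919 group is stranded only under full deprecation.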