Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

Watson Ladd <watsonbladd@gmail.com> Fri, 28 March 2014 00:09 UTC

In-Reply-To: <CABkgnnX=KM4YVf1+znp_HS+Pu6DSw64q1adDC4EOPqRLuTDZKQ@mail.gmail.com>
References: <CABkgnnX=KM4YVf1+znp_HS+Pu6DSw64q1adDC4EOPqRLuTDZKQ@mail.gmail.com>
Date: Thu, 27 Mar 2014 20:09:04 -0400
Message-ID: <CACsn0cksap5t0--65gnJt5a2yJCNtzvkDX9mmQR=T_r2xYJjYQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/uDfuvwZRo-IsEYPPBQtrfUUJOGY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Nuking DHE in favour of ECDHE (Was: Re: Confirming Consensus on removing RSA key Transport from TLS 1.3)

On Thu, Mar 27, 2014 at 8:04 PM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> (Renaming the thread, since this is what we seem to be talking about)
>
> On 27 March 2014 16:55, Marsh Ray <maray@microsoft.com> wrote:
>> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Alyssa Rowan
>>>
>>> Show of hands: who *really* wants to deploy 2048-bit (or above) DHE, when they could have curve25519 instead?
>>
>> The general consensus at Microsoft is that we like ECDHE much better than the classic DHE.
>
> I think that this is the general trend, but is it so bad that you
> would want to prohibit DHE?

Well, the DHE handshake has validation issues: implementations aren't
checking they get sensible inputs.
Fix that, and maybe you have an argument for keeping it. But as it
stands now the insecure resumption attacks are exploiting behavior in
DHE that isn't fixable without a DoS vector being introduced.

Sincerely,
Watson Ladd

-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
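A defensive illustration of the DHE input validation the mail above refers to, as an added example that is not part of this message or of any TLS implementation: a client-side sanity check of the ServerKeyExchange values (p, g, Ys), with the subgroup-order q and the optional safe-prime test standing in for the per-handshake cost behind the DoS concern. Function names and the small sample group used in the test are constructed for illustration.

```python
"""Sanity checks a TLS client could apply to DHE ServerKeyExchange values.

Added example, not from the original mail or any TLS stack. Assumes the
server sends (p, g, Ys) as in TLS 1.2 and that the subgroup order q is
only known for a pre-agreed group (it is not carried in the handshake).
"""
import random


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin; cost grows with the bit length of n, which is the
    per-handshake expense that makes full parameter checking a DoS risk."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_dhe_params(p, g, ys, q=None, min_bits=2048, check_safe_prime=False):
    """Return the reasons to reject the server's values; [] means accept."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("p too small")
    if p % 2 == 0 or not is_probable_prime(p):
        problems.append("p not prime")
    if not 2 <= g <= p - 2:
        problems.append("g out of range")
    if not 2 <= ys <= p - 2:
        problems.append("Ys out of range")  # rejects 0, 1 and p-1 (order 2)
    elif q is not None and pow(ys, q, p) != 1:
        problems.append("Ys not in prime-order subgroup")  # small-subgroup guard
    if check_safe_prime and not is_probable_prime((p - 1) // 2):
        problems.append("(p-1)/2 not prime")  # the expensive optional check
    return problems
```

With an unknown group the client can only apply the range checks; the subgroup and safe-prime checks need either a known q or a primality test on a 2048-bit value for every handshake.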