Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)

Watson Ladd <watsonbladd@gmail.com> Tue, 16 August 2016 20:36 UTC


On Tue, Aug 16, 2016 at 1:34 PM, Benjamin Kaduk <bkaduk@akamai.com> wrote:
> On 08/16/2016 05:44 AM, Peter Gutmann wrote:
>
> As far as I can see what this text is saying is that if the client can't
> guess in advance which PFS suite/group the server knows about, the server
> must disable use of PFS.  In other words instead of saying "give me a PFS
> suite, preferably with this group", it's saying "give me a PFS suite with
> exactly this group and if you can't do that, don't do PFS".  This seems
> like a pretty awful way to handle things.
>
>
> Recall that the "perfect" part depends on both sides doing what they're
> supposed to.  And if the server wants to behave badly and is doing a
> not-named group, it can send something that is not prime, or has small
> subgroups, etc. -- not all clients will check, so the client is definitely
> not guaranteed forward secrecy.

A malicious server can also send the PMS to the Nation State
Adversary. Compromised endpoints offer no security.

>
> -Ben
-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
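Ben's point that a server using a non-named group can send a modulus that is not prime or that has small subgroups, and that not all clients check, is the defender's reason to validate what arrives in ServerKeyExchange. The following is an added example, not code from this thread or from any TLS implementation: it applies the structural checks a client can run on a server-supplied (p, g, y) triple when it does not simply restrict itself to the RFC 7919 named groups. All group values in it are constructed toy-size numbers, and the function names are the example's own.

```python
"""Client-side sanity checks on server-supplied finite-field DHE parameters.

Added example for this thread; not code from the thread or any TLS stack.
The group values below are constructed for the demo (toy sizes).
"""
import secrets

# Fixed Miller-Rabin bases: deterministic for n < 3.3e24, a strong
# probabilistic test beyond that. A real client would call its crypto
# library's primality test instead of this demo routine.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the fixed bases above."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_server_dh_params(p: int, g: int, y: int) -> list[str]:
    """Return the list of problems found; an empty list means accept.

    p, g are the ServerKeyExchange group and y the server's public value.
    A client that only accepts RFC 7919 named groups compares p against
    the published primes and skips the prime tests; the structural checks
    below are what a client needs if it is willing to accept arbitrary p.
    """
    findings: list[str] = []
    if not is_probable_prime(p):
        findings.append("p is not prime")
        return findings  # nothing else is meaningful
    q = (p - 1) // 2
    if not is_probable_prime(q):
        # p-1 has small factors beyond 2: small-subgroup confinement
        # of the shared secret is possible.
        findings.append("p is not a safe prime: (p-1)/2 is composite")
        return findings
    # With p safe, every element has order 1, 2, q or 2q. Requiring
    # g^q == 1 pins g to the order-q subgroup (g != 1 is enforced by the
    # range check), so the shared secret does not leak its low bit.
    if not 2 <= g <= p - 2:
        findings.append("g outside [2, p-2]")
    elif pow(g, q, p) != 1:
        findings.append("g not in the order-q subgroup")
    # Same membership test on the peer's public value rejects 0, 1, p-1
    # (order 1 or 2) and any value outside the generated subgroup.
    if not 2 <= y <= p - 2:
        findings.append("peer public value outside [2, p-2]")
    elif pow(y, q, p) != 1:
        findings.append("peer public value not in the order-q subgroup")
    return findings


def constructed_safe_prime(bits: int) -> int:
    """Demo helper: a random safe prime of roughly `bits` bits, by trial.
    Fine at toy sizes; not how real 2048-bit groups are produced."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


if __name__ == "__main__":
    # Constructed toy group: 1487 = 2*743 + 1 is a safe prime and, since
    # 1487 % 8 == 7, g = 2 lies in the order-743 subgroup.
    P, G = 1487, 2
    good_y = pow(G, 5, P)
    cases = {
        "well-formed group and key": (P, G, good_y),
        "composite p":               (1023, G, good_y),
        "prime p, not safe":         (1021, G, good_y),
        "g of order 2q":             (P, 5, good_y),
        "peer value outside range":  (P, G, 1),
        "peer value of order 2q":    (P, G, 5),
    }
    for name, (pp, gg, yy) in cases.items():
        print(f"{name}: {validate_server_dh_params(pp, gg, yy) or 'ok'}")
```

The subgroup-membership exponentiation on y costs one extra modular exponentiation per handshake at real group sizes; the range check alone is cheap but catches only the order-1 and order-2 values, so a client that accepts arbitrary groups and wants the forward secrecy it negotiated needs the full test.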