[TLS] STRAW POLL: Size of the Minimum FF DHE group

Sean Turner <turners@ieca.com> Tue, 04 November 2014 17:49 UTC

Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id D0B981ACCE3 for <tls@ietfa.amsl.com>; Tue, 4 Nov 2014 09:49:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.557
X-Spam-Status: No, score=-1.557 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_FSL_HELO_BARE_IP_2=0.01] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id xCtHXfOyqzRs for <tls@ietfa.amsl.com>; Tue, 4 Nov 2014 09:49:24 -0800 (PST)
Received: from gateway13.websitewelcome.com (gateway13.websitewelcome.com []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FA171ACCEF for <tls@ietf.org>; Tue, 4 Nov 2014 09:49:24 -0800 (PST)
Received: by gateway13.websitewelcome.com (Postfix, from userid 5007) id 6CE66757EC5AD; Tue, 4 Nov 2014 11:49:23 -0600 (CST)
Received: from gator3286.hostgator.com (gator3286.hostgator.com []) by gateway13.websitewelcome.com (Postfix) with ESMTP id 56DBF757EC55A for <tls@ietf.org>; Tue, 4 Nov 2014 11:49:23 -0600 (CST)
Received: from [] (port=53972 helo= by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <turners@ieca.com>) id 1XliEM-0006gr-RL for tls@ietf.org; Tue, 04 Nov 2014 11:49:22 -0600
From: Sean Turner <turners@ieca.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Message-Id: <8E6B8F53-9E8C-46B2-A721-85E918576F3A@ieca.com>
Date: Tue, 04 Nov 2014 12:49:21 -0500
To: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Exim-ID: 1XliEM-0006gr-RL
X-Source-Sender: ( []:53972
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/wrxnUDyd4mQSOKRHmVrxdKiPX3A
Subject: [TLS] STRAW POLL: Size of the Minimum FF DHE group
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 17:49:30 -0000


At the TLS Interim meeting in Paris, the WG discussed the FF DHE draft (https://datatracker.ietf.org/doc/draft-ietf-tls-negotiated-ff-dhe/)  The chairs would like to poll the WG on one of the issues in the draft namely the size of the minimum group.

The draft currently includes a minimum group size of 2432 but the WG also discussed 2048.  Groups smaller than 2048 were discounted for a standards track document as too weak for use but might be documented in a separate “historic” draft.  To help us reach consensus on this point, please reply to this email indicating whether you favor a “2048" or “2432” minimum group size.  Note we’re also looking to specify the smallest number of options for groups as is acceptable - i.e., we’re not looking at specifying both 2048 and 2432.

Background: Regardless of whether you agree with what follows or not, the following has been put forward as the rationale. We don’t need comments on the rationale, we’re just providing it for background.

1) 3DES has a 112-bit work factor and is still considered acceptable in TLS 1.2 and the DLOG keying material shouldn’t be any weaker than the symmetric cipher.

2) There is some disagreement about the work factor for the DLOG keys - e.g., NIST says 112-bit work factor correlates to 2048-bit DLOG keys but ECRYPT-II says 112-bit work factor correlates to 2432-bit DLOG keys (see references in draft).

3) The other point made about 2048-bit DLOG is that it’s a power of 2 and there’s parity with the public key sizes.