Re: [TLS] Why are the brainpool curves not allowed in TLS 1.3?

Johannes Merkle <johannes.merkle@secunet.com> Tue, 17 July 2018 15:04 UTC

To: Hanno Böck <hanno@hboeck.de>, tls@ietf.org
References: <DE8E4C1F24911E469CC24DD4819274AA2770426C@mail-essen-01.secunet.de> <20180717155550.1a18202e@computer>
From: Johannes Merkle <johannes.merkle@secunet.com>
Message-ID: <5cde94e3-416a-6773-c35c-9bb3952f5097@secunet.com>
Date: Tue, 17 Jul 2018 17:04:23 +0200
In-Reply-To: <20180717155550.1a18202e@computer>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/x45lhFXUDMXycr0a8sr6sm4ToOY>
Subject: Re: [TLS] Why are the brainpool curves not allowed in TLS 1.3?

Hi,

> There's a very strong reason against this: It creates complexity. More
> opportunities for attacks, more fragmentation of the ecosystem. I
> believe I speak for a lot of people here when I say that fewer
> algorithms is better and having more algs "just because" is not a good
> reason. With that in mind an algorithm doesn't have to be weak to be
> removed from TLS. It's reason enough if it's rarely used and doesn't
> have a significant advantage over alternatives.

Crypto agility definitely has its value. There are not so many curves supported by TLS 1.3, and all of them use primes
of a very special form. Of course, this is exactly what makes these curves faster than the Brainpool curves, but from a
security perspective it might be advisable to have alternatives at hand which have very different properties (and have
not been generated by the NSA using seeds of obscure origin). In particular, as the code points had already been
registered and have already been implemented in some products.

Furthermore, the reasoning in the draft that these curves "should be assumed to be potentially unsafe" is completely wrong.

Johannes
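The "primes of a very special form" point above, as an added illustration that is not part of the mail or the thread: the field primes of the TLS 1.3 curves (constants from RFC 7748, SEC 2 / FIPS 186-4 and RFC 5639, not from this page) have a handful of signed power-of-two terms, which is what allows fast reduction, while the Brainpool prime has none of that structure. The NAF-weight metric and the primality check are my own scaffolding.

```python
# Added example, not code from the mail. Compares how "special" each field
# prime is by the weight of its non-adjacent form (NAF, digits in {-1,0,1}).
# A low weight means "mod p" reduces to a few shifts and adds; a random-
# looking prime such as brainpoolP256r1's has no such shortcut.
import random

# Field primes: RFC 7748 (curve25519, curve448), SEC 2 (secp256r1),
# RFC 5639 (brainpoolP256r1). Verified below with Miller-Rabin.
PRIMES = {
    "curve25519": 2**255 - 19,
    "curve448": 2**448 - 2**224 - 1,
    "secp256r1": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "brainpoolP256r1": int("A9FB57DBA1EEA9BC3E660A909D838D72"
                           "6E3BF623D52620282013481D1F6E5377", 16),
}


def naf_weight(n: int) -> int:
    """Count the non-zero digits of n's non-adjacent form."""
    weight = 0
    while n > 0:
        if n & 1:
            digit = 2 - (n & 3)  # +1 when n % 4 == 1, -1 when n % 4 == 3
            n -= digit
            weight += 1
        n >>= 1
    return weight


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a fixed seed; sanity-checks the constants above."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(2018)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def special_form_report() -> dict:
    """Map curve name -> (is prime, NAF weight of its field prime)."""
    return {name: (is_probable_prime(p), naf_weight(p)) for name, p in PRIMES.items()}
```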