Re: [TLS] draft-sheffer-tls-bcp: DH recommendations

"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Wed, 18 September 2013 19:24 UTC

Return-Path: <prvs=29737ce98b=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B709111E8108 for <tls@ietfa.amsl.com>; Wed, 18 Sep 2013 12:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.872
X-Spam-Level:
X-Spam-Status: No, score=-4.872 tagged_above=-999 required=5 tests=[AWL=-0.422, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, SARE_OBFU_ALL=0.751, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jt7CXitGFDKV for <tls@ietfa.amsl.com>; Wed, 18 Sep 2013 12:24:36 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 539DE11E8119 for <tls@ietf.org>; Wed, 18 Sep 2013 12:24:33 -0700 (PDT)
Received: from LLE2K7-HUB01.mitll.ad.local (LLE2K7-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id r8IJNS2n015120; Wed, 18 Sep 2013 15:24:26 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: james hughes <hughejp@mac.com>
Date: Wed, 18 Sep 2013 15:24:18 -0400
Thread-Topic: [TLS] draft-sheffer-tls-bcp: DH recommendations
Thread-Index: Ac60pK0TJ8+ukqRvTbef8uY9L0Iwaw==
Message-ID: <CE5F7540.11590%uri@ll.mit.edu>
In-Reply-To: <2EF88965-50F2-44C3-862F-F9B92BD51D66@mac.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.7.130812
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3462362658_41927692"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794, 1.0.431, 0.0.0000 definitions=2013-09-18_08:2013-09-18, 2013-09-18, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1309180098
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-sheffer-tls-bcp: DH recommendations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2013 19:24:41 -0000

From:  james hughes <hughejp@mac.com>;
> On Sep 18, 2013, at 10:34 AM, "Blumenthal, Uri - 0558 - MITLL"
> <uri@ll.mit.edu>; wrote:
>> If you think that in 5 years 1024-bit DH will be trivially crackable - I'd
>> like to see some evidence to support it.
> There is a different between "trivially crackable" and routinely exploitable.
> In 5 years this will be routinely exploitable.

If you mean "exploitable in bulk", then I'd buy your argument.  (Though
we've no idea what may happen in 5 years.)

> It seems to me that the standards process does not need NSA to subvert the
> process, the standards people seem to be doing this fine by themselves.
> Anyway, speaking as someone working in this field (more factoring than
> discreet log) the professional recommendation is 2048.

Recommendation noted. I almost remember myself many years ago trying to
convince SNMP WG that HMAC is a better choice than just keyed hash, and
SHA-1 should replace MD5 as "MUST". The arguments against it were "it would
hurt performance too badly".

> I am not baiting here, but the argument that 2048 is "too much" given that a
> PC can do a complete authenticated PFS key exchange in 3ms of CPU time seems
> "interesting". 

As I said, if the exchange takes 3 seconds on my PC (or on my smartphone :)
I'm OK with it. The complaints are likely to come from the server folks. You
can guess why.