Re: [TLS] Static DH timing attack

Peter Gutmann <> Sat, 12 September 2020 03:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 56B7A3A0BE9 for <>; Fri, 11 Sep 2020 20:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Tf-_YwY20Ah3 for <>; Fri, 11 Sep 2020 20:48:36 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 37D7F3A0BE6 for <>; Fri, 11 Sep 2020 20:48:35 -0700 (PDT)
Received: from ( []) (Using TLS) by with ESMTP id au-mta-74-UDf7BsEMPjG9n1p3NaxG2w-1; Sat, 12 Sep 2020 13:48:32 +1000
X-MC-Unique: UDf7BsEMPjG9n1p3NaxG2w-1
Received: from (2603:1096:1:1e::21) by (2603:10c6:201:4::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.17; Sat, 12 Sep 2020 03:48:28 +0000
Received: from (2603:1096:1:1e:cafe::58) by (2603:1096:1:1e::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.16 via Frontend Transport; Sat, 12 Sep 2020 03:48:28 +0000
X-MS-Exchange-Authentication-Results: spf=none (sender IP is;; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3370.16 via Frontend Transport; Sat, 12 Sep 2020 03:48:27 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 12 Sep 2020 15:48:25 +1200
Received: from ([]) by ([]) with mapi id 15.00.1497.006; Sat, 12 Sep 2020 15:48:25 +1200
From: Peter Gutmann <>
To: Filippo Valsorda <>, "" <>
Thread-Topic: [TLS] Static DH timing attack
Thread-Index: AQHWhrp+9EGmAKHnM0S2YOV3OYQKzqlhmhsF//998wCAAZtd6v///2UAgAA+bQCAAW7+LA==
Date: Sat, 12 Sep 2020 03:48:25 +0000
Message-ID: <>
References: <> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 810791ef-5fff-4885-79cd-08d856ceb505
X-MS-TrafficTypeDiagnostic: MEAPR01MB3046:
X-Microsoft-Antispam-PRVS: <>
X-MS-Oob-TLC-OOBClassifiers: OLM:628;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: OPN8n67KnTcx26ye1TVGZnLDhl1EQvUxe6Iko2+lLRfmeFcOGiCDm6yC6D+cmcL6/tHBUAcazDrIMwU81LfU9AIMByBs32Q2bgauL6J6gR+uEUKgl/jLObvecSBAJGb0RUVyMpOdy+hktx808cGyD3nO/womjuh9R72rMOfrxsRqYq8eAwV/38GLHLHAw3FPCS38fVoS9FSIyd2PW6n3QnfU3kZIh4OL2HVWrnorf6cQcet/EyAjrr+sGjv+VMffPrumLFIwIuPHLbF7baFJ8O3kdzz4D/A2Ogn6JOcPYQXO4lz/5fLFxNmZ6C9WxYQ5QNKCCZnzBkfHXgIkiKO20dlplcVUmZBnD0RNhonFwBNPA1mO7qY05xzYUg2sADK7V4cf+EJj4Kj7iL0XbjYA4A==
X-Forefront-Antispam-Report: CIP:; CTRY:NZ; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM;;; CAT:NONE; SFS:(4636009)(136003)(376002)(346002)(39860400002)(396003)(46966005)(110136005)(316002)(336012)(26005)(70206006)(70586007)(86362001)(82310400003)(82740400003)(356005)(7636003)(186003)(47076004)(478600001)(2906002)(36906005)(786003)(2616005)(8936002)(5660300002)(8676002); DIR:OUT; SFP:1101;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Sep 2020 03:48:27.0453 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 810791ef-5fff-4885-79cd-08d856ceb505
X-MS-Exchange-CrossTenant-Id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d1b36e95-0d50-42e9-958f-b63fa906beaa; Ip=[]; Helo=[]
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEAPR01MB3046
X-Mimecast-Spam-Score: 0.0
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-NZ
Archived-At: <>
Subject: Re: [TLS] Static DH timing attack
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 12 Sep 2020 03:48:38 -0000

Filippo Valsorda <> writes:

>I feel like there should be nothing controversial in the context of TLS.
>   Non-ephemeral FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DH_*) ought to be a
>	MUST NOT, because they can't be implemented securely.
>   Reusing ephemeral shares for ECDHE and DHE ought to be a MUST NOT in all
>	TLS versions, because it's unnecessary and has been a requirement for many
>	attacks now.
>   Non-ephemeral ECDH ciphersuites (TLS_ECDH_*) ought to be a SHOULD NOT,
>	because again ECDH share reuse enables a whole class of attacks.
>   FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DHE_*) ought to be a SHOULD NOT,
>	because they are specified in a dangerous way that is not secure if shares
>	are reused.

I agree with the first two but not the last.  Why is non-ephemeral DH a MUST
NOT but non-ephemeral ECDH a SHOULD NOT?  There's nothing magic about the EC
form that makes it any better or safer.

And for the FFDHE ciphersuites, they're not specified in a dangerous way,
people implement them in a dangerous way.  You really have to go out of your
way to get it wrong, in the case of RACCOON it's actually more effort to get
it wrong (keep old copies of values floating around and reuse them over and
over) than to get it right (generate a fresh value every time).  So it doesn't
need a "don't do FFDHE", it needs a "here's a lot of stupid things you can do
with FFDHE if you put your mind to it.  Don't do any of them".

Or maybe it can be turned into a more general "here are some dumb things that
people have done with TLS over the years.  Check your server to make sure
you're not doing them".  Posting your web server's private key as a .p12 file
in a subdirectory below $DocumentRoot, for example, would be high on my list.