Re: [TLS] security levels for TLS
Mike <mike-list@pobox.com> Thu, 11 October 2007 15:38 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig06z-0004YB-SY; Thu, 11 Oct 2007 11:38:09 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1Ig06y-0004Xj-8O for tls-confirm+ok@megatron.ietf.org; Thu, 11 Oct 2007 11:38:08 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig06x-0004VY-V8 for tls@lists.ietf.org; Thu, 11 Oct 2007 11:38:07 -0400
Received: from rune.pobox.com ([208.210.124.79]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ig06j-0007Fh-V5 for tls@lists.ietf.org; Thu, 11 Oct 2007 11:38:00 -0400
Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id 5F8EF146879 for <tls@lists.ietf.org>; Thu, 11 Oct 2007 11:37:35 -0400 (EDT)
Received: from [192.168.1.8] (wsip-24-234-114-35.lv.lv.cox.net [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 1AD4A146874 for <tls@lists.ietf.org>; Thu, 11 Oct 2007 11:37:34 -0400 (EDT)
Message-ID: <470E4399.3010008@pobox.com>
Date: Thu, 11 Oct 2007 08:39:05 -0700
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: tls@lists.ietf.org
Subject: Re: [TLS] security levels for TLS
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil> <470D0243.3050009@pobox.com> <20071010180324.7ABC533C21@delta.rtfm.com>
In-Reply-To: <20071010180324.7ABC533C21@delta.rtfm.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52f7a77164458f8c7b36b66787c853da
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
I think there is good reason to try to solve this problem in the TLS layer. The alternative is to force every TLS- enabled application to solve it (and likely they won't solve it and be less secure). Wouldn't it be ideal if an application could just say: TLS::SetSecurityLevel (3); and know that the resulting connection will either meet the (implementation-dependent) criteria for that level of security, or the TLS negotiation will fail? Currently an application has to do the following: 1) configure TLS layer with acceptable cipher suites 2) connect to server 3) negotiate a TLS session (many applications will stop here) 4) check that the negotiated parameters meet the application's idea of good security 5) if not, abort TLS session, disconnect, remove some cipher suites from the acceptable list and goto step 1 This is inefficient and error-prone, and makes it much harder to know how secure your IT infrastructure as a whole is since there are as many points of failure as there are applications. Also as attacks improve and the security requirements change, every application needs to be reexamined and modified. It would be much better if all that was needed was to replace the TLS library with an updated version. Or better yet, the TLS library may have a plain text configuration file for its security levels that could be replaced, and all you need to do is restart your applications. > Absent some significant evidence that this is a problem in > practice, I'm against the TLS WG doing anything along these > lines. The folks at Opera Software have expressed how difficult it was to secure their browser, and how insecure some servers are (256-bit DH parameters!). The W3C is also attempting to solve this problem, but the need extends beyond HTTPS. Another issue I've been meaning to bring up is that if you want forward secrecy, you need to use Diffie- Hellman; however, there is no way to tell the server the size of the parameter p you want. Increasing the size of p has significant performance implications, so servers will typically use 1024 bits. On my Windows machine, it takes 0.02 seconds to generate a public key and another 0.02 seconds to compute the secret using 1024-bit parameters. Moving to 2048-bit parameters, the computation time increases to 0.15 seconds each. 4096-bit computations take 1.1 seconds. No server operator will decrease throughput by a factor of 50 for everyone, just to accommodate the few who want this level of security. It would be better if those who want to use 4096 bits could ask for it. Mike _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Yngve Nysaeter Pettersen
- Re: [TLS] security levels for TLS Paul Hoffman
- RE: [TLS] security levels for TLS Kemp, David P.
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Steven M. Bellovin
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Paul Hoffman
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Paul Hoffman