Re: [TLS] Do we need DH?

Yoav Nir <ynir.ietf@gmail.com> Fri, 02 January 2015 18:41 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67AC81A0052 for <tls@ietfa.amsl.com>; Fri, 2 Jan 2015 10:41:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iGxcoGG9t9HW for <tls@ietfa.amsl.com>; Fri, 2 Jan 2015 10:41:24 -0800 (PST)
Received: from mail-wg0-x236.google.com (mail-wg0-x236.google.com [IPv6:2a00:1450:400c:c00::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F3DE1A0056 for <tls@ietf.org>; Fri, 2 Jan 2015 10:41:24 -0800 (PST)
Received: by mail-wg0-f54.google.com with SMTP id z12so6672229wgg.41 for <tls@ietf.org>; Fri, 02 Jan 2015 10:41:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=BfG+dgG94rr7zREzMCM6OK1FTg6mgQC6XtlmYUrPOS8=; b=xYcEuvCD3oPgz0OisL873P2u+Xy4ElAquxoyx1oUImGR3lmas5gDVY4eir1txF8UCe ZDYaii5HG34H8ivEvi1UXorbvmQkrkBE8OUOUzT7bFXRZtxBr+MlSamFxBhfxT2sXFgG m4bl+epAogo8xQrddtEHNDrvdvGi6aPn9p/K+m7syAW/YHP8yuyDktjdTJEps7bESBPl Y1DS19MFjj7lapFbXKGW9uZtt3PEC7A7p1ha/rYziIg+8ZKdvxpGc9PGcQzNuLYP9lHm CuDxDZdSg0g0ytLv41XyRZAV2k5zr3D5FFRlU/GAJMVLpVHqLeFG3CA+oY5wiRSWpL/o 4RfQ==
X-Received: by 10.194.110.69 with SMTP id hy5mr155141727wjb.121.1420224083283; Fri, 02 Jan 2015 10:41:23 -0800 (PST)
Received: from [192.168.1.102] (IGLD-84-228-227-214.inter.net.il. [84.228.227.214]) by mx.google.com with ESMTPSA id vs8sm40618061wjc.6.2015.01.02.10.41.21 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 02 Jan 2015 10:41:22 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20150102171711.GY24442@localhost>
Date: Fri, 02 Jan 2015 20:41:19 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C340713C-C379-4EFD-8543-F0DE626DC7B7@gmail.com>
References: <CACsn0cmD=YA4i889f--e_b-OahUVoYdKyQUaiUN--QKOmqn8uA@mail.gmail.com> <54A252EA.1010905@iki.fi> <2348107.Lj21YcAO1u@pintsize.usersys.redhat.com> <DF638EB0-A163-4DBD-B095-43EEDA4D9DB1@gmail.com> <20150102171711.GY24442@localhost>
To: Nico Williams <nico@cryptonector.com>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/yqI-CuMT9ebnX62ZCqO5t4OhrmI
Cc: tls@ietf.org
Subject: Re: [TLS] Do we need DH?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jan 2015 18:41:26 -0000

> On Jan 2, 2015, at 7:17 PM, Nico Williams <nico@cryptonector.com> wrote:
> 
> On Fri, Jan 02, 2015 at 03:08:07PM +0200, Yoav Nir wrote:
>>> On Jan 2, 2015, at 2:46 PM, Hubert Kario <hkario@redhat.com> wrote:
>>> On Tuesday 30 December 2014 09:23:22 Tapio Sokura wrote:
>>>> With regards to all eggs being in the same basket, AES is also something
>>>> that really should have a realistic alternative standardized and
>>>> deployed _before_ (/if) AES is broken. Like SHA-3 is coming around the
>>>> corner while SHA-2 is still well alive and kicking.
>>> 
>>> We do have Camellia ciphers defined, PFS AEAD included (RFC 6367).
>> 
>> That, and the ChaCha20+Poly1305 AEAD will be defined when http://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-04 is adopted.
> 
> I think Hubert may be referring to the need for for interoperable
> alternatives.  As in: being likely to find those alternatives deployed.
> 
> IOW, we need at least two realistic *REQUIRED to implement* algorithms
> (curves for ECC) of most kinds: two hash functions, two PRFs, two ECDH
> curves, two digital signature algorithms (e.g., RSA and E*DSA), two AEAD
> ciphers.
> 
> For some kinds of algorithms (ciphers) this might be difficult,
> politically.  But it's worth considering.

I think ChaCha20+Poly1305 has a very good chance of becoming deployed. Chrome has an implementation of an earlier draft, and I’m sure once draft-mavrogiannopoulos gets published as an RFC both the Chrome implementation and the contribution to OpenSSL will get updated. I can’t speak for SCHANNEL, NSS and whatever Safari is using, but I think it has a better chance of becoming ubiquitous than anything else that’s on the table.

Yoav