Re: [TLS] Deprecating Obsolete Key Exchange Methods in TLS
David Benjamin <davidben@chromium.org> Wed, 02 March 2022 18:31 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25C053A0B32 for <tls@ietfa.amsl.com>; Wed, 2 Mar 2022 10:31:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.261
X-Spam-Level:
X-Spam-Status: No, score=-9.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wCWSmch1QvW0 for <tls@ietfa.amsl.com>; Wed, 2 Mar 2022 10:31:49 -0800 (PST)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF7BD3A0B7C for <tls@ietf.org>; Wed, 2 Mar 2022 10:31:48 -0800 (PST)
Received: by mail-pf1-x42f.google.com with SMTP id x18so2665725pfh.5 for <tls@ietf.org>; Wed, 02 Mar 2022 10:31:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OO1S9MOSIlDNjipsAphvUIXiiOWG0vugb7yeYQe+8zk=; b=S3EM53RxyRKv+tPei8yBvG/Mv/jhLiumUcOF0ELvTZac3B/kTOXKQgU5g2XFIk63nS rNjZAIN/l7WKMKDO/rMo3Wz9Ph0tu4W7iLpBDtwuXQqpN9U6KBf91OIn8bXC78SD2ad/ vvCWrMpeOGarln56eHYdjiFSdqyW/oRhPcZ6U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OO1S9MOSIlDNjipsAphvUIXiiOWG0vugb7yeYQe+8zk=; b=S4LiDvpId+BP3DgOG0v0+RvUoKx3gqiBwxio3SVEGiT1BO4EytwY3zfOoj+nlJwOmx idzRkAXXDV+XNR/Oy15Nfz50mKjrTARU6LTmUO2d7jqJ46EmnZJgiKw+6Y6c+XQPzasE c/RnnEJdn5RqkLj59HwvyZ5BEs+Z8Qcik7h9ntlVd8GA2G4J5yLS2Ae8O9R6hMXMOoY0 LrIYVXfeFefjQhL9G5K1ip8RMKlrMIos0vHF2x//PFWenxN4/E6sGoDXsJPaDgVuJB2B FMfIvLXOkD48gvjLJYUtKFuA8okqQz8rNlRoGT+6Dczx31fOwSckL5mgTwdKZ/ajbmTT vxdA==
X-Gm-Message-State: AOAM533IgxRJ8sJFIh2l2+z6ePzJQMV+/08OrAkz9g7CAw1IU/hlOkKg 6b9SrFUlQhOtgMNV7nMWliHvuSAabg0vUVRGqkrkcyV3EQ==
X-Google-Smtp-Source: ABdhPJwDr4IOPOTOVdo/bdKzkd/SNwVCsGcFP28F3tpXHtyT07kthCWzxB6wz5glaNWwzL2GylZ53l06YAS36VESVPk=
X-Received: by 2002:a63:a545:0:b0:34c:9ba5:6125 with SMTP id r5-20020a63a545000000b0034c9ba56125mr26930423pgu.392.1646245907633; Wed, 02 Mar 2022 10:31:47 -0800 (PST)
MIME-Version: 1.0
References: <CABiKAoRZZy2Bqgf_QJOQxiyREwLscOWJ9LeqgEvam7Lz+dqyCA@mail.gmail.com> <F631C8A5-3684-4693-B828-4CAA7820125B@ll.mit.edu>
In-Reply-To: <F631C8A5-3684-4693-B828-4CAA7820125B@ll.mit.edu>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 02 Mar 2022 13:31:31 -0500
Message-ID: <CAF8qwaA2go0o_gN=9bh4hqe7hfT+1N8cCBnxd1t00-fGUbSxvg@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Carrick Bartle <cbartle@apple.com>
Content-Type: multipart/alternative; boundary="0000000000008a32c905d9407e44"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zPVfG2ese-R0SY9hRjGrbzoBqqM>
Subject: Re: [TLS] Deprecating Obsolete Key Exchange Methods in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2022 18:32:02 -0000
On Wed, Mar 2, 2022 at 12:19 PM Blumenthal, Uri - 0553 - MITLL < uri@ll.mit.edu> wrote: > Following the discussions around draft-bartle-tls-deprecate-ffdh and > draft-aviram-tls-deprecate-obsolete-kex, and after consulting the chairs, > we have merged the two drafts into draft-aviram-tls-deprecate-obsolete-kex > <https://datatracker.ietf.org/doc/draft-aviram-tls-deprecate-obsolete-kex/> > . > > > > The merged draft prescribes the following: > > 1. RSA key exchange is a MUST NOT. > > NIST PQC API is Key Encapsulation – conceptually similar to RSA key > exchange. > Yes, but this has no bearing on why it's deprecated. The question is how you use the KEM, and as well as the properties of the KEM in question. In TLS 1.3, and in TLS 1.2 (EC)DHE key exchanges, the KEM recipient generates an *ephemeral, per-connection* key. This gives us forward secrecy properties, which this WG has treated as important. In TLS 1.2 RSA key exchange, the recipient uses a *static* RSA key. In principle, one could also use an RSA-based KEM with ephemeral keys, but RSA key generation is so expensive that this is implausible. Regardless, "RSA key exchange" in the context of TLS is specifically the TLS 1.2 RSA construction, which doesn't do this. Additionally, the particular KEM-like construction used in TLS RSA key exchange is flawed, per the Bleichenbacher attack. While we have a mitigation, it is just a workaround for what is ultimately a flawed construction. That mitigation has also had a series of implementation issues, per the documents cited by the draft. > > 1. Non-ephemeral finite-field DH is a MUST NOT. > > > > Overkill, and unnecessary. Should be SHOULD NOT. > > > > 1. Non-ephemeral ECDH is a SHOULD NOT. > > > > OK. > > > > 1. Ephemeral finite-field DH (DHE) is a MAY, only when fully > ephemeral, and only using a well-known group of size at least 2048 bits. > > > > Overkill, though requiring sufficiently large group size is fine. > > > > > > We added greater justification for point 3 > <https://www.ietf.org/archive/id/draft-aviram-tls-deprecate-obsolete-kex-01.html#name-security-considerations-2> > above to address concerns previously raised on the list. > > > > We'd love to hear your thoughts. > > > > best wishes, > > Carrick and Nimrod > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Deprecating Obsolete Key Exchange Methods i… Nimrod Aviram
- Re: [TLS] Deprecating Obsolete Key Exchange Metho… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Deprecating Obsolete Key Exchange Metho… David Benjamin
- Re: [TLS] Deprecating Obsolete Key Exchange Metho… Salz, Rich
- Re: [TLS] Deprecating Obsolete Key Exchange Metho… Carrick Bartle