[TLS] Re: Short Ephermal Diffie-Hellman keys

To: <Pasi.Eronen at nokia.com>
Subject: [TLS] Re: Short Ephermal Diffie-Hellman keys
From: Simon Josefsson <simon at josefsson.org>
Date: Tue, 15 May 2007 18:12:50 +0200
Cc: tls at lists.ietf.org
In-reply-to: <B356D8F434D20B40A8CEDAEC305A1F2404229A6B@esebe105.NOE.Nokia.com> (Pasi Eronen's message of "Tue\, 15 May 2007 16\:50\:13 +0300")
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <op.tsa3n9ttqrq7tp@nimisha.oslo.opera.com> <46488F24.4020304@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F24041FA7FF@esebe105.NOE.Nokia.com> <4649A374.8040805@drh-consultancy.demon.co.uk> <87y7jqckh2.fsf@mocca.josefsson.org> <B356D8F434D20B40A8CEDAEC305A1F2404229A6B@esebe105.NOE.Nokia.com>
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.0.95 (gnu/linux)

<Pasi.Eronen at nokia.com> writes:

> Simon Josefsson wrote:
>
>> Some applications that use GnuTLS (I believe Exim is an example)
>> have a separate script invoked once every day (or similar) to
>> re-generate the DH parameters.  This approach works fine even if
>> getting the entropy is a bottle-neck, since it allows servers to
>> continue to run using the earlier DH parameters until the new
>> parameters have been generated.
>
> BTW, why do you generate new DH parameters in the first place?

GnuTLS doesn't -- external applications, notably Exim, do it.  However,
I have not idea why they do it.  There are some discussion about this
behaviour in section 2.2.3 of:

http://pkg-exim4.alioth.debian.org/README/README.Debian.html#id224002

Frankly, I'm not sure I really understand what they are doing or why.

> Earlier I suggested that TLS 1.2 spec should probably recommend just
> hardcoding some of the groups from RFC 3526 (i.e., recommend against
> generating DH parameters). This would simplify code and provide less
> opportunities for getting things wrong (e.g. very small primes seen by
> Yngve; small subgroup attacks; etc.).
>
> http://www1.ietf.org/mail-archive/web/tls/current/msg01115.html

I think we would need solid support from the cryptographic community to
change this.

Regenerating new DH parameters appear to me, if they are computed
correctly, to potentially offer one additional wall of protection.

The risk is if the parameters are not computed correctly.  But that risk
have to be weighted against the risk of someone exploiting the fact that
many D-H exchanges on the Internet uses the same parameters, and does so
over a multi-year time period.

Personally, I'm leaning towards reviewing the code to generate D-H
parameters, and to recommend administrators to re-generate parameters
every X days.  Instead of putting all trust in one D-H parameter.

/Simon

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- [TLS] RE: Short Ephermal Diffie-Hellman keys
  - From: Pasi.Eronen

References:
- [TLS] Short Ephermal Diffie-Hellman keys
  - From: Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Mike
- RE: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Pasi.Eronen
- Re: [TLS] Short Ephermal Diffie-Hellman keys
  - From: Dr Stephen Henson
- [TLS] Re: Short Ephermal Diffie-Hellman keys
  - From: Simon Josefsson
- RE: [TLS] Re: Short Ephermal Diffie-Hellman keys
  - From: Pasi.Eronen

Prev by Date: [TLS] Further development of GSS-TLS
Next by Date: Re: [TLS] Short Ephermal Diffie-Hellman keys
Previous by thread: RE: [TLS] Re: Short Ephermal Diffie-Hellman keys
Next by thread: [TLS] RE: Short Ephermal Diffie-Hellman keys
Index(es):
- Date
- Thread

[TLS] Re: Short Ephermal Diffie-Hellman keys

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.