[TLS] RE: Short Ephemeral Diffie-Hellman keys
Simon Josefsson wrote:
> > Earlier I suggested that TLS 1.2 spec should probably recommend just
> > hardcoding some of the groups from RFC 3526 (i.e., recommend against
> > generating DH parameters). This would simplify code and provide fewer
> > opportunities for getting things wrong (e.g. very small
> > primes seen by Yngve; small subgroup attacks; etc.).
> >
> > http://www1.ietf.org/mail-archive/web/tls/current/msg01115.html
>
> I think we would need solid support from the cryptographic
> community to change this.
Current TLS specs already allow implementations to do this; also
many existing protocols (IKE/IKEv2, MIKEY, HIP) do this. So I don't
think that this is very controversial (especially if we keep this
as a recommendation, not a MUST).
(BTW, even with TLS, I think FIPS/Suite B compliance would prohibit
generating new DH parameters in the ECDH case.)
> Regenerating new DH parameters appears to me, if they are computed
> correctly, to potentially offer one additional wall of protection.
>
> The risk is if the parameters are not computed correctly. But that
> risk has to be weighed against the risk of someone exploiting the
> fact that many D-H exchanges on the Internet use the same
> parameters, and do so over a multi-year time period.
IKE has done exactly this over a multi-year time period, and I haven't
heard of any concerns over that...
Best regards,
Pasi