[TLS] DH group validation

One of the remaining TODOs in TLS 1.2 is what (if anything)
the client should do to validate the server's offered DH
group. I ran this by Bodo Moeller, who writes:


On Thu, Oct 11, 2007 at 12:20:20PM -0700, Eric Rescorla wrote:

> The current TLS 1.2 draft has:
> 
>    Because TLS allows the server to provide arbitrary DH groups, the
>    client SHOULD verify the correctness of the DH group. [TODO: provide
>    a reference to some document describing how] and that it is of
>    suitable size as defined by local policy. The client SHOULD also
>    verify that the DH public exponent appears to be of adequate size.
>    The server MAY choose to assist the client by providing a known
>    group, such as those defined in [IKEALG] or [MODP]. These can be
>    verified by simple comparison.
> 
> Any chance you would be willing to provide some text for this TODO?
> Or a pointer or something?

I suppose I could write something on recommendations for DH groups
(although not right now -- I will be traveling without a computer
later this week and next week), but I don't really see the point of
client verification of server-chosen DH groups, and don't agree that
this should be a "SHOULD".

In the TLS 1.2 standard ciphersuites, a signature authenticates that
the server really has chosen this particular group.  (Or, in anonymous
ciphersuites, even *with* group verification you can't really trust
the DH value if you suspect there might be an active adversary.)  You
can't verify *all* security-relevant aspects of server behavior, so
why spend time verifying this particular one?  If the server
implementation sucks, it could use a perfectly nice DH group in a
perfectly broken way -- such as by using a low-entropy secret
exponent.  I don't see that verifying the DH group really adds
significant value: it does not counter any threats by actual
adversaries.

Looking at the (purported) group size is reasonable because it is
cheap to do, so that the client can detect if the server at least
pretends to use a certain security level.

The client could do some more complex verification to decide if it
would appear secure to reuse its own secret exponent multiple times,
but I don't think this is worth the effort: we have session reuse
capabilities, anyway; so clients should always use fresh DH exponents
if a full handshake happens, and try to reuse a session if they want
to reuse older secret values.

Bodo



I tend to agree with this, and I suggest that we simply suggest
that the client SHOULD check the group size.

Comments in the other direction? I'd like to note that the reason
this section is not filled in is because I don't have any text
I'm comfortable with on how to check a DH group. Accordingly,
any comments suggesting that we should have validation would
be most convincing if they came with a contribution of text
describing what you want done.

-Ekr
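As an added example (not code from this thread or from any TLS implementation), the cheap client-side checks the two messages converge on, applied to the ServerDHParams carried in a TLS 1.2 ServerKeyExchange: group size against local policy, a range check on the server's public value, and the optional comparison against locally known groups. The 127-bit prime used as input is constructed for the demonstration and is far below any real policy minimum.

```python
import struct

def parse_server_dh_params(data: bytes):
    """Parse TLS 1.2 ServerDHParams: dh_p, dh_g, dh_Ys, each an opaque<1..2^16-1>.
    Returns (p, g, Ys, remainder); the remainder is the signature in signed suites."""
    fields, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(data):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack_from("!H", data, off)
        off += 2
        if n == 0 or off + n > len(data):
            raise ValueError(f"bad length for {name}")
        fields.append(int.from_bytes(data[off:off + n], "big"))
        off += n
    p, g, ys = fields
    return p, g, ys, data[off:]

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser, used here only to build sample input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def check_dh_params(p: int, g: int, ys: int, min_bits: int = 2048,
                    known_groups=()):
    """Cheap checks from the thread. Returns a list of findings; empty means
    the parameters pass local policy."""
    findings = []
    # Group size as defined by local policy (bit length of the purported prime).
    if p.bit_length() < min_bits:
        findings.append(f"dh_p is {p.bit_length()} bits, policy minimum is {min_bits}")
    if p % 2 == 0:
        findings.append("dh_p is even, cannot be prime")
    # Generator and server public value must lie in [2, p-2]; 0, 1, p-1 are trivial.
    if not 2 <= g <= p - 2:
        findings.append("dh_g outside [2, p-2]")
    if not 2 <= ys <= p - 2:
        findings.append("dh_Ys outside [2, p-2]")
    # Optional "simple comparison" against locally known groups (e.g. MODP primes).
    if known_groups and p not in known_groups:
        findings.append("dh_p is not a locally known group")
    return findings

# Constructed sample: 2^127-1 is prime but far below any sane policy minimum.
TOY_P = 2 ** 127 - 1
SAMPLE = encode_server_dh_params(TOY_P, 2, 5)
```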




_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.