Re: [TLS] DH group validation


On Tuesday 16 October 2007, Eric Rescorla wrote:

> In the TLS 1.2 standard ciphersuites, a signature authenticates that
> the server really has chosen this particular group.  (Or, in anonymous
> ciphersuites, even *with* group verification you can't really trust
> the DH value if you suspect there might be an active adversary.)  You
> can't verify *all* security-relevant aspects of server behavior, so
> why spend time verifying this particular one?  If the server
> implementation sucks, it could use a perfectly nice DH group in a
> perfectly broken way -- such as by using a low-entropy secret
> exponent.  I don't see that verifying the DH group doesn't really add
> significant value: it does not counter any threats by actual
> adversaries.

I agree with the above. He can post the transaction in plaintext. I don't see 
much to gain by further checking the group.

> Looking at the (purported) group size is reasonable because it is
> cheap to do, so that the client can detect if the server at least
> pretends to use a certain security level.

But of course then you need to define what a security level is and how it 
applies to DH key exchange.


regards,
Nikos
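
The cheap size check discussed in this message, as an added example that is not code from either poster or from any TLS implementation: it parses the ServerDHParams fields (dh_p, dh_g, dh_Ys) and measures the value of dh_p rather than trusting its length field. The function names, the sample byte strings and the min_bits threshold are assumptions; the threshold is local policy, which is exactly the "security level" that would have to be defined.

```python
import struct

class DHParamsError(ValueError):
    pass

def read_vec16(buf, off):
    # TLS opaque<1..2^16-1>: 2-byte big-endian length, then that many bytes.
    if off + 2 > len(buf):
        raise DHParamsError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise DHParamsError("empty or truncated vector")
    return buf[off + 2:end], end

def purported_group_bits(params):
    # ServerDHParams is dh_p, dh_g, dh_Ys, each a length-prefixed vector.
    p_raw, off = read_vec16(params, 0)
    g_raw, off = read_vec16(params, off)
    ys_raw, off = read_vec16(params, off)
    # Measure the value, not the length field: zero padding in dh_p
    # must not count towards the size.
    return int.from_bytes(p_raw, "big").bit_length()

def check_group_size(params, min_bits):
    # min_bits is a local policy choice (assumption), not a protocol value.
    bits = purported_group_bits(params)
    if bits < min_bits:
        raise DHParamsError(f"dh_p is {bits} bits, below local minimum {min_bits}")
    return bits

def encode(*fields):
    # Helper for the constructed samples below.
    return b"".join(struct.pack("!H", len(f)) + f for f in fields)

# Constructed samples (not real groups; primality is not checked here).
P_1024 = ((1 << 1023) | 1).to_bytes(128, "big")
P_PADDED = b"\x00" * 64 + ((1 << 511) | 1).to_bytes(64, "big")  # 128 bytes, 512-bit value
GOOD = encode(P_1024, b"\x02", b"\x05")
PADDED = encode(P_PADDED, b"\x02", b"\x05")

if __name__ == "__main__":
    print(check_group_size(GOOD, 1024))
    try:
        check_group_size(PADDED, 1024)
    except DHParamsError as e:
        print("rejected:", e)
```

This only tells the client what size the server claims to use; it says nothing about whether the group or the server's secret exponent is any good.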


