RE: [TLS] DH group validation
Bodo Moeller wrote:
> I don't see that verifying the DH group doesn't really add
> significant value: it does not counter any threats by actual
> adversaries.
Not all threats are caused by malicious adversaries. IMHO the
purpose of doing some kind of DH group validation is to mitigate
risk from a particular kind of implementation mistake. This
particular implementation mistake has been seen in the real world,
so it does have some relevance (although there are, of course,
other implementation mistakes that can't be found by this
particular check).
However, it seems that as long as we don't require any particular
verifiable prime generation algorithm (such as X9.42), or use only
"known" groups (like IKE does), the only validation we can easily
do (without non-trivial computation) is checking the size of "p".
We could rephrase the text something like this:
The security level offered by TLS also depends on the DH group.
The client SHOULD verify that the DH modulus appears to be of
adequate size (some implementations of earlier versions of TLS are
known to generate very small DH moduli, offering little security).
Other aspects of DH group correctness (such as the subgroup size)
are more difficult to verify. The server MAY choose to assist the
client by providing a group with known level of security, such as
those defined in [IKEALG] or [MODP]. These can be verified by
simple comparison.
Best regards,
Pasi
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
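
The two checks the proposed text describes (modulus size, and simple comparison against known groups), as an added example that is not part of the original message. The function names and the `min_bits` default are assumptions; the known-group list (the 1024-bit group from RFC 2409 and the 1536- and 2048-bit groups from RFC 3526) is this example's choice, with the primes rebuilt from the formula those RFCs give.

```python
# Added example: client-side check of DH parameters received from a server.

def _arctan_inv(x, one):
    """arctan(1/x) scaled by `one`, using integer arithmetic only."""
    term = total = one // x
    k, sign = 1, -1
    while term:
        term //= x * x
        total += sign * (term // (2 * k + 1))
        k, sign = k + 1, -sign
    return total

def _pi_floor(bits, guard=64):
    """floor(pi * 2**bits) via Machin's formula, computed with guard bits."""
    one = 1 << (bits + guard)
    return (16 * _arctan_inv(5, one) - 4 * _arctan_inv(239, one)) >> guard

def _modp(n, c):
    # RFC 2409 / RFC 3526 construction:
    # p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c)
    return (1 << n) - (1 << (n - 64)) - 1 + (1 << 64) * (_pi_floor(n - 130) + c)

# name -> (p, g); the generator is 2 for all three groups.
KNOWN_GROUPS = {
    "RFC 2409 group 2 (1024-bit)": (_modp(1024, 129093), 2),
    "RFC 3526 group 5 (1536-bit)": (_modp(1536, 741804), 2),
    "RFC 3526 group 14 (2048-bit)": (_modp(2048, 124476), 2),
}

def check_dh_group(p, g, min_bits=2048):
    """Return (accept, reason). min_bits is local policy (assumed default)."""
    # Size check: the only validation that needs no real computation.
    if p.bit_length() < min_bits:
        return (False, f"modulus too small: {p.bit_length()} bits")
    # Cheap sanity checks (added here; not part of the proposed text).
    if p % 2 == 0 or not 1 < g < p - 1:
        return (False, "malformed parameters")
    # Known groups are verified by simple comparison.
    for name, known in KNOWN_GROUPS.items():
        if (p, g) == known:
            return (True, f"known group: {name}")
    # Large enough, but subgroup structure (even primality) is unchecked.
    return (True, "size ok, group structure unverified")
```

A modulus that passes only the size check can still be a bad group: `check_dh_group((1 << 2047) + 1, 2)` is accepted as "size ok" even though that constructed value is divisible by 3.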