Re: [TLS] Security today
At Sat, 29 Mar 2008 09:39:23 -0700,
Mike wrote:
>
> >> Put another way, if someone came to you and said they needed to
> >> protect millions of transactions worth billions of dollars, would
> >> you suggest 1024-bit RSA with RC4/MD5? That's the reality we live
> >> in today.
> >
> > We do trust this. You mention having read books by Schneier. No doubt
> > you've come across the parable of the 50-foot pole.
>
> Sure, the attacker runs around the pole. The problem with that story
> is that the pole in question is not nearly 50 feet tall. It could be
> easily jumped over, perhaps after a few years of improvements to
> athletic shoes.
>
> And actually I do trust 1024-bit RSA keys. But only for signatures
> such as those used for DHE_RSA. You really do need to have a unique
> key for every transaction (or possibly limited to a very small number
> of transactions), which is what DHE provides.
>
> > 1024-bit RSA with
> > RC4 and HMAC-MD5 may not be the best cryptography we have today, but
> > it's enough that no attacker to date has targeted the cryptography. All
> > hacking and cracking you hear about is done without any attempt at
> > cryptanalysis. Rather, it's done through poor database permissions, poor
> > input sanitizations or social engineering.
>
> The existence of other flaws is not an excuse to get the cryptography
> wrong. At some point it will be easy to break 1024-bit keys, and
> with the mountain of transactions piling up, ALL USING THE EXACT SAME
> KEYS, an attacker can simply passively record network traffic, wait a
> few years and then run RSACrack1024.exe.
>
> The damage is already done, by the way, if anybody is recording such
> network traffic. There is no way to prevent them from recovering all
> that data, names, passwords, account numbers, transaction details.
> And if you think you can just change your password and stop making
> transactions on an offending site, you're wrong; your password change
> will be recorded along with the rest of it.
Mike,
1. The properties of static RSA versus ephemeral DH are very
well known.
2. The protocol supports ephemeral DH.
3. The major servers support ephemeral DH, as do many clients.
4. Servers can choose to offer ephemeral DH if they wish
without in any way breaking operation for clients which
do not use it.
5. Clients could, if they chose, refuse to do any cipher suite
other than DH.
6. For a variety of reasons, principally performance, many
servers have chosen not to offer DH and clients have chosen
not to require it.
I realize that you happen to think that people have made the wrong
decision, but clearly other people have different opinions
about the relevant cost/benefit issues. TLS offers a set of
mechanisms that people can choose from to meet their needs,
and the document is quite clear about the security properties
of static RSA versus DH (see F.1.1.2). We've done our job.
You should of course feel free to write an advocacy piece somewhere
about how people really should use DHE, but that's not really
something appropriate for the TLS WG to take on.
-Ekr
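To make the static-RSA-versus-DHE argument of this thread concrete, here is an added toy model (it is not code from the thread or from any TLS implementation; all numbers are tiny constructed values and textbook RSA is used for both encryption and signing purely for illustration). It records the key-exchange messages of one TLS_RSA-style session and one DHE_RSA-style session, then shows what an attacker who later obtains the server's long-term private key can recover from each recording.

```python
import random

# Server's long-term toy RSA key (p=61, q=53): n=3233, e=17, d=2753. Constructed values.
N, E, D = 3233, 17, 2753
# Toy Diffie-Hellman group (p=23, g=5). Constructed values, far too small for real use.
P, G = 23, 5

def rsa_encrypt(m): return pow(m, E, N)
def rsa_sign(m): return pow(m, D, N)          # textbook signing, toy only
def rsa_verify(m, sig): return pow(sig, E, N) == m

def session_static_rsa(premaster):
    """TLS_RSA_*: the client encrypts the premaster secret to the server's long-term key.
    The recording contains that ciphertext, so the secret's confidentiality rests on d forever."""
    return {"kx": "RSA", "wire": rsa_encrypt(premaster), "secret": premaster}

def session_dhe(rng):
    """DHE_RSA: both sides pick fresh exponents; the server only SIGNS its share with the
    long-term key. The recording contains g^a, g^b and a signature, never the shared secret."""
    a, b = rng.randrange(1, P - 1), rng.randrange(1, P - 1)
    share_a, share_b = pow(G, a, P), pow(G, b, P)
    sig = rsa_sign(share_b)
    assert rsa_verify(share_b, sig)           # client checks the server's signature
    shared = pow(share_b, a, P)
    assert shared == pow(share_a, b, P)       # both sides derive the same session secret
    return {"kx": "DHE", "wire": (share_a, share_b, sig), "secret": shared}

def recover_after_key_compromise(recording, d):
    """Attacker who passively recorded 'wire' and later obtains (or cracks) the private key d.
    Returns the recovered session secret, or None if the key alone does not yield it."""
    if recording["kx"] == "RSA":
        return pow(recording["wire"], d, N)   # decrypt the recorded premaster: whole session falls
    # DHE: d lets the attacker forge future signatures, but the recorded shares g^a, g^b
    # contain nothing encrypted under the server key; recovering the secret needs a or b.
    return None

def demo():
    rsa_rec = session_static_rsa(1234)
    dhe_rec = session_dhe(random.Random(7))
    return (recover_after_key_compromise(rsa_rec, D) == rsa_rec["secret"],
            recover_after_key_compromise(dhe_rec, D) is None)
```

`demo()` returns `(True, False is None)`-style results: the static-RSA session is fully recovered from the recording once d is known, the DHE session is not.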