[TLS] Re: TLS 1.2 draft
EKR <ekr@networkresonance.com> Wed, 07 March 2007 16:11 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOyk0-00019g-JT; Wed, 07 Mar 2007 11:11:48 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOyjh-0000dD-57 for tls@ietf.org; Wed, 07 Mar 2007 11:11:29 -0500
Received: from c-69-181-78-47.hsd1.ca.comcast.net ([69.181.78.47] helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HOyjT-0000K7-HQ for tls@ietf.org; Wed, 07 Mar 2007 11:11:29 -0500
Received: from networkresonance.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 1C7E31CC78; Wed, 7 Mar 2007 08:10:16 -0800 (PST)
To: Simon Josefsson <simon@josefsson.org>
In-reply-to: Your message of "Wed, 07 Mar 2007 10:53:00 +0100." <87vehdl6rn.fsf@latte.josefsson.org>
X-Mailer: MH-E 7.4.2; nmh 1.2; XEmacs 21.4 (patch 20)
Date: Wed, 07 Mar 2007 08:10:16 -0800
From: EKR <ekr@networkresonance.com>
Message-Id: <20070307161016.1C7E31CC78@delta.rtfm.com>
X-Spam-Score: 0.2 (/)
X-Scan-Signature: bdc523f9a54890b8a30dd6fd53d5d024
Cc: tls@ietf.org
Subject: [TLS] Re: TLS 1.2 draft
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Simon Josefsson <simon@josefsson.org> wrote: > Eric Rescorla <ekr@networkresonance.com> writes: > > > What I'm saying is that the recommendation to prevent his attack > > is to use an RSA_DHE ciphersuite > > I agree with that. However, if I remember correctly, DHE key > exchanges are generally slower than plain RSA key exchanges with > temporary keys, although it depends on the DH group size. This is discussed pretty extensively in "SSL and TLS". From memory, on the server side there are three time consuming steps in the ephemeral RSA computation: 1. Generating the ephemeral RSA key 2. Signing the ephemeral RSA key with the static RSA key. 3. Decrypting the PMS encrypted under the ephemeral RSA key. The first can be amortized over a large number of transactions, so really we're talking about (2) and (3). In RSA-DHE, there are three costs as well: 1. Generating the DH ephemeral. 2. Signing the ephemeral DH key with the static RSA key. 3. Computing the DH ZZ. However step 1 can actually be made quite fast by using a short DH exponent and/or using a squaring table, so the dominant costs are (2) and (3). (2) is obviously the same, which leaves us with (3), which is comparable in both cases. So, on the server side, the costs are fairly comparable. On the client side, DHE is much more expensive since you need to do (1) and (2). But the cost of one computation is typically relatively small compared to people's perceptual times (order 50 ms) and clients tend to be low volume, so it's not an issue except for very slow machines. > > and use a fresh DH ephemeral with each key exchange. This provides > > the same security at a substantially superior performance level. > > Generating a fresh DH ephemeral with each key exchange would deplete > the entropy in many RNG's. I don't understand this point. Most TLS implementations use the PRNG to generate the random values as well as the session IDs. You quickly get to the point where you've exposed vastly more bits of entropy than your underlying PRNG state. If your PRNG can't handle this, you need a new PRNG. > Perhaps we could discuss the frequency that DH ephemeral's should be > changed, possibly also in the document. > > There are tools out there that use a static hard-coded DH ephemeral in > the code, and some configurations where the DH ephemeral is stored in > a separate file, but never re-freshed anyway. DH has two parts: 1. The group parameters. 2. The ephemeral share (g^x mod p). The group parameters never need refreshing. The ephemeral share needs to be secret so hardcoding it sees like a pretty bad idea. Standard practice is to generate a fresh ephemeral for every connection but you can amortize if you're careful. In particular, you have to worry about small subgroup issues so it starts to get a lot more important to use S-G primes. I can try to draft up some guidance here based on Zuccheratto's S/MIME draft, but if someone (Bodo?) wanted to contribute some text, I wouldn'tcomplain :) -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] TLS 1.2 draft EKR
- Re: [TLS] TLS 1.2 draft Nelson B Bolyard
- Re: [TLS] TLS 1.2 draft EKR
- Re: [TLS] TLS 1.2 draft Nelson B Bolyard
- [TLS] Re: TLS 1.2 draft Simon Josefsson
- RE: [TLS] TLS 1.2 draft (issue #25 about SSLv2 He… Pasi.Eronen
- Re: [TLS] TLS 1.2 draft (issue #25 about SSLv2 He… Mike
- Re: [TLS] TLS 1.2 draft (issue #25 about SSLv2 He… EKR
- Re: [TLS] Re: TLS 1.2 draft Wan-Teh Chang
- Re: [TLS] TLS 1.2 draft Martin Rex
- Re: [TLS] TLS 1.2 draft EKR
- Re: [TLS] TLS 1.2 draft Martin Rex
- Re: [TLS] TLS 1.2 draft Eric Rescorla
- Re: [TLS] TLS 1.2 draft Dr Stephen Henson
- Re: [TLS] Re: TLS 1.2 draft Dr Stephen Henson
- [TLS] Re: TLS 1.2 draft Simon Josefsson
- Re: [TLS] Re: TLS 1.2 draft Steven M. Bellovin
- RE: [TLS] TLS 1.2 draft Pasi.Eronen
- RE: [TLS] Re: TLS 1.2 draft Pasi.Eronen
- Re: [TLS] Re: TLS 1.2 draft Martin Rex
- RE: [TLS] Re: TLS 1.2 draft Pasi.Eronen
- RE: [TLS] TLS 1.2 draft (issue #25 about SSLv2 He… Pasi.Eronen
- Re: [TLS] Re: TLS 1.2 draft Wan-Teh Chang
- [TLS] Re: TLS 1.2 draft EKR