< draft-ietf-tls-negotiated-ff-dhe-03.txt   draft-ietf-tls-negotiated-ff-dhe-04.txt >
Internet Engineering Task Force D. Gillmor Internet Engineering Task Force D. Gillmor
Internet-Draft ACLU Internet-Draft ACLU
Updates: 4492, 5246, 4346, 2246 (if November 12, 2014 Updates: 4492, 5246, 4346, 2246 (if December 5, 2014
approved) approved)
Intended status: Informational Intended status: Informational
Expires: May 16, 2015 Expires: June 8, 2015
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS
draft-ietf-tls-negotiated-ff-dhe-03 draft-ietf-tls-negotiated-ff-dhe-04
Abstract Abstract
Traditional finite-field-based Diffie-Hellman (DH) key exchange Traditional finite-field-based Diffie-Hellman (DH) key exchange
during the TLS handshake suffers from a number of security, during the TLS handshake suffers from a number of security,
interoperability, and efficiency shortcomings. These shortcomings interoperability, and efficiency shortcomings. These shortcomings
arise from lack of clarity about which DH group parameters TLS arise from lack of clarity about which DH group parameters TLS
servers should offer and clients should accept. This document offers servers should offer and clients should accept. This document offers
a solution to these shortcomings for compatible peers by using a a solution to these shortcomings for compatible peers by using a
section of the TLS "EC Named Curve Registry" to establish common section of the TLS "EC Named Curve Registry" to establish common
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 16, 2015. This Internet-Draft will expire on June 8, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 43 skipping to change at page 2, line 43
9.6. Timing attacks . . . . . . . . . . . . . . . . . . . . . 12 9.6. Timing attacks . . . . . . . . . . . . . . . . . . . . . 12
9.7. Replay attacks from non-negotiated FFDHE . . . . . . . . 12 9.7. Replay attacks from non-negotiated FFDHE . . . . . . . . 12
9.8. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 12 9.8. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 12
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13
10.1. Client fingerprinting . . . . . . . . . . . . . . . . . 13 10.1. Client fingerprinting . . . . . . . . . . . . . . . . . 13
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
11.1. Normative References . . . . . . . . . . . . . . . . . . 13 11.1. Normative References . . . . . . . . . . . . . . . . . . 13
11.2. Informative References . . . . . . . . . . . . . . . . . 13 11.2. Informative References . . . . . . . . . . . . . . . . . 13
11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 15 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Appendix A. Named Group Registry . . . . . . . . . . . . . . . . 15 Appendix A. Named Group Registry . . . . . . . . . . . . . . . . 15
A.1. ffdhe2432 . . . . . . . . . . . . . . . . . . . . . . . . 15 A.1. ffdhe2048 . . . . . . . . . . . . . . . . . . . . . . . . 15
A.2. ffdhe3072 . . . . . . . . . . . . . . . . . . . . . . . . 16 A.2. ffdhe3072 . . . . . . . . . . . . . . . . . . . . . . . . 16
A.3. ffdhe4096 . . . . . . . . . . . . . . . . . . . . . . . . 18 A.3. ffdhe4096 . . . . . . . . . . . . . . . . . . . . . . . . 18
A.4. ffdhe8192 . . . . . . . . . . . . . . . . . . . . . . . . 19 A.4. ffdhe8192 . . . . . . . . . . . . . . . . . . . . . . . . 19
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 22 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
Traditional TLS [RFC5246] offers a Diffie-Hellman ephemeral (DHE) key Traditional TLS [RFC5246] offers a Diffie-Hellman ephemeral (DHE) key
exchange mode which provides Forward Secrecy for the connection. The exchange mode which provides Forward Secrecy for the connection. The
client offers a ciphersuite in the ClientHello that includes DHE, and client offers a ciphersuite in the ClientHello that includes DHE, and
skipping to change at page 4, line 35 skipping to change at page 4, line 35
Codepoints in the NamedCurve registry with a high byte of 0x01 (that Codepoints in the NamedCurve registry with a high byte of 0x01 (that
is, between 256 and 511 inclusive) are set aside for FFDHE groups, is, between 256 and 511 inclusive) are set aside for FFDHE groups,
though only a small number of them are initially defined and we do though only a small number of them are initially defined and we do
not expect many other FFDHE groups to be added to this range. No not expect many other FFDHE groups to be added to this range. No
codepoints outside of this range will be allocated to FFDHE groups. codepoints outside of this range will be allocated to FFDHE groups.
The new code points for the NamedCurve registry are: The new code points for the NamedCurve registry are:
enum { enum {
// other already defined elliptic curves (see RFC 4492) // other already defined elliptic curves (see RFC 4492)
ffdhe2432(256), ffdhe3072(257), ffdhe4096(258), ffdhe2048(256), ffdhe3072(257), ffdhe4096(258),
ffdhe8192(259), ffdhe8192(259),
// //
} NamedCurve; } NamedCurve;
These additions to the Named Curve registry are described in detail These additions to the Named Curve registry are described in detail
in Appendix A. They are all safe primes derived from the base of the in Appendix A. They are all safe primes derived from the base of the
natural logarithm ("e"), with the high and low 64 bits set to 1 for natural logarithm ("e"), with the high and low 64 bits set to 1 for
efficient Montgomery or Barrett reduction. efficient Montgomery or Barrett reduction.
The use of the base of the natural logarithm here is as a "nothing- The use of the base of the natural logarithm here is as a "nothing-
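Review bot: codepoint 256 is reassigned to a different prime in `ffdhe2048(256), ffdhe3072(257), ffdhe4096(258),` (it was `ffdhe2432(256)` in -03), and nothing in the surrounding text acknowledges the change. An implementation built from -03 that negotiates 256 against a -04 peer will agree on the codepoint and then compute with a different modulus, which fails only at the Finished message with no useful diagnostic. Either state plainly that 256 now denotes ffdhe2048 and that -03 values are incompatible, or, if any -03 code is known to have shipped, move ffdhe2048 to a fresh value and leave 256 unassigned. Also, `No codepoints outside of this range will be allocated to FFDHE groups.` reads as a prediction; since this is a registry rule, 'MUST NOT be allocated' matches the IANA Considerations text and the normative language used elsewhere in the draft.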
skipping to change at page 6, line 47 skipping to change at page 6, line 47
A TLS server MUST NOT select an FFDHE ciphersuite if the client did A TLS server MUST NOT select an FFDHE ciphersuite if the client did
not offer one, even if the client offered an FFDHE group in the not offer one, even if the client offered an FFDHE group in the
Supported Groups extension. Supported Groups extension.
If a non-anonymous FFDHE ciphersuite is chosen, and the TLS client If a non-anonymous FFDHE ciphersuite is chosen, and the TLS client
has used this extension to offer an FFDHE group of comparable or has used this extension to offer an FFDHE group of comparable or
greater strength than the server's public key, the server SHOULD greater strength than the server's public key, the server SHOULD
select an FFDHE group at least as strong as the server's public key. select an FFDHE group at least as strong as the server's public key.
For example, if the server has a 3072-bit RSA key, and the client For example, if the server has a 3072-bit RSA key, and the client
offers only ffdhe2432 and ffdhe4096, the server SHOULD select offers only ffdhe2048 and ffdhe4096, the server SHOULD select
ffdhe4096. ffdhe4096.
When a compatible server selects an FFDHE group from among a client's When a compatible server selects an FFDHE group from among a client's
Supported Groups, and the client sends a ClientKeyExchange, the Supported Groups, and the client sends a ClientKeyExchange, the
server MUST verify that 1 < dh_Yc < dh_p - 1. If it is out of range, server MUST verify that 1 < dh_Yc < dh_p - 1. If it is out of range,
the server MUST terminate the connection with fatal the server MUST terminate the connection with fatal
handshake_failure(40) alert. handshake_failure(40) alert.
5. Optimizations 5. Optimizations
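Review bot: the range check in `server MUST verify that 1 < dh_Yc < dh_p - 1.` is imposed only on the server for the ClientKeyExchange; the matching client-side check of dh_Ys from the ServerKeyExchange does not appear in this hunk and should be an explicit MUST with the same alert, since the client is the side most exposed to a hostile or misconfigured server. It would also help to say here why a single comparison is enough: for a safe prime p = 2q+1 the open interval (1, p-1) excludes exactly the elements of order 1 and 2, which is the reason Appendix A requires safe primes; at present that link is left to the 'inexpensive peer verification' remark in the appendix. Minor: 'with fatal handshake_failure(40) alert' is missing an article ('with a fatal ...').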
skipping to change at page 7, line 40 skipping to change at page 7, line 40
secret exponent from the range [2,p-2]. Using exponentiation by secret exponent from the range [2,p-2]. Using exponentiation by
squaring, this means each peer must do roughly 2*log_2(p) squaring, this means each peer must do roughly 2*log_2(p)
multiplications, twice (once for the generator and once for the multiplications, twice (once for the generator and once for the
peer's public key). peer's public key).
Peers concerned with performance may also prefer to choose their Peers concerned with performance may also prefer to choose their
secret exponent from a smaller range, doing fewer multiplications, secret exponent from a smaller range, doing fewer multiplications,
while retaining the same level of overall security. Each named group while retaining the same level of overall security. Each named group
indicates its approximate security level, and provides a lower-bound indicates its approximate security level, and provides a lower-bound
on the range of secret exponents that should preserve it. For on the range of secret exponents that should preserve it. For
example, rather than doing 2*2*2432 multiplications for a ffdhe2432 example, rather than doing 2*2*3072 multiplications for a ffdhe3072
handshake, each peer can choose to do 2*2*224 multiplications by handshake, each peer can choose to do 2*2*250 multiplications by
choosing their secret exponent from the range [2^223,2^224] (that is, choosing their secret exponent from the range [2^249,2^250] (that is,
a m-bit integer where m is at least 224) and still keep the a m-bit integer where m is at least 224) and still keep the
approximate 112-bit security level. approximate 125-bit security level.
A similar short-exponent approach is suggested in SSH's Diffie- A similar short-exponent approach is suggested in SSH's Diffie-
Hellman key exchange (See section 6.2 of [RFC4419]). Hellman key exchange (See section 6.2 of [RFC4419]).
5.3. Table Acceleration 5.3. Table Acceleration
Peers wishing to further accelerate FFDHE key exchange can also pre- Peers wishing to further accelerate FFDHE key exchange can also pre-
compute a table of powers of the generator of a known group. This is compute a table of powers of the generator of a known group. This is
a memory vs. time tradeoff, and it only accelerates the first a memory vs. time tradeoff, and it only accelerates the first
exponentiation of the ephemeral DH exchange (the fixed-base exponentiation of the ephemeral DH exchange (the fixed-base
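Review bot: the short-exponent example was only half updated. `choosing their secret exponent from the range [2^249,2^250] (that is,` is still followed by `a m-bit integer where m is at least 224) and still keep the`, which contradicts both the new range and the `approximate 125-bit security level.` on the next line; the parenthetical should say 'at least 250', consistent with the 2*2*250 multiplication count and with the rule in Appendix A that the exponent be at least twice the group's estimated strength. Two smaller points: 'a m-bit integer' should be 'an m-bit integer', and the closed upper bound 2^250 is itself a 251-bit value, so the half-open range [2^249, 2^250) says what is meant.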
skipping to change at page 9, line 30 skipping to change at page 9, line 30
elliptic curves. It should add a range designation to that registry, elliptic curves. It should add a range designation to that registry,
indicating that values from 256-511 (inclusive) are set aside for indicating that values from 256-511 (inclusive) are set aside for
"Finite Field Diffie-Hellman groups", and that all other entries in "Finite Field Diffie-Hellman groups", and that all other entries in
the registry are "Elliptic curve groups". the registry are "Elliptic curve groups".
This document allocates five codepoints in the registry, as follows: This document allocates five codepoints in the registry, as follows:
+-------+-------------+---------+-----------------+ +-------+-------------+---------+-----------------+
| Value | Description | DTLS-OK | Reference | | Value | Description | DTLS-OK | Reference |
+-------+-------------+---------+-----------------+ +-------+-------------+---------+-----------------+
| 256 | ffdhe2432 | Y | [this document] | | 256 | ffdhe2048 | Y | [this document] |
| 257 | ffdhe3072 | Y | [this document] | | 257 | ffdhe3072 | Y | [this document] |
| 258 | ffdhe4096 | Y | [this document] | | 258 | ffdhe4096 | Y | [this document] |
| 259 | ffdhe8192 | Y | [this document] | | 259 | ffdhe8192 | Y | [this document] |
+-------+-------------+---------+-----------------+ +-------+-------------+---------+-----------------+
9. Security Considerations 9. Security Considerations
9.1. Negotiation resistance to active attacks 9.1. Negotiation resistance to active attacks
Because the contents of the Supported Groups extension is hashed in Because the contents of the Supported Groups extension is hashed in
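Review bot: `This document allocates five codepoints in the registry, as follows:` does not match the table below it, which lists four entries (256 through 259); four is also the count in the NamedCurve enum earlier in the document and in Appendix A (A.1 to A.4). Either a fifth group has been dropped from the table, the enum and the appendix, or the sentence should say 'four'. Also, in the Security Considerations opening, `Because the contents of the Supported Groups extension is hashed in` should be 'contents ... are hashed'.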
skipping to change at page 12, line 49 skipping to change at page 12, line 49
long-term secret key (usually RSA) is revealed in the future. long-term secret key (usually RSA) is revealed in the future.
This property depends on both sides of the connection discarding This property depends on both sides of the connection discarding
their ephemeral keys promptly. Implementations should wipe their their ephemeral keys promptly. Implementations should wipe their
FFDHE secret key material from memory as soon as it is no longer FFDHE secret key material from memory as soon as it is no longer
needed, and should never store it in persistent storage. needed, and should never store it in persistent storage.
Forward secrecy also depends on the strength of the Diffie-Hellman Forward secrecy also depends on the strength of the Diffie-Hellman
group; using a very strong symmetric cipher like AES256 with a group; using a very strong symmetric cipher like AES256 with a
forward-secret ciphersuite, but generating the keys with a much forward-secret ciphersuite, but generating the keys with a much
weaker group like dhe2432 simply moves the adversary's cost from weaker group like dhe2048 simply moves the adversary's cost from
attacking the symmetric cipher to attacking the dh_Ys or dh_Yc attacking the symmetric cipher to attacking the dh_Ys or dh_Yc
ephemeral keyshares. ephemeral keyshares.
If the goal is to provide forward secrecy, attention should be paid If the goal is to provide forward secrecy, attention should be paid
to all parts of the ciphersuite selection process, both key exchange to all parts of the ciphersuite selection process, both key exchange
and symmetric cipher choice. and symmetric cipher choice.
10. Privacy Considerations 10. Privacy Considerations
10.1. Client fingerprinting 10.1. Client fingerprinting
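Review bot: `weaker group like dhe2048 simply moves the adversary's cost from` uses a name that is not in the registry; the group is called ffdhe2048 in the enum, the IANA table and A.1, and the text should use that name (the -03 text had the same problem with dhe2432). The argument would also be more concrete with the number the document itself supplies: A.1 estimates ffdhe2048 at 103 bits of symmetric-equivalent strength, so pairing it with AES256 leaves the attacker a 103-bit target instead of a 256-bit one, and citing that estimate here turns 'much weaker' into a checkable claim. Finally, 'should wipe ... and should never store it in persistent storage' is lowercase; if these are requirements they should use the capitalised SHOULD / SHOULD NOT that the rest of the draft uses for MUST and SHOULD.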
skipping to change at page 15, line 36 skipping to change at page 15, line 36
p = 2^b - 2^{b-64} + {[2^{b-130} e] + X } * 2^64 - 1 p = 2^b - 2^{b-64} + {[2^{b-130} e] + X } * 2^64 - 1
New additions of FFDHE groups to this registry may use this same New additions of FFDHE groups to this registry may use this same
derivation (e.g. with different bitlengths) or may choose their derivation (e.g. with different bitlengths) or may choose their
parameters in a different way, but must be clear about how the parameters in a different way, but must be clear about how the
parameters were derived. parameters were derived.
New additions of FFDHE groups MUST use a safe prime as the modulus to New additions of FFDHE groups MUST use a safe prime as the modulus to
enable the inexpensive peer verification described in Section 5.1. enable the inexpensive peer verification described in Section 5.1.
A.1. ffdhe2432 A.1. ffdhe2048
The 2432-bit group has registry value 256, and is calcluated from the The 2048-bit group has registry value 256, and is calcluated from the
following formula: following formula:
The modulus is: p = 2^2432 - 2^2368 + {[2^2302 * e] + 2111044} * 2^64 The modulus is: p = 2^2048 - 2^1984 + {[2^1918 * e] + 560315 } * 2^64
- 1 - 1
The hexadecimal representation of p is: The hexadecimal representation of p is:
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19 B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA 3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238 886B4238 61285C97 FFFFFFFF FFFFFFFF
61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C
AEFE1309 8533C8B3 FFFFFFFF FFFFFFFF
The generator is: g = 2 The generator is: g = 2
The group size is: q = (p-1)/2 The group size is: q = (p-1)/2
The hexadecimal representation of q is: The hexadecimal representation of q is:
7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78 7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78
EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C
BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0 BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0
9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A 9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A
CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A
98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD 98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD
DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C
8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0 8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0
C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9 C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9
9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD 9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD
4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C 4435A11C 30942E4B FFFFFFFF FFFFFFFF
30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E
577F0984 C299E459 FFFFFFFF FFFFFFFF
The estimated symmetric-equivalent strength of this group is 112 The estimated symmetric-equivalent strength of this group is 103
bits. bits.
Peers using ffdhe2432 that want to optimize their key exchange with a Peers using ffdhe2048 that want to optimize their key exchange with a
short exponent (Section 5.2) should choose a secret key of at least short exponent (Section 5.2) should choose a secret key of at least
224 bits. 206 bits.
A.2. ffdhe3072 A.2. ffdhe3072
The 3072-bit prime has registry value 257, and is calcluated from the The 3072-bit prime has registry value 257, and is calcluated from the
following formula: following formula:
p = 2^3072 - 2^3008 + {[2^2942 * e] + 2625351} * 2^64 -1 The modulus is: p = 2^3072 - 2^3008 + {[2^2942 * e] + 2625351} * 2^64
-1
The hexadecimal representation of p is: The hexadecimal representation of p is:
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19 B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
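Review bot: the spelling error `calcluated` appears in both A.1 (`The 2048-bit group has registry value 256, and is calcluated from the`) and A.2 (`The 3072-bit prime has registry value 257, and is calcluated from the`), and the two sentences also disagree on whether a 'group' or a 'prime' is being described; suggest 'calculated' and one phrasing for all four appendices, e.g. 'The 2048-bit group has registry value 256; its modulus is calculated from the following formula'. The general formula `p = 2^b - 2^{b-64} + {[2^{b-130} e] + X } * 2^64 - 1` uses square brackets for the integer part without saying so, and does not say how X is chosen; one sentence defining [x] as floor(x) and describing the search for X would let a reader regenerate the constants, which is the point of a nothing-up-my-sleeve construction. The instantiations do check out against the formula (b=2048 gives 2^1984 and 2^1918, b=3072 gives 2^3008 and 2^2942), the new ffdhe2048 p and q are each 64 32-bit words, and q is p shifted right by one bit as required by q = (p-1)/2. Lastly, 'may use this same derivation ... but must be clear about how the parameters were derived' is lowercase while the following paragraph uses MUST; if derivation transparency is a requirement for new registrations it should be capitalised as well.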
 End of changes. 20 change blocks. 
26 lines changed or deleted 24 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/