< draft-ietf-tls-negotiated-ff-dhe-05.txt   draft-ietf-tls-negotiated-ff-dhe-06.txt >
Internet Engineering Task Force D. Gillmor Internet Engineering Task Force D. Gillmor
Internet-Draft ACLU Internet-Draft ACLU
Updates: 4492, 5246, 4346, 2246 (if December 19, 2014 Updates: 4492, 5246, 4346, 2246 (if March 1, 2015
approved) approved)
Intended status: Informational Intended status: Informational
Expires: June 22, 2015 Expires: September 2, 2015
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS
draft-ietf-tls-negotiated-ff-dhe-05 draft-ietf-tls-negotiated-ff-dhe-06
Abstract Abstract
Traditional finite-field-based Diffie-Hellman (DH) key exchange Traditional finite-field-based Diffie-Hellman (DH) key exchange
during the TLS handshake suffers from a number of security, during the TLS handshake suffers from a number of security,
interoperability, and efficiency shortcomings. These shortcomings interoperability, and efficiency shortcomings. These shortcomings
arise from lack of clarity about which DH group parameters TLS arise from lack of clarity about which DH group parameters TLS
servers should offer and clients should accept. This document offers servers should offer and clients should accept. This document offers
a solution to these shortcomings for compatible peers by using a a solution to these shortcomings for compatible peers by using a
section of the TLS "EC Named Curve Registry" to establish common section of the TLS "EC Named Curve Registry" to establish common
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 22, 2015. This Internet-Draft will expire on September 2, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 28 skipping to change at page 2, line 28
4. Server Behavior . . . . . . . . . . . . . . . . . . . . . . . 6 4. Server Behavior . . . . . . . . . . . . . . . . . . . . . . . 6
5. Optimizations . . . . . . . . . . . . . . . . . . . . . . . . 7 5. Optimizations . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Checking the Peer's Public Key . . . . . . . . . . . . . 7 5.1. Checking the Peer's Public Key . . . . . . . . . . . . . 7
5.2. Short Exponents . . . . . . . . . . . . . . . . . . . . . 7 5.2. Short Exponents . . . . . . . . . . . . . . . . . . . . . 7
5.3. Table Acceleration . . . . . . . . . . . . . . . . . . . 8 5.3. Table Acceleration . . . . . . . . . . . . . . . . . . . 8
6. Operational Considerations . . . . . . . . . . . . . . . . . 8 6. Operational Considerations . . . . . . . . . . . . . . . . . 8
6.1. Preference Ordering . . . . . . . . . . . . . . . . . . . 8 6.1. Preference Ordering . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
9. Security Considerations . . . . . . . . . . . . . . . . . . . 9 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9.1. Negotiation resistance to active attacks . . . . . . . . 9 9.1. Negotiation resistance to active attacks . . . . . . . . 10
9.2. Group strength considerations . . . . . . . . . . . . . . 10 9.2. Group strength considerations . . . . . . . . . . . . . . 11
9.3. Finite-Field DHE only . . . . . . . . . . . . . . . . . . 11 9.3. Finite-Field DHE only . . . . . . . . . . . . . . . . . . 11
9.4. Deprecating weak groups . . . . . . . . . . . . . . . . . 11 9.4. Deprecating weak groups . . . . . . . . . . . . . . . . . 11
9.5. Choice of groups . . . . . . . . . . . . . . . . . . . . 11 9.5. Choice of groups . . . . . . . . . . . . . . . . . . . . 12
9.6. Timing attacks . . . . . . . . . . . . . . . . . . . . . 12 9.6. Timing attacks . . . . . . . . . . . . . . . . . . . . . 12
9.7. Replay attacks from non-negotiated FFDHE . . . . . . . . 12 9.7. Replay attacks from non-negotiated FFDHE . . . . . . . . 12
9.8. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 12 9.8. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 13
9.9. False Start . . . . . . . . . . . . . . . . . . . . . . . 13 9.9. False Start . . . . . . . . . . . . . . . . . . . . . . . 13
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 14
10.1. Client fingerprinting . . . . . . . . . . . . . . . . . 13 10.1. Client fingerprinting . . . . . . . . . . . . . . . . . 14
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 13 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 14 11.2. Informative References . . . . . . . . . . . . . . . . . 14
11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 15 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Appendix A. Named Group Registry . . . . . . . . . . . . . . . . 15 Appendix A. Named Group Registry . . . . . . . . . . . . . . . . 16
A.1. ffdhe2048 . . . . . . . . . . . . . . . . . . . . . . . . 16 A.1. ffdhe2048 . . . . . . . . . . . . . . . . . . . . . . . . 16
A.2. ffdhe3072 . . . . . . . . . . . . . . . . . . . . . . . . 17 A.2. ffdhe3072 . . . . . . . . . . . . . . . . . . . . . . . . 17
A.3. ffdhe4096 . . . . . . . . . . . . . . . . . . . . . . . . 18 A.3. ffdhe4096 . . . . . . . . . . . . . . . . . . . . . . . . 19
A.4. ffdhe8192 . . . . . . . . . . . . . . . . . . . . . . . . 20 A.4. ffdhe6144 . . . . . . . . . . . . . . . . . . . . . . . . 20
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 23 A.5. ffdhe8192 . . . . . . . . . . . . . . . . . . . . . . . . 22
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 25
1. Introduction 1. Introduction
Traditional TLS [RFC5246] offers a Diffie-Hellman ephemeral (DHE) key Traditional TLS [RFC5246] offers a Diffie-Hellman ephemeral (DHE) key
exchange mode which provides Forward Secrecy for the connection. The exchange mode which provides Forward Secrecy for the connection. The
client offers a ciphersuite in the ClientHello that includes DHE, and client offers a ciphersuite in the ClientHello that includes DHE, and
the server offers the client group parameters generator g and modulus the server offers the client group parameters generator g and modulus
p. If the client does not consider the group strong enough (e.g. if p. If the client does not consider the group strong enough (e.g. if
p is too small, or if p is not prime, or there are small subgroups), p is too small, or if p is not prime, or there are small subgroups),
or if it is unable to process the group for other reasons, the client or if it is unable to process the group for other reasons, the client
skipping to change at page 3, line 47 skipping to change at page 3, line 47
provides guidance for compliant peers to take advantage of the provides guidance for compliant peers to take advantage of the
additional security, availability, and efficiency offered. additional security, availability, and efficiency offered.
The use of this mechanism by one compliant peer when interacting with The use of this mechanism by one compliant peer when interacting with
a non-compliant peer should have no detrimental effects. a non-compliant peer should have no detrimental effects.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119]. The term
"PRIVATE USE" is to be interpreted as described in [RFC5226].
1.2. Vocabulary 1.2. Vocabulary
The terms "DHE" or "FFDHE" are used in this document to refer to the The terms "DHE" or "FFDHE" are used in this document to refer to the
finite-field-based Diffie-Hellman ephemeral key exchange mechanism in finite-field-based Diffie-Hellman ephemeral key exchange mechanism in
TLS. TLS also supports elliptic-curve-based Diffie-Hellman (ECDHE) TLS. TLS also supports elliptic-curve-based Diffie-Hellman (ECDHE)
ephemeral key exchanges [RFC4492], but this document does not ephemeral key exchanges [RFC4492], but this document does not
document their use. A registry previously used only by ECHDE-capable document their use. A registry previously used only by ECHDE-capable
implementations is expanded in this document to cover FFDHE groups as implementations is expanded in this document to cover FFDHE groups as
well. "FFDHE ciphersuites" is used in this document to refer well. "FFDHE ciphersuites" is used in this document to refer
skipping to change at page 4, line 35 skipping to change at page 4, line 35
Codepoints in the NamedCurve registry with a high byte of 0x01 (that Codepoints in the NamedCurve registry with a high byte of 0x01 (that
is, between 256 and 511 inclusive) are set aside for FFDHE groups, is, between 256 and 511 inclusive) are set aside for FFDHE groups,
though only a small number of them are initially defined and we do though only a small number of them are initially defined and we do
not expect many other FFDHE groups to be added to this range. No not expect many other FFDHE groups to be added to this range. No
codepoints outside of this range will be allocated to FFDHE groups. codepoints outside of this range will be allocated to FFDHE groups.
The new code points for the NamedCurve registry are: The new code points for the NamedCurve registry are:
enum { enum {
// other already defined elliptic curves (see RFC 4492) // other already defined elliptic curves (see RFC 4492)
ffdhe2048(256), ffdhe3072(257), ffdhe4096(258), ffdhe2432(256), ffdhe3072(257), ffdhe4096(258),
ffdhe8192(259), ffdhe6144(259), ffdhe8192(260),
// //
} NamedCurve; } NamedCurve;
These additions to the Named Curve registry are described in detail These additions to the Named Curve registry are described in detail
in Appendix A. They are all safe primes derived from the base of the in Appendix A. They are all safe primes derived from the base of the
natural logarithm ("e"), with the high and low 64 bits set to 1 for natural logarithm ("e"), with the high and low 64 bits set to 1 for
efficient Montgomery or Barrett reduction. efficient Montgomery or Barrett reduction.
The use of the base of the natural logarithm here is as a "nothing- The use of the base of the natural logarithm here is as a "nothing-
up-my-sleeve" number. The goal is to guarantee that the bits in the up-my-sleeve" number. The goal is to guarantee that the bits in the
skipping to change at page 7, line 41 skipping to change at page 7, line 41
squaring, this means each peer must do roughly 2*log_2(p) squaring, this means each peer must do roughly 2*log_2(p)
multiplications, twice (once for the generator and once for the multiplications, twice (once for the generator and once for the
peer's public key). peer's public key).
Peers concerned with performance may also prefer to choose their Peers concerned with performance may also prefer to choose their
secret exponent from a smaller range, doing fewer multiplications, secret exponent from a smaller range, doing fewer multiplications,
while retaining the same level of overall security. Each named group while retaining the same level of overall security. Each named group
indicates its approximate security level, and provides a lower-bound indicates its approximate security level, and provides a lower-bound
on the range of secret exponents that should preserve it. For on the range of secret exponents that should preserve it. For
example, rather than doing 2*2*3072 multiplications for a ffdhe3072 example, rather than doing 2*2*3072 multiplications for a ffdhe3072
handshake, each peer can choose to do 2*2*250 multiplications by handshake, each peer can choose to do 2*2*275 multiplications by
choosing their secret exponent from the range [2^249,2^250] (that is, choosing their secret exponent from the range [2^274,2^275] (that is,
a m-bit integer where m is at least 224) and still keep the a m-bit integer where m is at least 275) and still keep the same
approximate 125-bit security level. approximate security level.
A similar short-exponent approach is suggested in SSH's Diffie- A similar short-exponent approach is suggested in SSH's Diffie-
Hellman key exchange (See section 6.2 of [RFC4419]). Hellman key exchange (See section 6.2 of [RFC4419]).
5.3. Table Acceleration 5.3. Table Acceleration
Peers wishing to further accelerate FFDHE key exchange can also pre- Peers wishing to further accelerate FFDHE key exchange can also pre-
compute a table of powers of the generator of a known group. This is compute a table of powers of the generator of a known group. This is
a memory vs. time tradeoff, and it only accelerates the first a memory vs. time tradeoff, and it only accelerates the first
exponentiation of the ephemeral DH exchange (the fixed-base exponentiation of the ephemeral DH exchange (the fixed-base
skipping to change at page 9, line 7 skipping to change at page 9, line 7
<ffdhe8192,secp384p1,ffdhe3072,secp256r1>. In this example, with the <ffdhe8192,secp384p1,ffdhe3072,secp256r1>. In this example, with the
same CipherSuite offered as the previous example, a server configured same CipherSuite offered as the previous example, a server configured
to respect client preferences and with support for all listed groups to respect client preferences and with support for all listed groups
SHOULD select TLS_DHE_RSA_WITH_AES_128_CBC_SHA with ffdhe8192. A SHOULD select TLS_DHE_RSA_WITH_AES_128_CBC_SHA with ffdhe8192. A
server configured to respect client preferences and with support for server configured to respect client preferences and with support for
only secp384p1 and ffdhe3072 SHOULD select only secp384p1 and ffdhe3072 SHOULD select
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA with secp384p1. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA with secp384p1.
7. Acknowledgements 7. Acknowledgements
Thanks to Fedor Brunner, Dave Fergemann, Sandy Harris, Watson Ladd, Thanks to Fedor Brunner, Dave Fergemann, Niels Ferguson, Sandy
Nikos Mavrogiannopolous, Niels Moeller, Bodo Moeller, Kenny Paterson, Harris, Watson Ladd, Nikos Mavrogiannopolous, Niels Moeller, Bodo
Eric Rescorla, Tom Ritter, Rene Struik, Martin Thomson, Sean Turner, Moeller, Kenny Paterson, Eric Rescorla, Tom Ritter, Rene Struik,
and other members of the TLS Working Group for their comments and Martin Thomson, Sean Turner, and other members of the TLS Working
suggestions on this draft. Any mistakes here are not theirs. Group for their comments and suggestions on this draft. Any mistakes
here are not theirs.
8. IANA Considerations 8. IANA Considerations
IANA maintains the registry currently known as EC Named Curves IANA maintains the registry currently known as EC Named Curves
(originally defined in [RFC4492] and updated by [RFC7027]) at [1]. (originally defined in [RFC4492] and updated by [RFC7027]) at [1].
This document expands the semantics of this registry slightly, to This document expands the semantics of this registry slightly, to
include groups based on finite fields in addition to groups based on include groups based on finite fields in addition to groups based on
elliptic curves. It should add a range designation to that registry, elliptic curves. It should add a range designation to that registry,
indicating that values from 256-511 (inclusive) are set aside for indicating that values from 256-511 (inclusive) are set aside for
"Finite Field Diffie-Hellman groups", and that all other entries in "Finite Field Diffie-Hellman groups", and that all other entries in
the registry are "Elliptic curve groups". the registry are "Elliptic curve groups".
This document allocates five codepoints in the registry, as follows: This document allocates five well-defined codepoints in the registry
for specific Finite Field Diffie-Hellman groups defined in
Appendix A.
+-------+-------------+---------+-----------------+ In addition, the four highest codepoints in this range (508-511,
| Value | Description | DTLS-OK | Reference | inclusive) are designated for PRIVATE USE by peers who have custom
+-------+-------------+---------+-----------------+ Finite Field Diffie-Hellman groups that they wish to signal
| 256 | ffdhe2048 | Y | [this document] | internally.
| 257 | ffdhe3072 | Y | [this document] |
| 258 | ffdhe4096 | Y | [this document] |
| 259 | ffdhe8192 | Y | [this document] |
+-------+-------------+---------+-----------------+
9. Security Considerations The updated registry section should be as follows:
+---------------------+-------------+---------+-----------------+
| Value | Description | DTLS-OK | Reference |
+---------------------+-------------+---------+-----------------+
| 256 | ffdhe2048 | Y | [this document] |
| 257 | ffdhe3072 | Y | [this document] |
| 258 | ffdhe4096 | Y | [this document] |
| 259 | ffdhe6144 | Y | [this document] |
| 260 | ffdhe8192 | Y | [this document] |
| 508-511 (inclusive) | PRIVATE USE | - | - |
+---------------------+-------------+---------+-----------------+
9. Security Considerations
9.1. Negotiation resistance to active attacks 9.1. Negotiation resistance to active attacks
Because the contents of the Supported Groups extension is hashed in Because the contents of the Supported Groups extension is hashed in
the finished message, an active MITM that tries to filter or omit the finished message, an active MITM that tries to filter or omit
groups will cause the handshake to fail, but possibly not before groups will cause the handshake to fail, but possibly not before
getting the peer to do something they would not otherwise have done. getting the peer to do something they would not otherwise have done.
An attacker who impersonates the server can try to do any of the An attacker who impersonates the server can try to do any of the
following: following:
skipping to change at page 11, line 10 skipping to change at page 11, line 26
analysis. Therefore, FFDHE groups should be selected by clients and analysis. Therefore, FFDHE groups should be selected by clients and
servers based on confidentiality guarantees they need. Sessions servers based on confidentiality guarantees they need. Sessions
which need extremely long-term confidentiality should prefer stronger which need extremely long-term confidentiality should prefer stronger
groups. groups.
[ENISA] provides rough estimates of group resistance to attack, and [ENISA] provides rough estimates of group resistance to attack, and
recommends that forward-looking implementations ("future systems") recommends that forward-looking implementations ("future systems")
should use FFDHE group sizes of at least 3072 bits. ffdhe3072 is should use FFDHE group sizes of at least 3072 bits. ffdhe3072 is
intended for use in these implementations. intended for use in these implementations.
Other sources (e.g. [NIST]) estimate the security levels of the DLOG
problem to be slightly more difficult than [ENISA]. This document's
suggested minimum exponent sizes in Appendix A for implementations
that use the short exponents optimization (Section 5.2) are
deliberately conservative to account for the range of these
estimates.
9.3. Finite-Field DHE only 9.3. Finite-Field DHE only
Note that this document specifically targets only finite field-based Note that this document specifically targets only finite field-based
Diffie-Hellman ephemeral key exchange mechanisms. It does not cover Diffie-Hellman ephemeral key exchange mechanisms. It does not cover
the non-ephemeral DH key exchange mechanisms, nor does it address the non-ephemeral DH key exchange mechanisms, nor does it address
elliptic curve DHE (ECDHE) key exchange, which is defined in elliptic curve DHE (ECDHE) key exchange, which is defined in
[RFC4492]. [RFC4492].
Measured by computational cost to the TLS peers, ECDHE appears today Measured by computational cost to the TLS peers, ECDHE appears today
to offer much a stronger key exchange than FFDHE. to offer much a stronger key exchange than FFDHE.
skipping to change at page 13, line 22 skipping to change at page 13, line 47
proposed FFDHE group from a server that is attacker-controlled. In proposed FFDHE group from a server that is attacker-controlled. In
particular, the attacker can modify the ClientHello to strip the particular, the attacker can modify the ClientHello to strip the
proposed FFDHE groups, which may cause the server to offer a weaker proposed FFDHE groups, which may cause the server to offer a weaker
FFDHE group than it should, and this will not be detected until FFDHE group than it should, and this will not be detected until
receipt of the server's Finished message. This could cause the a receipt of the server's Finished message. This could cause the a
client using the False Start protocol modification to send data client using the False Start protocol modification to send data
encrypted under a weak key agreement. encrypted under a weak key agreement.
Clients should have their own classification of FFDHE groups that are Clients should have their own classification of FFDHE groups that are
"cryptographically strong" in the same sense described in the "cryptographically strong" in the same sense described in the
description of symmetric ciphers in [FALSE-START], and MUST offer at description of symmetric ciphers in [FALSE-START], and SHOULD offer
least one of these in the initial handshake if they contemplate using at least one of these in the initial handshake if they contemplate
the False Start protocol modification. using the False Start protocol modification with an FFDHE
ciphersuite.
Compatible clients performing a full handshake MUST NOT use the False Compatible clients performing a full handshake MUST NOT use the False
Start protocol modification if the server selects an FFDHE Start protocol modification if the server selects an FFDHE
ciphersuite but sends a group that is not cryptographically strong ciphersuite but sends a group that is not cryptographically strong
from the client's perspective. from the client's perspective.
10. Privacy Considerations 10. Privacy Considerations
10.1. Client fingerprinting 10.1. Client fingerprinting
skipping to change at page 14, line 9 skipping to change at page 14, line 37
Layer Security (TLS) False Start", Work in Progress, Layer Security (TLS) False Start", Work in Progress,
draft-bmoeller-tls-falsestart-01, November 2014. draft-bmoeller-tls-falsestart-01, November 2014.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492, May 2006. for Transport Layer Security (TLS)", RFC 4492, May 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
11.2. Informative References 11.2. Informative References
[CROSS-PROTOCOL] [CROSS-PROTOCOL]
Mavrogiannopolous, N., Vercauteren, F., Velichkov, V., and Mavrogiannopolous, N., Vercauteren, F., Velichkov, V., and
B. Preneel, "A Cross-Protocol Attack on the TLS Protocol", B. Preneel, "A Cross-Protocol Attack on the TLS Protocol",
October 2012, October 2012,
<http://www.cosic.esat.kuleuven.be/publications/ <http://www.cosic.esat.kuleuven.be/publications/
skipping to change at page 14, line 34 skipping to change at page 15, line 18
September 2012, September 2012,
<http://www.ecrypt.eu.org/documents/D.SPA.20.pdf>. <http://www.ecrypt.eu.org/documents/D.SPA.20.pdf>.
[ENISA] European Union Agency for Network and Information Security [ENISA] European Union Agency for Network and Information Security
Agency, "Algorithms, Key Sizes and Parameters Report, Agency, "Algorithms, Key Sizes and Parameters Report,
version 1.0", October 2013, version 1.0", October 2013,
<http://www.enisa.europa.eu/activities/identity-and- <http://www.enisa.europa.eu/activities/identity-and-
trust/library/deliverables/ trust/library/deliverables/
algorithms-key-sizes-and-parameters-report>. algorithms-key-sizes-and-parameters-report>.
[NIST] National Institute of Standards and Technology, "NIST
Special Publication 800-57. Recommendation for key
management - Part 1: General (Revision 3)", 2012,
<http://csrc.nist.gov/publications/nistpubs/800-57/
sp800-57_part1_rev3_general.pdf>.
[PANOPTICLICK] [PANOPTICLICK]
Electronic Frontier Foundation, "Panopticlick: How Unique Electronic Frontier Foundation, "Panopticlick: How Unique
- and Trackable - Is Your Browser?", 2010, - and Trackable - Is Your Browser?", 2010,
<https://panopticlick.eff.org/>. <https://panopticlick.eff.org/>.
[RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE)", Diffie-Hellman groups for Internet Key Exchange (IKE)",
RFC 3526, May 2003. RFC 3526, May 2003.
[RFC4419] Friedl, M., Provos, N., and W. Simpson, "Diffie-Hellman [RFC4419] Friedl, M., Provos, N., and W. Simpson, "Diffie-Hellman
skipping to change at page 17, line 7 skipping to change at page 17, line 41
8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0 8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0
C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9 C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9
9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD 9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD
4435A11C 30942E4B FFFFFFFF FFFFFFFF 4435A11C 30942E4B FFFFFFFF FFFFFFFF
The estimated symmetric-equivalent strength of this group is 103 The estimated symmetric-equivalent strength of this group is 103
bits. bits.
Peers using ffdhe2048 that want to optimize their key exchange with a Peers using ffdhe2048 that want to optimize their key exchange with a
short exponent (Section 5.2) should choose a secret key of at least short exponent (Section 5.2) should choose a secret key of at least
206 bits. 225 bits.
A.2. ffdhe3072 A.2. ffdhe3072
The 3072-bit prime has registry value 257, and is calcluated from the The 3072-bit prime has registry value 257, and is calcluated from the
following formula: following formula:
The modulus is: p = 2^3072 - 2^3008 + {[2^2942 * e] + 2625351} * 2^64 The modulus is: p = 2^3072 - 2^3008 + {[2^2942 * e] + 2625351} * 2^64
-1 -1
The hexadecimal representation of p is: The hexadecimal representation of p is:
skipping to change at page 18, line 27 skipping to change at page 18, line 50
577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9 577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9
B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06 B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06
D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7 D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7
9E0D9077 1FEACEBE 12F20E95 B363171B FFFFFFFF FFFFFFFF 9E0D9077 1FEACEBE 12F20E95 B363171B FFFFFFFF FFFFFFFF
The estimated symmetric-equivalent strength of this group is 125 The estimated symmetric-equivalent strength of this group is 125
bits. bits.
Peers using ffdhe3072 that want to optimize their key exchange with a Peers using ffdhe3072 that want to optimize their key exchange with a
short exponent (Section 5.2) should choose a secret key of at least short exponent (Section 5.2) should choose a secret key of at least
250 bits. 275 bits.
A.3. ffdhe4096 A.3. ffdhe4096
The 4096-bit group has registry value 258, and is calcluated from the The 4096-bit group has registry value 258, and is calcluated from the
following formula: following formula:
The modulus is: p = 2^4096 - 2^4032 + {[2^3966 * e] + 5736041} * 2^64 The modulus is: p = 2^4096 - 2^4032 + {[2^3966 * e] + 5736041} * 2^64
- 1 - 1
The hexadecimal representation of p is: The hexadecimal representation of p is:
skipping to change at page 20, line 33 skipping to change at page 20, line 33
5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD 5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD
0D0EDC9E B8A0001E 15276754 FCC68566 054148E6 E764BEE7 0D0EDC9E B8A0001E 15276754 FCC68566 054148E6 E764BEE7
C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F32AFB5 C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F32AFB5
7FFFFFFF FFFFFFFF 7FFFFFFF FFFFFFFF
The estimated symmetric-equivalent strength of this group is 150 The estimated symmetric-equivalent strength of this group is 150
bits. bits.
Peers using ffdhe4096 that want to optimize their key exchange with a Peers using ffdhe4096 that want to optimize their key exchange with a
short exponent (Section 5.2) should choose a secret key of at least short exponent (Section 5.2) should choose a secret key of at least
300 bits. 325 bits.
A.4. ffdhe8192 A.4. ffdhe6144
The 8192-bit group has registry value 259, and is calcluated from the The 6144-bit group has registry value 259, and is calcluated from the
following formula: following formula:
The modulus is: p = 2^8192 - 2^8128 + {[2^8062 * e] + 10965728} * The modulus is: p = 2^6144 - 2^6080 + {[2^6014 * e] + 15705020} *
2^64 - 1 2^64 - 1
The hexadecimal representation of p is: The hexadecimal representation of p is:
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
skipping to change at page 21, line 36 skipping to change at page 21, line 36
0BFD64B6 45036C7A 4E677D2C 38532A3A 23BA4442 CAF53EA6 0BFD64B6 45036C7A 4E677D2C 38532A3A 23BA4442 CAF53EA6
3BB45432 9B7624C8 917BDD64 B1C0FD4C B38E8C33 4C701C3A 3BB45432 9B7624C8 917BDD64 B1C0FD4C B38E8C33 4C701C3A
CDAD0657 FCCFEC71 9B1F5C3E 4E46041F 388147FB 4CFDB477 CDAD0657 FCCFEC71 9B1F5C3E 4E46041F 388147FB 4CFDB477
A52471F7 A9A96910 B855322E DB6340D8 A00EF092 350511E3 A52471F7 A9A96910 B855322E DB6340D8 A00EF092 350511E3
0ABEC1FF F9E3A26E 7FB29F8C 183023C3 587E38DA 0077D9B4 0ABEC1FF F9E3A26E 7FB29F8C 183023C3 587E38DA 0077D9B4
763E4E4B 94B2BBC1 94C6651E 77CAF992 EEAAC023 2A281BF6 763E4E4B 94B2BBC1 94C6651E 77CAF992 EEAAC023 2A281BF6
B3A739C1 22611682 0AE8DB58 47A67CBE F9C9091B 462D538C B3A739C1 22611682 0AE8DB58 47A67CBE F9C9091B 462D538C
D72B0374 6AE77F5E 62292C31 1562A846 505DC82D B854338A D72B0374 6AE77F5E 62292C31 1562A846 505DC82D B854338A
E49F5235 C95B9117 8CCF2DD5 CACEF403 EC9D1810 C6272B04 E49F5235 C95B9117 8CCF2DD5 CACEF403 EC9D1810 C6272B04
5B3B71F9 DC6B80D6 3FDD4A8E 9ADB1E69 62A69526 D43161C1 5B3B71F9 DC6B80D6 3FDD4A8E 9ADB1E69 62A69526 D43161C1
A41D570D 7938DAD4 A40E329C D0E40E65 FFFFFFFF FFFFFFFF
The generator is: g = 2
The group size is: q = (p-1)/2
The hexadecimal representation of q is:
7FFFFFFF FFFFFFFF D6FC2A2C 515DA54D 57EE2B10 139E9E78
EC5CE2C1 E7169B4A D4F09B20 8A3219FD E649CEE7 124D9F7C
BE97F1B1 B1863AEC 7B40D901 576230BD 69EF8F6A EAFEB2B0
9219FA8F AF833768 42B1B2AA 9EF68D79 DAAB89AF 3FABE49A
CC278638 707345BB F15344ED 79F7F439 0EF8AC50 9B56F39A
98566527 A41D3CBD 5E0558C1 59927DB0 E88454A5 D96471FD
DCB56D5B B06BFA34 0EA7A151 EF1CA6FA 572B76F3 B1B95D8C
8583D3E4 770536B8 4F017E70 E6FBF176 601A0266 941A17B0
C8B97F4E 74C2C1FF C7278919 777940C1 E1FF1D8D A637D6B9
9DDAFE5E 17611002 E2C778C1 BE8B41D9 6379A513 60D977FD
4435A11C 308FE7EE 6F1AAD9D B28C81AD DE1A7A6F 7CCE011C
30DA37E4 EB736483 BD6C8E93 48FBFBF7 2CC6587D 60C36C8E
577F0984 C289C938 5A098649 DE21BCA2 7A7EA229 716BA6E9
B279710F 38FAA5FF AE574155 CE4EFB4F 743695E2 911B1D06
D5E290CB CD86F56D 0EDFCD21 6AE22427 055E6835 FD29EEF7
9E0D9077 1FEACEBE 12F20E95 B34F0F78 B737A961 8B26FA7D
BC9874F2 72C42BDB 563EAFA1 6B4FB68C 3BB1E78E AA81A002
43FAADD2 BF18E63D 389AE443 77DA18C5 76B50F00 96CF3419
5483B005 48C09862 36E3BC7C B8D6801C 0494CCD1 99E5C5BD
0D0EDC9E B8A0001E 15276754 FCC68566 054148E6 E764BEE7
C764DAAD 3FC45235 A6DAD428 FA20C170 E345003F 2F06EC81
05FEB25B 2281B63D 2733BE96 1C29951D 11DD2221 657A9F53
1DDA2A19 4DBB1264 48BDEEB2 58E07EA6 59C74619 A6380E1D
66D6832B FE67F638 CD8FAE1F 2723020F 9C40A3FD A67EDA3B
D29238FB D4D4B488 5C2A9917 6DB1A06C 50077849 1A8288F1
855F60FF FCF1D137 3FD94FC6 0C1811E1 AC3F1C6D 003BECDA
3B1F2725 CA595DE0 CA63328F 3BE57CC9 77556011 95140DFB
59D39CE0 91308B41 05746DAC 23D33E5F 7CE4848D A316A9C6
6B9581BA 3573BFAF 31149618 8AB15423 282EE416 DC2A19C5
724FA91A E4ADC88B C66796EA E5677A01 F64E8C08 63139582
2D9DB8FC EE35C06B 1FEEA547 4D6D8F34 B1534A93 6A18B0E0
D20EAB86 BC9C6D6A 5207194E 68720732 FFFFFFFF FFFFFFFF
The estimated symmetric-equivalent strength of this group is 175
bits.
Peers using ffdhe6144 that want to optimize their key exchange with a
short exponent (Section 5.2) should choose a secret key of at least
375 bits.
A.5. ffdhe8192
The 8192-bit group has registry value 260, and is calcluated from the
following formula:
The modulus is: p = 2^8192 - 2^8128 + {[2^8062 * e] + 10965728} *
2^64 - 1
The hexadecimal representation of p is:
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
886B4238 611FCFDC DE355B3B 6519035B BC34F4DE F99C0238
61B46FC9 D6E6C907 7AD91D26 91F7F7EE 598CB0FA C186D91C
AEFE1309 85139270 B4130C93 BC437944 F4FD4452 E2D74DD3
64F2E21E 71F54BFF 5CAE82AB 9C9DF69E E86D2BC5 22363A0D
ABC52197 9B0DEADA 1DBF9A42 D5C4484E 0ABCD06B FA53DDEF
3C1B20EE 3FD59D7C 25E41D2B 669E1EF1 6E6F52C3 164DF4FB
7930E9E4 E58857B6 AC7D5F42 D69F6D18 7763CF1D 55034004
87F55BA5 7E31CC7A 7135C886 EFB4318A ED6A1E01 2D9E6832
A907600A 918130C4 6DC778F9 71AD0038 092999A3 33CB8B7A
1A1DB93D 7140003C 2A4ECEA9 F98D0ACC 0A8291CD CEC97DCF
8EC9B55A 7F88A46B 4DB5A851 F44182E1 C68A007E 5E0DD902
0BFD64B6 45036C7A 4E677D2C 38532A3A 23BA4442 CAF53EA6
3BB45432 9B7624C8 917BDD64 B1C0FD4C B38E8C33 4C701C3A
CDAD0657 FCCFEC71 9B1F5C3E 4E46041F 388147FB 4CFDB477
A52471F7 A9A96910 B855322E DB6340D8 A00EF092 350511E3
0ABEC1FF F9E3A26E 7FB29F8C 183023C3 587E38DA 0077D9B4
763E4E4B 94B2BBC1 94C6651E 77CAF992 EEAAC023 2A281BF6
B3A739C1 22611682 0AE8DB58 47A67CBE F9C9091B 462D538C
D72B0374 6AE77F5E 62292C31 1562A846 505DC82D B854338A
E49F5235 C95B9117 8CCF2DD5 CACEF403 EC9D1810 C6272B04
5B3B71F9 DC6B80D6 3FDD4A8E 9ADB1E69 62A69526 D43161C1
A41D570D 7938DAD4 A40E329C CFF46AAA 36AD004C F600C838 A41D570D 7938DAD4 A40E329C CFF46AAA 36AD004C F600C838
1E425A31 D951AE64 FDB23FCE C9509D43 687FEB69 EDD1CC5E 1E425A31 D951AE64 FDB23FCE C9509D43 687FEB69 EDD1CC5E
0B8CC3BD F64B10EF 86B63142 A3AB8829 555B2F74 7C932665 0B8CC3BD F64B10EF 86B63142 A3AB8829 555B2F74 7C932665
CB2C0F1C C01BD702 29388839 D2AF05E4 54504AC7 8B758282 CB2C0F1C C01BD702 29388839 D2AF05E4 54504AC7 8B758282
2846C0BA 35C35F5C 59160CC0 46FD8251 541FC68C 9C86B022 2846C0BA 35C35F5C 59160CC0 46FD8251 541FC68C 9C86B022
BB709987 6A460E74 51A8A931 09703FEE 1C217E6C 3826E52C BB709987 6A460E74 51A8A931 09703FEE 1C217E6C 3826E52C
51AA691E 0E423CFC 99E9E316 50C1217B 624816CD AD9A95F9 51AA691E 0E423CFC 99E9E316 50C1217B 624816CD AD9A95F9
D5B80194 88D9C0A0 A1FE3075 A577E231 83F81D4A 3F2FA457 D5B80194 88D9C0A0 A1FE3075 A577E231 83F81D4A 3F2FA457
1EFC8CE0 BA8A4FE8 B6855DFE 72B0A66E DED2FBAB FBE58A30 1EFC8CE0 BA8A4FE8 B6855DFE 72B0A66E DED2FBAB FBE58A30
FAFABE1C 5D71A87E 2F741EF8 C1FE86FE A6BBFDE5 30677F0D FAFABE1C 5D71A87E 2F741EF8 C1FE86FE A6BBFDE5 30677F0D
skipping to change at page 23, line 7 skipping to change at page 25, line 10
8F7E4670 5D4527F4 5B42AEFF 39585337 6F697DD5 FDF2C518 8F7E4670 5D4527F4 5B42AEFF 39585337 6F697DD5 FDF2C518
7D7D5F0E 2EB8D43F 17BA0F7C 60FF437F 535DFEF2 9833BF86 7D7D5F0E 2EB8D43F 17BA0F7C 60FF437F 535DFEF2 9833BF86
CBE88EA4 FBD4221E 84117283 54FA30A7 008F154A 41C7FC46 CBE88EA4 FBD4221E 84117283 54FA30A7 008F154A 41C7FC46
6B4645DB E2E32126 7FFFFFFF FFFFFFFF 6B4645DB E2E32126 7FFFFFFF FFFFFFFF
The estimated symmetric-equivalent strength of this group is 192 The estimated symmetric-equivalent strength of this group is 192
bits. bits.
Peers using ffdhe8192 that want to optimize their key exchange with a Peers using ffdhe8192 that want to optimize their key exchange with a
short exponent (Section 5.2) should choose a secret key of at least short exponent (Section 5.2) should choose a secret key of at least
384 bits. 400 bits.
Author's Address Author's Address
Daniel Kahn Gillmor Daniel Kahn Gillmor
ACLU ACLU
125 Broad Street, 18th Floor 125 Broad Street, 18th Floor
New York, NY 10004 New York, NY 10004
USA USA
Email: dkg@fifthhorseman.net Email: dkg@fifthhorseman.net
 End of changes. 31 change blocks. 
50 lines changed or deleted 169 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/