rfcdiff: draft-ietf-tls-negotiated-ff-dhe-07.txt [-07] versus draft-ietf-tls-negotiated-ff-dhe-08.txt [-08]. Text common to both versions is shown once; where the versions differ, the lines are marked [-07] and [-08].
Internet Engineering Task Force                              D. Gillmor
Internet-Draft                                                     ACLU
Updates: 4492, 5246, 4346, 2246 (if approved)
[-07]                                                     March 4, 2015
[-08]                                                    March 28, 2015
Intended status: Informational
[-07] Expires: September 5, 2015
[-08] Expires: September 29, 2015

   Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS
[-07]             draft-ietf-tls-negotiated-ff-dhe-07
[-08]             draft-ietf-tls-negotiated-ff-dhe-08
Abstract

   Traditional finite-field-based Diffie-Hellman (DH) key exchange
   during the TLS handshake suffers from a number of security,
   interoperability, and efficiency shortcomings.  These shortcomings
   arise from lack of clarity about which DH group parameters TLS
   servers should offer and clients should accept.  This document offers
   a solution to these shortcomings for compatible peers by using a
   section of the TLS "EC Named Curve Registry" to establish common
   [skipping to change at page 1, line 40]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

[-07] This Internet-Draft will expire on September 5, 2015.
[-08] This Internet-Draft will expire on September 29, 2015.
Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 9, line 8]
   same CipherSuite offered as the previous example, a server configured
   to respect client preferences and with support for all listed groups
   SHOULD select TLS_DHE_RSA_WITH_AES_128_CBC_SHA with ffdhe8192.  A
   server configured to respect client preferences and with support for
   only secp384p1 and ffdhe3072 SHOULD select
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA with secp384p1.
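The selection rule the paragraph above illustrates can be modelled in a few lines. What follows is an added example, not text or code from the draft. The client's offer is constructed here so that it reproduces the two outcomes stated above (the draft's own offer is on the preceding page, which this diff does not show), and the "group order first, then cipher-suite order" policy is this model's reading of "respect client preferences", chosen because it is the only ordering consistent with both stated outcomes. The codepoints for ffdhe3072 through ffdhe8192 are the values later registered by RFC 7919 and the curve values are those of RFC 4492; neither set appears on this page.

```python
# Added example (not from the draft): model a TLS 1.2 server that respects
# client preferences when pairing an ephemeral-DH cipher suite with a group
# from the Supported Groups (formerly "elliptic_curves") extension.

# Registry codepoints.  256-511 is the FFDHE range from the draft's IANA
# section and ffdhe2048 = 256 is given in Appendix A.1; the other FFDHE
# values (RFC 7919) and the EC curve values (RFC 4492) are not on this page.
FFDHE_RANGE = range(256, 512)
NAMED_GROUPS = {
    "secp256r1": 23,
    "secp384p1": 24,      # the draft's spelling; the RFC 4492 curve is secp384r1
    "ffdhe2048": 256,
    "ffdhe3072": 257,
    "ffdhe4096": 258,
    "ffdhe6144": 259,
    "ffdhe8192": 260,
}


def kx_family(suite):
    """Ephemeral key-exchange family implied by an IANA cipher-suite name."""
    if suite.startswith("TLS_ECDHE_"):
        return "ECDHE"
    if suite.startswith("TLS_DHE_"):
        return "FFDHE"
    raise ValueError(f"not an ephemeral Diffie-Hellman suite: {suite}")


def group_family(name):
    """FFDHE for codepoints 256-511, ECDHE for the EC named curves."""
    return "FFDHE" if NAMED_GROUPS[name] in FFDHE_RANGE else "ECDHE"


def select(client_suites, client_groups, server_suites, server_groups):
    """Pick (suite, group) for the handshake, or None.

    Policy (this model's assumption, consistent with the draft's two stated
    outcomes): walk the client's group list in its preference order and, for
    the first group the server supports, take the client's most preferred
    suite of the matching family that the server also supports.  Because a
    suite is only ever returned together with an acceptable group, a DHE
    suite is never chosen when no client-offered FFDHE group is acceptable.
    """
    for group in client_groups:
        if group not in server_groups:
            continue
        family = group_family(group)
        for suite in client_suites:
            if suite in server_suites and kx_family(suite) == family:
                return suite, group
    return None   # nothing mutually acceptable: the server must not guess a group


# Constructed client offer, chosen to reproduce the outcomes stated above.
CLIENT_SUITES = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
CLIENT_GROUPS = ["ffdhe8192", "secp384p1", "ffdhe3072"]


def server_with_all_groups():
    return select(CLIENT_SUITES, CLIENT_GROUPS, set(CLIENT_SUITES), set(NAMED_GROUPS))


def server_with_secp384p1_and_ffdhe3072():
    return select(CLIENT_SUITES, CLIENT_GROUPS, set(CLIENT_SUITES),
                  {"secp384p1", "ffdhe3072"})


def server_with_only_ffdhe2048():
    # The server implements the DHE suite but none of the client's FFDHE
    # groups: it must not fall back to a group the client did not offer.
    return select(CLIENT_SUITES, CLIENT_GROUPS, set(CLIENT_SUITES), {"ffdhe2048"})


if __name__ == "__main__":
    print(server_with_all_groups())
    print(server_with_secp384p1_and_ffdhe3072())
    print(server_with_only_ffdhe2048())
```

The third case is the one operators most often get wrong: a server that implements TLS_DHE_RSA_* but only has ffdhe2048 (or a locally generated group) must treat the client's explicit FFDHE list as binding and not send a ServerKeyExchange with a group the client did not offer.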
7.  Acknowledgements

[-07]
   Thanks to Fedor Brunner, Dave Fergemann, Niels Ferguson, Sandy
   Harris, Watson Ladd, Nikos Mavrogiannopolous, Niels Moeller, Bodo
   Moeller, Kenny Paterson, Eric Rescorla, Tom Ritter, Rene Struik,
   Martin Thomson, Sean Turner, and other members of the TLS Working
   Group for their comments and suggestions on this draft.  Any mistakes
   here are not theirs.

[-08]
   Thanks to Fedor Brunner, Dave Fergemann, Niels Ferguson, Sandy
   Harris, Tero Kivinen, Watson Ladd, Nikos Mavrogiannopolous, Niels
   Moeller, Bodo Moeller, Kenny Paterson, Eric Rescorla, Tom Ritter,
   Rene Struik, Martin Thomson, Sean Turner, and other members of the
   TLS Working Group for their comments and suggestions on this draft.
   Any mistakes here are not theirs.
8.  IANA Considerations

   IANA maintains the registry currently known as EC Named Curves
   (originally defined in [RFC4492] and updated by [RFC7027]) at [1].
   This document expands the semantics of this registry slightly, to
   include groups based on finite fields in addition to groups based on
   elliptic curves.  It should add a range designation to that registry,
   indicating that values from 256-511 (inclusive) are set aside for
   [skipping to change at page 16, line 51]

   parameters were derived.
   New additions of FFDHE groups MUST use a safe prime as the modulus to
   enable the inexpensive peer verification described in Section 5.1.
A.1.  ffdhe2048

   The 2048-bit group has registry value 256, and is calculated from the
   following formula:

[-07] The modulus is: p = 2^2048 - 2^1984 + {[2^1918 * e] + 560315 } * 2^64 - 1
[-08] The modulus is: p = 2^2048 - 2^1984 + {[2^1918 * e] + 560316 } * 2^64 - 1
   The hexadecimal representation of p is:

      FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
      D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
      7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
      2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
      984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
      30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
      B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
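Both the safe-prime requirement stated above and the ffdhe2048 formula can be checked directly, and doing so shows why the -08 correction of the constant matters. The following is an added example, not part of the draft: it derives p from the -08 formula with exact integer arithmetic, compares it against the rows of hex printed above, confirms that p and (p-1)/2 are both (probably) prime, and shows that the -07 constant 560315 yields a number that still matches the printed rows (the difference sits below them, in the low bits) but fails the safe-prime check. The 1 < Y < p-1 range check is this example's reading of the "inexpensive peer verification" the text points to in Section 5.1, which this diff does not show. Standard library only.

```python
# Added example (not from the draft): derive ffdhe2048 from the -08 formula,
# check it against the hex printed above, and run the safe-prime and
# peer-public-value checks the draft's text relies on.

# Appendix A.1, draft -08:  p = 2^2048 - 2^1984 + {[2^1918 * e] + 560316} * 2^64 - 1
# where [x] is the integer part.  Draft -07 printed the offset as 560315.
OFFSET_08 = 560316
OFFSET_07 = 560315


def floor_pow2_times_e(n, guard=64):
    """floor(2^n * e), exactly, using only integer arithmetic.

    e = sum 1/k!, so 2^(n+guard) * e is accumulated as floor(2^(n+guard)/k!).
    Each term loses less than 1 and only a few hundred terms are nonzero, so
    the total error is far below 2^guard and is discarded by the final shift
    (exact unless 2^n*e lies within about 2^-(guard-10) of an integer, which
    for n = 1918 it does not)."""
    scaled = 1 << (n + guard)
    total, factorial, k = 0, 1, 0
    while True:
        term = scaled // factorial
        if term == 0:
            break
        total += term
        k += 1
        factorial *= k
    return total >> guard


def ffdhe2048(offset=OFFSET_08):
    """The ffdhe2048 modulus from the Appendix A.1 formula."""
    return (1 << 2048) - (1 << 1984) + (floor_pow2_times_e(1918) + offset) * (1 << 64) - 1


# The seven rows of the hex representation printed on this page.
PAGE_HEX_PREFIX = (
    "FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 "
    "D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 "
    "7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 "
    "2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 "
    "984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 "
    "30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB "
    "B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19"
).replace(" ", "")


def matches_page_hex(p):
    """True if p is a 2048-bit value whose hex starts with the printed rows."""
    hexp = format(p, "X")
    return len(hexp) == 512 and hexp.startswith(PAGE_HEX_PREFIX)


def is_probable_prime(n, bases=(2, 3, 5, 7, 11)):
    """Miller-Rabin with fixed small bases: fine for checking a published
    constant, not a substitute for a proper test when generating primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p and q = (p-1)/2 both prime: the property Appendix A requires."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def peer_public_value_ok(y, p):
    """Range check on a received DH public value: 1 < y < p-1.

    In a safe-prime group every element other than 1 and p-1 has order q or
    2q, so once those two values are rejected a malicious peer can learn at
    most one bit (the parity of our private exponent) from our reply; no
    y^q mod p == 1 subgroup test is needed for that guarantee."""
    return 1 < y < p - 1


if __name__ == "__main__":
    p = ffdhe2048()
    print("bits:", p.bit_length(), " matches printed hex:", matches_page_hex(p))
    print("safe prime (-08 constant):", is_safe_prime(p))
    print("safe prime (-07 constant):", is_safe_prime(ffdhe2048(OFFSET_07)))
```

The hex prefix comparison alone would not have caught the -07 typo, because the offset only affects bits 64 and up by about 2^64; the safe-prime test does, which is why the derivation formula, the full hex and the primality property should all be checked together when a group is transcribed into an implementation.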
 End of changes.  6 change blocks.
 10 lines changed or deleted             10 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/