Re: [TLS] Static DH timing attack

Sat, 12 Sep 2020 05:17:10 -0700 

2020-09-12 05:48 GMT+02:00 Peter Gutmann <pgut...@cs.auckland.ac.nz>:
> Filippo Valsorda <fili...@ml.filippo.io> writes:
> 
> >I feel like there should be nothing controversial in the context of TLS.
> >
> >   Non-ephemeral FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DH_*) ought to be a
> > MUST NOT, because they can't be implemented securely.
> >
> >   Reusing ephemeral shares for ECDHE and DHE ought to be a MUST NOT in all
> > TLS versions, because it's unnecessary and has been a requirement for many
> > attacks now.
> >
> >   Non-ephemeral ECDH ciphersuites (TLS_ECDH_*) ought to be a SHOULD NOT,
> > because again ECDH share reuse enables a whole class of attacks.
> >
> >   FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DHE_*) ought to be a SHOULD NOT,
> > because they are specified in a dangerous way that is not secure if shares
> > are reused.
> 
> I agree with the first two but not the last.  Why is non-ephemeral DH a MUST
> NOT but non-ephemeral ECDH a SHOULD NOT?  There's nothing magic about the EC
> form that makes it any better or safer.

Non-ephemeral DH is affected by the Raccoon attack, ECDH is not.

> And for the FFDHE ciphersuites, they're not specified in a dangerous way,
> people implement them in a dangerous way.  You really have to go out of your
> way to get it wrong, in the case of RACCOON it's actually more effort to get
> it wrong (keep old copies of values floating around and reuse them over and
> over) than to get it right (generate a fresh value every time).  So it doesn't
> need a "don't do FFDHE", it needs a "here's a lot of stupid things you can do
> with FFDHE if you put your mind to it.  Don't do any of them".
> 
> Or maybe it can be turned into a more general "here are some dumb things that
> people have done with TLS over the years.  Check your server to make sure
> you're not doing them".  Posting your web server's private key as a .p12 file
> in a subdirectory below $DocumentRoot, for example, would be high on my list.

There are two peers involved in ciphersuite selection, so recommending everyone 
avoids an unsafe ciphersuite can protect connections even if only one side 
takes the advice, and even if it's not the side that made the implementation 
error.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to