Scott Fluhrer (sfluhrer) <[email protected]> writes:
>The problem is that it is hard for the client to distinguish between a well
>designed server vs a server that isn't as well written, and selects the DH
>group in a naïve way.
What should the client do if it could detect this? And how would it
distinguish between a server that selects bad DH parameters, a server that
uses time() to seed its RNG for prime generation, a server that has a buffer
overflow allowing RCE, and a server whose ACLs allow read/write access to any
file on the filesystem including its private key(s)?
>Now, as I mentioned in the WG meeting, it would be possible to detect if the
>server proposes a safe prime (it's not especially cheap, being several times
>as expensive as the rest of the DH operations, but it's possible),
Or you could use TLS-LTS, which sends { p, q, g }, allowing the client to
verify certain properties about the primes being used at next to no cost.
Peter.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
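The two client-side options being weighed above (primality-testing (p-1)/2 yourself versus checking a server-supplied q), as an added example that is not part of the thread and not TLS-LTS's own code. It assumes a safe-prime group p = 2q + 1 with g meant to generate the order-q subgroup, measures cost in modular exponentiations (one DH operation is roughly one modexp), and uses a fixed RNG seed and constructed Miller-Rabin round counts so the run is reproducible; none of those choices come from the posting.

```python
"""Client checks on server-sent DH parameters, with and without q in hand.
Added example; assumptions: safe-prime group p = 2q+1, cost = modexp count,
seeded RNG and round counts constructed for the demo."""
import random

MODEXP_CALLS = 0  # crude cost meter; zeroed before each measurement


def modexp(base, exp, mod):
    global MODEXP_CALLS
    MODEXP_CALLS += 1
    return pow(base, exp, mod)


def is_probable_prime(n, rounds=16, rng=None):
    """Trial division, then Miller-Rabin; each round costs one modexp."""
    rng = rng or random.Random(0)
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = modexp(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits, rng):
    """Server-side setup for the demo: p = 2q+1 with both p and q prime."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if q % 3 != 2:  # otherwise q or p is divisible by 3
            continue
        p = 2 * q + 1
        if is_probable_prime(q, 8, rng) and is_probable_prime(p, 8, rng):
            return p, q


def check_params_with_q(p, q, g):
    """Cheap checks once q is sent too: one modexp. Caveat: this proves
    neither p nor q prime; a client wanting that still pays for a test."""
    if p % 2 == 0 or p != 2 * q + 1:
        return False, "p is not 2q+1"
    if not 1 < g < p - 1:
        return False, "g outside (1, p-1)"
    if modexp(g, q, p) != 1:
        return False, "g does not have order q"
    return True, "ok"


def check_peer_public_value(y, p, q):
    """Subgroup-membership test on the peer's value (one modexp); it needs
    q, so a client without q cannot spot a small-subgroup value at all."""
    return 1 < y < p - 1 and modexp(y, q, p) == 1


def check_safe_prime_without_q(p, g, rng, rounds=16):
    """Client that only gets {p, g}: recover q and primality-test both
    halves. About 2*rounds modexps, many times the DH exchange itself."""
    if p % 2 == 0:
        return False
    q = (p - 1) // 2
    if not (is_probable_prime(p, rounds, rng) and is_probable_prime(q, rounds, rng)):
        return False
    return check_params_with_q(p, q, g)[0]


def demo():
    global MODEXP_CALLS
    rng = random.Random(2024)  # constructed seed, reproducible parameters
    p, q = find_safe_prime(128, rng)
    g = 4  # a square, so it generates the order-q subgroup of a safe-prime group
    out = {"p": p, "q": q}
    MODEXP_CALLS = 0
    out["with_q"] = (check_params_with_q(p, q, g), MODEXP_CALLS)
    MODEXP_CALLS = 0
    out["without_q"] = (check_safe_prime_without_q(p, g, rng), MODEXP_CALLS)
    # Naive generator choices: p-1 has order 2 (every shared secret is +-1);
    # a generator of the whole group has order 2q and leaks the low bit of
    # the private exponent through the Legendre symbol.
    out["order_2_generator"] = check_params_with_q(p, q, p - 1)
    g_full = next(x for x in range(2, p) if pow(x, q, p) == p - 1)
    out["full_group_generator"] = check_params_with_q(p, q, g_full)
    # Peer values: one confined to the order-2 subgroup, one honest.
    out["bad_peer_value"] = check_peer_public_value(p - 1, p, q)
    out["good_peer_value"] = check_peer_public_value(pow(g, rng.randrange(2, q), p), p, q)
    return out
```

Running `demo()` shows the cost gap the thread is about: with q supplied the generator and peer-value checks cost one modexp each, while recovering q from p alone and primality-testing both halves costs dozens. The check that is cheap with q is the subgroup-order one; it does not establish that p or q is prime, so a client that distrusts the server's arithmetic entirely is back to the expensive path either way.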