[Cryptography] Chrome dropping DHE (was Re: [FORGED] Re: ratcheting DH strengths over time)
Perry E. Metzger
perry at piermont.com
Sat Nov 21 21:13:58 EST 2015
On Sat, 21 Nov 2015 15:40:46 -0500 Viktor Dukhovni
<cryptography at dukhovni.org> wrote:
>
> > On Nov 21, 2015, at 8:24 AM, Perry E. Metzger
> > <perry at piermont.com> wrote:
> >
> >> https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/dYyhKHPnrI0
> >
> > I can no longer recall (TLS mechanics are complicated), but is
> > there no less radical way to impose a minimum DHE group size?
>
> Nothing interoperable. Until TLS 1.3 (i.e. not at this time), the
> prime sizes are not negotiated. If the server chooses DHE, you
> either accept its prime or close the connection and retry without
> DHE.
I suspected. This is rather an unfortunate thing.
Generally, it is probably best if protocols impose a minimum common
security level between the key exchange, signature and symmetric
cipher portions of the system. If you're negotiating a 128 bit key
symmetric cipher, using a key exchange that provides only (say) a 70
bit equivalent of protection for the key exchange would seem like a
bad move, since it obviates much of the protection of the symmetric
cipher. The key exchange should never provide much less protection
than the symmetric cipher used...
Perry
--
Perry E. Metzger perry at piermont.com
More information about the cryptography
mailing list