[Cryptography] Chrome dropping DHE (was Re: [FORGED] Re: ratcheting DH strengths over time)

Phillip Hallam-Baker phill at hallambaker.com
Sun Nov 22 00:48:22 EST 2015


On Sat, Nov 21, 2015 at 9:13 PM, Perry E. Metzger <perry at piermont.com> wrote:
> On Sat, 21 Nov 2015 15:40:46 -0500 Viktor Dukhovni
> <cryptography at dukhovni.org> wrote:
>>
>> > On Nov 21, 2015, at 8:24 AM, Perry E. Metzger
>> > <perry at piermont.com> wrote:
>> >
>> >> https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/dYyhKHPnrI0
>> >
>> > I can no longer recall (TLS mechanics are complicated), but is
>> > there no less radical way to impose a minimum DHE group size?
>>
>> Nothing interoperable.  Until TLS 1.3 (i.e. not at this time), the
>> prime sizes are not negotiated.  If the server chooses DHE, you
>> either accept its prime or close the connection and retry without
>> DHE.
>
> I suspected. This is rather an unfortunate thing.
>
> Generally, it is probably best if protocols impose a minimum common
> security level between the key exchange, signature and symmetric
> cipher portions of the system. If you're negotiating a 128 bit key
> symmetric cipher, using a key exchange that provides only (say) a 70
> bit equivalent of protection for the key exchange would seem like a
> bad move, since it obviates much of the protection of the symmetric
> cipher. The key exchange should never provide much less protection
> than the symmetric cipher used...

Doing a DHE should never have reduced the effective security.

If the cert has an RSA2048 bit key, you should never have to get less
than RSA2048 bit security. Instead, the protocol was jiggered so that
the strong key negotiated with the cert is only used to authenticate
the ephemeral key and the result of the weaker exchange is used.

I am pretty sure that was an example of 'BULLRUN' in action.

We should insist it is fixed when we move to the CFRG ciphers.

Using a 1 bit ephemeral exchange with a 255 bit static ECC key should
mean you end up with 255 bits of static security and negligible
ephemeral and not negligible security.


The keys should be constructed using H ( StaticAgreed + Ephemeral ).
It is the obvious way to do it.
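
The H ( StaticAgreed + Ephemeral ) construction above, as an added example that is not part of the original post: the session key is hashed from both the static agreement and a deliberately weak ephemeral one, next to a key derived from the ephemeral exchange alone. The toy mod-p groups, SHA-256 as H, the fixed-width concatenation, the client's per-session key in the strong group and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions, not from the post): plain mod-p DH
# with a large prime for the static exchange and a tiny one for the ephemeral.
STRONG_P, STRONG_G = 2**255 - 19, 2
WEAK_P, WEAK_G = 65537, 3


def keypair(p, g):
    """Return (private, public) for mod-p Diffie-Hellman."""
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def fixed(n, p):
    """Fixed-width big-endian encoding so concatenated fields cannot shift."""
    return n.to_bytes((p.bit_length() + 7) // 8, "big")


def combine(static_agreed, ephemeral):
    """H(StaticAgreed + Ephemeral), with SHA-256 standing in for H."""
    data = fixed(static_agreed, STRONG_P) + fixed(ephemeral, WEAK_P)
    return hashlib.sha256(data).digest()


def ephemeral_only(ephemeral):
    """Key that depends on the weak exchange alone, for comparison."""
    return hashlib.sha256(fixed(ephemeral, WEAK_P)).digest()


def handshake():
    """Run both exchanges; return (client_view, server_view) of the secrets."""
    srv_static_priv, srv_static_pub = keypair(STRONG_P, STRONG_G)  # long-term
    cli_priv, cli_pub = keypair(STRONG_P, STRONG_G)                # per session
    srv_eph_priv, srv_eph_pub = keypair(WEAK_P, WEAK_G)
    cli_eph_priv, cli_eph_pub = keypair(WEAK_P, WEAK_G)
    client = (pow(srv_static_pub, cli_priv, STRONG_P), pow(srv_eph_pub, cli_eph_priv, WEAK_P))
    server = (pow(cli_pub, srv_static_priv, STRONG_P), pow(cli_eph_pub, srv_eph_priv, WEAK_P))
    return client, server


def search_weak_group(target, derive):
    """Try every possible weak-group secret; return the match or None."""
    for guess in range(1, WEAK_P):
        if derive(guess) == target:
            return guess
    return None
```

Searching the whole weak group recovers a key derived from the ephemeral secret alone, but finds nothing for the combined key unless the static agreement is also known.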

