[Cryptography] Chrome dropping DHE (was Re: [FORGED] Re: ratcheting DH strengths over time)
Bill Frantz
frantz at pwpconsult.com
Sun Nov 22 14:32:45 EST 2015
On 11/21/15 at 6:13 PM, perry at piermont.com (Perry E. Metzger) wrote:
>On Sat, 21 Nov 2015 15:40:46 -0500 Viktor Dukhovni
><cryptography at dukhovni.org> wrote:
>>
>>Nothing interoperable. Until TLS 1.3 (i.e. not at this time), the
>>prime sizes are not negotiated. If the server chooses DHE, you
>>either accept its prime or close the connection and retry without
>>DHE.
>
>I suspected. This is rather an unfortunate thing.
Yes, it is unfortunate. TLS 1.3 is shaping up to be a big
improvement over previous versions. The current roadmap has RFC
publication in late Q1 or early Q2 2016. One of the unsolved
issues is how to get quick, widespread, adoption.
>Generally, it is probably best if protocols impose a minimum common
>security level between the key exchange, signature and symmetric
>cipher portions of the system. If you're negotiating a 128 bit key
>symmetric cipher, using a key exchange that provides only (say) a 70
>bit equivalent of protection for the key exchange would seem like a
>bad move, since it obviates much of the protection of the symmetric
>cipher. The key exchange should never provide much less protection
>than the symmetric cipher used...
The security of a system should be judge by its weakest link.
However, it may make good engineering sense to have some links
considerably stronger if the costs are low. Then a successful
weakening of their security may still leave a satisfactory
safety margin.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | When it comes to the world | Periwinkle
(408)356-8506 | around us, is there any choice | 16345
Englewood Ave
www.pwpconsult.com | but to explore? - Lisa Randall | Los Gatos,
CA 95032
More information about the cryptography
mailing list