Re: [TLS] Sending Custom DHE Parameters in TLS 1.3

Mon, 12 Oct 2020 22:44:20 -0700 

On 2020-10-12 19:28, Ilari Liusvaara wrote:

On Mon, Oct 12, 2020 at 12:36:06PM -0400, Michael D'Errico wrote:


It appears that there may be a need to revert to the
old way of sending Diffie-Hellman parameters that
the server generates.  I see that TLS 1.3 removed
this capability*; is there any way to add it back?


The Diffie-Hellman support in TLS 1.2 is severly broken. There is no
way to use it safely on client side. This has lead to e.g., all the web
browers to remove support for it.



You have to excuse me, but there is a fair amount of noise in this 
group, and it is sometimes hard to find the information you are looking 
for, in past discussions held years or even decades ago.



But surely DHE support can't be considered broken at the protocol level, 
because the client can't confirm that the server implementation of DHE 
parameter generation isn't broken? There are gazillion of ways the 
server implementation might be broken, that the client has absolutely no 
way to test, regardless of which TLS protocol it supports. I do not 
think I have to go into details.



If I remember correctly, the problem was rather that some of the most 
common implementations had made a habit out of using poorly chosen 
parameters, and the automated security testing tools couldn't easily 
tell flawed servers, from servers that had fixed this issue. It wasn't 
really a protocol issue, but purely an implementation issue.


Correct me if I remember incorrectly.



There is no way to ensure that the parameters sent are not totally
broken, e.g.:

- Modulus too small.
- Modulus too large.
- Modulus not prime (has been used as a backdoor!).
- Modulus is weak (possibly backdoored).
- Subgroup order does not have large prime factor.

Even checking the third would require primality test, and primality
tests at relevant sizes are slow. And the fourth and fifth can not be
checked at all in general case.


For ECDHE, TLS 1.2 allowed server to specify custom curve to do the
key exchange with. Rightfully pretty much nobody implemented that.


I think TLS WG should withdraw recommendation (as flawed) on all
TLS_DHE_* ciphersuites.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls







Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls






















					Reply via email to