Internet Engineering Task Force D. Gillmor Internet-Draft ACLU Updates: 4492, 5246, 4346, 2246 (if March 28, 2015 approved) Intended status: Informational Expires: September 29, 2015 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS draft-ietf-tls-negotiated-ff-dhe-08 Abstract Traditional finite-field-based Diffie-Hellman (DH) key exchange during the TLS handshake suffers from a number of security, interoperability, and efficiency shortcomings. These shortcomings arise from lack of clarity about which DH group parameters TLS servers should offer and clients should accept. This document offers a solution to these shortcomings for compatible peers by using a section of the TLS "EC Named Curve Registry" to establish common finite-field DH parameters with known structure and a mechanism for peers to negotiate support for these groups. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 29, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Gillmor Expires September 29, 2015 [Page 1]
Internet-Draft Negotiated-FF-DHE-for-TLS March 2015 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.2. Vocabulary . . . . . . . . . . . . . . . . . . . . . . . 4 2. Named Group Overview . . . . . . . . . . . . . . . . . . . . 4 3. Client Behavior . . . . . . . . . . . . . . . . . . . . . . . 5 4. Server Behavior . . . . . . . . . . . . . . . . . . . . . . . 6 5. Optimizations . . . . . . . . . . . . . . . . . . . . . . . . 7 5.1. Checking the Peer's Public Key . . . . . . . . . . . . . 7 5.2. Short Exponents . . . . . . . . . . . . . . . . . . . . . 7 5.3. Table Acceleration . . . . . . . . . . . . . . . . . . . 8 6. Operational Considerations . . . . . . . . . . . . . . . . . 8 6.1. Preference Ordering . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9 9.1. Negotiation resistance to active attacks . . . . . . . . 10 9.2. Group strength considerations . . . . . . . . . . . . . . 11 9.3. Finite-Field DHE only . . . . . . . . . . . . . . . . . . 11 9.4. Deprecating weak groups . . . . . . . . . . . . . . . . . 11 9.5. Choice of groups . . . . . . . . . . . . . . . . . . . . 12 9.6. Timing attacks . . . . . . . . . . . . . . . . . . . . . 12 9.7. Replay attacks from non-negotiated FFDHE . . . . . . . . 12 9.8. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 13 9.9. False Start . . . . . . . . . . . . . . . . . . . . . . . 13 10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 14 10.1. Client fingerprinting . . . . . . . . . . . . . . . . . 14 11. References . . . . . . . . . . . . . . . . . . . . . . . . .