Peter Saint-Andre <stpeter@xxxxxxxxxx> writes:

>Hi Cullen, having looked more closely at the text that's already in 7525bis,
>I have a few questions inline...

Me too, specifically in regard to the "DHE negotiation is broken" comment. The draft says:

  However, TLS 1.2 implementations SHOULD NOT negotiate cipher suites based on ephemeral finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*" suites). This is justified by the known fragility of the construction (see [RACCOON])

Raccoon relies on reuse of ephemeral values. If a DH *Ephemeral* implementation reuses the ephemeral values it's not TLS_DHE_whatever any more, it's TLS_DH_whatever. So this isn't a valid criticism of DHE, since it's not DHE.

It's really not that hard to do DHE properly. The solution isn't to throw out all use of DHE [0] but to specify what to do to avoid doing DHE badly.

Peter.

[0] A problem all too common in crypto protocols: instead of specifying a few simple steps to fix this one we'll throw the whole thing out and invent a completely new one, and start again from scratch with a new set of flaws to discover over time.

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
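Added illustration in Python, written for this page and not part of the e-mail above or of any IETF draft. It shows the distinction the message draws: a finite-field DHE server that draws a fresh exponent for every handshake beside one that reuses its exponent (still advertised as TLS_DHE_* on the wire, but static DH in practice), plus a defender-side check that flags a server whose DH public value repeats across observed handshakes. The class name DHEServer, the host names fresh.example and reuse.example, and the 64-bit safe prime generated at run time are all constructed for the illustration; the group is a toy for speed, not a TLS-grade group such as an RFC 7919 one.

```python
import secrets
from collections import defaultdict

# Constructed toy group: a 64-bit safe prime p = 2q + 1 generated at run time so
# the script is fast and self-contained. A real endpoint uses a vetted named
# group; the arithmetic and the ephemeral/static distinction are the same.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Return (p, q, g): safe prime p = 2q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    while True:
        h = 2 + secrets.randbelow(p - 3)
        g = pow(h, 2, p)  # squaring lands in the order-q subgroup
        if g != 1:
            return p, q, g


def valid_public_value(y, p, q):
    """Peer-value check a careful DHE endpoint performs before exponentiating."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


class DHEServer:
    """Server half of a finite-field DHE exchange (constructed for this example).

    fresh_ephemeral=True draws a new exponent per handshake, which is what the
    'E' in DHE means. fresh_ephemeral=False keeps and reuses the first exponent:
    the wire still says TLS_DHE_*, but the server is doing static DH.
    """

    def __init__(self, p, q, g, fresh_ephemeral=True):
        self.p, self.q, self.g = p, q, g
        self.fresh_ephemeral = fresh_ephemeral
        self._x = None

    def server_key_exchange(self):
        """Return the server's DH public value Ys for one handshake."""
        if self.fresh_ephemeral or self._x is None:
            self._x = 1 + secrets.randbelow(self.q - 1)  # x in [1, q-1]
        return pow(self.g, self._x, self.p)

    def shared_secret(self, client_public):
        if not valid_public_value(client_public, self.p, self.q):
            raise ValueError("client DH public value is not in the expected subgroup")
        return pow(client_public, self._x, self.p)


def find_reused_public_values(records):
    """Flag servers whose DH public value repeats across observed handshakes.

    records: iterable of (server_name, server_dh_public_value) taken from
    ServerKeyExchange messages. Returns {server_name: {repeated values}}.
    A repeat means the exponent was reused, so the suite is DH, not DHE.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for server, ys in records:
        counts[server][ys] += 1
    return {server: {y for y, n in seen.items() if n > 1}
            for server, seen in counts.items()
            if any(n > 1 for n in seen.values())}


def run_demo(handshakes=20):
    """Simulate handshakes against a proper DHE server and a reusing one."""
    p, q, g = make_group()
    servers = {  # constructed host names
        "fresh.example": DHEServer(p, q, g, fresh_ephemeral=True),
        "reuse.example": DHEServer(p, q, g, fresh_ephemeral=False),
    }
    records = []
    for name, srv in servers.items():
        for _ in range(handshakes):
            ys = srv.server_key_exchange()
            xc = 1 + secrets.randbelow(q - 1)  # client side of the same handshake
            yc = pow(g, xc, p)
            assert valid_public_value(ys, p, q)
            assert srv.shared_secret(yc) == pow(ys, xc, p)
            records.append((name, ys))
    return find_reused_public_values(records)


if __name__ == "__main__":
    print(run_demo())
```

Running it reports only reuse.example, whose single repeated Ys is exactly the signature a passive observer of several handshakes can look for: a correctly implemented DHE server never shows the same public value twice, so a repeat is a direct sign that the "ephemeral" value is not ephemeral.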