On 8/3/22 12:07 AM, Peter Gutmann wrote:
Peter Saint-Andre <stpeter@xxxxxxxxxx> writes:
Hi Cullen, having looked more closely at the text that's already in 7525bis,
I have a few questions inline...
Me too, specifically in regard to the "DHE negotiation is broken" comment.
The draft says:
However, TLS 1.2 implementations SHOULD
NOT negotiate cipher suites based on ephemeral finite-field
Diffie-Hellman key agreement (i.e., "TLS_DHE_*" suites). This is
justified by the known fragility of the construction (see
[RACCOON])
Raccoon relies on reuse of ephemeral values. If a DH*Ephemeral*
implementation reuses the ephemeral values it's not TLS_DHE_whatever any more,
it's TLS_DH_whatever. So this isn't a valid criticism of DHE, since it's not
DHE.
It's really not that hard to do DHE properly. The solution isn't to throw out
all use of DHE [0] but to specify what to do to avoid doing DHE badly.
Given that we already discuss these matters in Section 7.4, I don't see
the need for additional text.
Peter
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call