Slashdot Mirror


TLS 1.3 Draft Prepares to Drop Static RSA Key Exchange

msm1267 (2804139) writes with a bit of news from last week that seems to have slipped under the radar. The IETF TLS working group has reached consensus on dropping static RSA cipher suites from TLS 1.3, instead requiring the use of Diffie-Hellman Exchange (or the faster elliptic curve variant). Static DH and not just ephemeral DH key exchange will be supported, so not all connections will have forward secrecy. The consensus is subject to change before the final TLS 1.3 specification is released, and there are still details to be worked out. The changes to the draft are pending as a git pull request.
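The summary's point that static DH connections lack forward secrecy, as an added example that is not part of the original story or the TLS draft: the same recorded handshake is replayed against a later leak of the server's long-term key, once with static DH and once with ephemeral DH. The group parameters `P` and `G` and all function names are assumptions chosen for illustration; the group is toy-sized and unsuitable for real use.

```python
import hashlib
import secrets

# Toy group for illustration only: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for Diffie-Hellman in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    """Derive a session key from the DH shared secret."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def handshake(server_longterm_priv, ephemeral):
    """Run one handshake; return (session key, what a passive recorder saw)."""
    client_priv, client_pub = keypair()
    if ephemeral:
        # Fresh server share per connection; the long-term key would only sign it.
        server_priv, server_pub = keypair()
    else:
        # Static DH: the long-term key itself is the server's DH share.
        server_priv = server_longterm_priv
        server_pub = pow(G, server_priv, P)
    key = session_key(client_priv, server_pub)
    assert key == session_key(server_priv, client_pub)  # both sides agree
    # client_priv (and server_priv in the ephemeral case) are discarded here.
    return key, {"client_pub": client_pub, "server_pub": server_pub}

def recover_from_leak(leaked_longterm_priv, transcript):
    """Key computable from a recorded transcript once the long-term key leaks."""
    return session_key(leaked_longterm_priv, transcript["client_pub"])

def demo():
    """Return (static session exposed?, ephemeral session exposed?)."""
    longterm_priv, _ = keypair()
    static_key, static_seen = handshake(longterm_priv, ephemeral=False)
    eph_key, eph_seen = handshake(longterm_priv, ephemeral=True)
    return (recover_from_leak(longterm_priv, static_seen) == static_key,
            recover_from_leak(longterm_priv, eph_seen) == eph_key)

if __name__ == "__main__":
    print(demo())
```
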


  1. Temporary RSA keys? by Anonymous Coward · · Score: 5, Insightful

    I've wondered why there isn't a protocol similar to what was used in SSH 1.x, where every x amount of time (default was ten minutes), there was a set of RSA keys generated and kept in memory, used for transactions (and signed with the permanent set of keys), then tossed.

    In theory, PFS should be the core of TLS... negotiate the protocol, use DH or the elliptic curve variant to hammer out a session key, re-negotiate the session key every so often, and in any case, toss the session key for good. Having a temporary set of RSA keys similar to SSH 1.x provides protection because it makes the permanent host keys essentially signing keys only, not used for encryption, so less data would be encrypted by those keys.

    1. Re:Temporary RSA keys? by goddidit · · Score: 2

      Generating RSA keys is more costly than, for example, ECDH keys. Checks for primality for the p and q are needed for it to be secure for RSA. In my understanding, any big enough integer is a valid DH private key.

      Static RSA would be nice for certain applications, since it is computationally cheaper to do for the client. Also, with DANE for instance, the same primitives can be used to check signatures. Yet, RSA might be costly in the future keylengths. For instance, some say that 256-bit symmetric keys are equivalent with 15k RSA keys.

      --
      This .sig is exactly 120 characters long.
  2. OpenSSL gets patch for another years old flaw by Anonymous Coward · · Score: 2, Informative

    In other news, OpenSSL gets a 4-year-old flaw patched. The catch here is that the bug was not only 4 years in the codebase, but it was publicly reported (CVE-2010-5298) for 4 years, without anyone taking the responsibility to fix it.

    OpenBSD developer Ted Unangst made a detailed report of the bug. It's not as severe as Heartbleed, but still allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.

    1. Re:OpenSSL gets patch for another years old flaw by just_another_sean · · Score: 2

      Yeah, I've been trying to keep up. It's heavy stuff and a little over my head sometimes but nevertheless very interesting (and sometimes very amusing).

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  3. Explained to a single digit year old by tepples · · Score: 2

    There are some things you want to share, and there are some things you don't want to share, which are called "private". And there are people in other countries who want to hurt you, who are called "terrorists". There's a part of the government called the NSA that looks at other people's private things in order to stop terrorists from hurting you. But some people don't like strange people looking at their private things.

    Sometimes you want to share your private things with other people you trust. One of the ways to make sure nobody else can see your private things is to use encryption. Encryption does complicated math problems on your private things. If something is encrypted, only the person you're sharing it with can see it because other people watching your Internet connection won't be able to solve the math problems. This involves another math problem called a "key exchange". A piece of software on your computer called a "crypto library" does encryption and key exchanges.

    What happened here is that some people think RSA, a company that makes key exchanges, was working with the NSA to help it look at your private things. And someone found a different solution to RSA's key exchange. That's why people who make a popular crypto library want to stop using RSA's key exchange.

    1. Re:Explained to a single digit year old by Anonymous Coward · · Score: 2, Informative

      Nice and simple language, but factually all wrong. This has nothing to do with the NSA or the RSA.

      The RSA in TFA is a cryptographic primitive. It should not be confused with the company RSA Security LLC, though both are named after the cryptographers Ron Rivest, Adi Shamir, and Len Adleman.

      RSA is not considered broken or backdoored, but has some disadvantages compared to elliptic curve based alternatives, including lack of forward secrecy, and long key lengths at high security levels.

  4. Re:Static DH is not better than Static RSA by bytesex · · Score: 2

    Are you purposely, or ignorantly, confusing RSA, the company, with RSA, the asymmetric cipher suite based on primes?

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  5. Re:wat by viperidaenz · · Score: 2

    Oh my god, where are your parents?