Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Negotiated FFDHE parameters #256

Merged
merged 12 commits into from
Nov 29, 2017
Merged

Negotiated FFDHE parameters #256

merged 12 commits into from
Nov 29, 2017

Conversation

ocheron
Copy link
Contributor

@ocheron ocheron commented Nov 24, 2017

After ECDH this is to improve validation in DH key exchange:

  • support for named FFDHE groups (RFC 7919), in addition to custom groups we have today
  • minimal validation of DH parameters (but which is enough when using named FFDHE groups)
  • optional client callback to implement policy about custom groups

When DHE params match a named group, internally module Crypto.IES is used and the
implementation generates short exponents as optimisation.

Unfortunately because of compatibility this means we get 3 sets of APIs with some redundancy:

  • Crypto.DH is used when groups are custom
  • Crypto.IES has new compatibility functions with data types like in Crypto.DH and removal of leading zeros (TLS <= 1.2)
  • Crypto.IES existing hybrid group functions are kept and extended with FFDH validation checks and use of short exponents, so they should still be usable for TLS 1.3

@ocheron
Use name containing "EC" when groups are elliptic curves
2e64864
@ocheron
Send finite-field groups in ClientHello extension
de99782
@ocheron
Minimal validation of DH parameters
d6c746e 
Adds the check related to dh_Ys explained in RFC 7919 section 3.

Client still accepts any custom group the server chooses.
@ocheron
Advise to use safe primes as DHE params
a2e9ec0
@ocheron
Also check DH parameters with IES
fc51559
@ocheron
Use short exponents in IES
421495b 
As precaution bit sizes are slightly larger than minimum described in
RFC 7919 appendix A.  What is used instead is next multiple of 16.
@ocheron
Prefer named FFDHE group when possible
54d0cdc 
This is server behavior from RFC 7919 section 4.

Now DHE ciphers do not need serverDHEParams when finite-field
groups are negotiated.
@ocheron
Test FFDHE groups
d08d5b3
@ocheron
Add callback to validate usage of custom FFDHE groups
a2d2c77 
This may be used:

* to reject all custom groups between peers compatible with RFC 7919

* to implement local policy about minimum/maximum group size
  or other properties
@ocheron
Use calculatePublic
102eab7
@ocheron
Use IES module when DHParams match a FFDHE group
ba4e837 
With short exponents this little overhead brings huge benefit when the
match is successful.
kazu-yamamoto
kazu-yamamoto approved these changes Nov 28, 2017
View reviewed changes
Copy link
Collaborator

@kazu-yamamoto kazu-yamamoto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For TLS 1.3, please define/export availableGroups (availableECGroups ++ availableFFGroups.
Except that, this PR looks good to me.

@ocheron
Copy link
Contributor Author

ocheron commented Nov 28, 2017

Thank you for reviewing, I've added availableGroups.
You can merge if you like or I'll do it in a few days.

For information in haskell-crypto/cryptonite#204 I put some measurements about the groups we have.

kazu-yamamoto added a commit to kazu-yamamoto/hs-tls that referenced this pull request Nov 29, 2017
@kazu-yamamoto
Merge PR haskell-tls#256.
06b49f1
@kazu-yamamoto kazu-yamamoto merged commit ad136c6 into haskell-tls:master Nov 29, 2017
@kazu-yamamoto
Copy link
Collaborator

I have confirmed that my tls13 branch on this works well. So, I have merged this PR.

@ocheron ocheron deleted the dhe-groups branch November 29, 2017 18:30
@ocheron ocheron mentioned this pull request Dec 6, 2017
Open
@kazu-yamamoto kazu-yamamoto mentioned this pull request Dec 11, 2017
Closed
15 tasks
@kazu-yamamoto kazu-yamamoto mentioned this pull request Sep 13, 2018
Closed
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kazu-yamamoto kazu-yamamoto kazu-yamamoto approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ocheron @kazu-yamamoto