draft-thomson-http-encryption-00 - Logjam

The end of Section 4.2 states:

"
   Specifications that rely on an Diffie-Hellman exchange for
   determining input keying material MUST either specify the parameters
   for Diffie-Hellman (group parameters, or curves and point format)
   that are used, or describe how those parameters are negotiated
   between sender and receiver.
"

As has been seen with IKEv1, having a specification determine explicit
parameters leads directly to it becoming vulnerable when that parameter
group is broken. See <https://weakdh.org/>.

I believe that should be changed to remove the requirement to specify an
exact group.

New text:
"
   Specifications that rely on a Diffie-Hellman exchange for
   determining input keying material MUST specify how the parameters
   for Diffie-Hellman (group parameters, or curves and point format)
   are negotiated between sender and receiver.
"

Security Considerations should probably also be updated to mention the
possibility of Logjam attack against weak parameter groups.

Amos

Received on Friday, 22 May 2015 08:49:36 UTC
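The post argues that a receiver should be able to refuse weak Diffie-Hellman parameters rather than being locked to one group by the specification. The following is an added example, not code from the post or from the draft, showing what the receiving side of such a negotiation can check before using an offered finite-field group: a policy minimum on the prime size (the 2048-bit default is an assumption here, not a value from the post), primality and safe-prime structure of p, that g generates the order-q subgroup, and that a peer's public value lies in that subgroup. The groups in the usage section are constructed toy values for illustration only; no real group is hard-coded.

```python
"""Receiver-side validation of offered Diffie-Hellman groups (added example, stdlib only)."""
import secrets

# Small primes used for quick trial division before Miller-Rabin.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; suitable for vetting peer-supplied primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # composite witness found
    return True


def check_dh_group(p: int, g: int, min_bits: int = 2048) -> list[str]:
    """Return a list of policy violations for the group (p, g); empty means acceptable.

    min_bits is a local policy choice (assumed default 2048), not a value from the draft.
    """
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"prime is {p.bit_length()} bits, policy minimum is {min_bits} bits")
    if not is_probable_prime(p):
        problems.append("p is not prime")
        return problems                       # further structural checks are meaningless
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("p is not a safe prime: q = (p-1)/2 is composite")
    if not 1 < g < p - 1:
        problems.append("generator g must satisfy 1 < g < p-1")
    elif pow(g, q, p) != 1:
        problems.append("g does not generate the order-q subgroup")
    return problems


def negotiate_group(offered, policy_min_bits: int = 2048):
    """Pick the first offered (name, p, g) group, in the offerer's preference order,
    that passes local policy; None means the exchange must be refused."""
    for name, p, g in offered:
        if not check_dh_group(p, g, policy_min_bits):
            return name
    return None


def check_peer_public(y: int, p: int) -> bool:
    """Accept a peer public value only if it lies in the order-q subgroup of a safe prime p
    (assumes g was already validated to generate that subgroup)."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


if __name__ == "__main__":
    # Constructed toy groups; real deployments would offer named 2048-bit-or-larger groups.
    weak_p = (1 << 1023) | 1                  # 1024-bit odd composite standing in for a weak group
    offered = [("toy-1024", weak_p, 2), ("tiny47", 47, 2), ("tiny23", 23, 2)]
    print("policy 2048 bits ->", negotiate_group(offered))          # None: refuse
    print("policy 5 bits (demo) ->", negotiate_group(offered, 5))   # tiny47
    print("problems with (23, 5):", check_dh_group(23, 5, 4))
```

With the realistic policy minimum every toy group is refused, which is the behaviour the post wants from a receiver instead of silently using whatever group the specification froze in place.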