[OWASP-cheat-sheets] ECDHE is better

Jim Manico jim.manico at owasp.org
Sat Jun 21 18:17:54 UTC 2014


Torsten,

(from another expert who shall remain nameless)

If your threat model includes the NSA -- which are suspected to be
behind the parameters of the NIST curves -- then you shouldn't be using TLS
in the first place. That line of thinking isn't very productive. 99.99% of
sites don't have the NSA as their adversary.

It's important to understand what you're defending against.

Some further points:

- I haven't seen any actual _evidence_ that the NIST curves are insecure.
They might or might not be (insecure), but you can't make decisions based
on speculation alone.

- Without ECDHE you're unlikely to have _any_ forward secrecy with
Microsoft platforms. SSL Labs warns about this for OWASP:

https://dev.ssllabs.com/ssltest/analyze.html?d=owasp.org&hideResults=on

- As a rule of thumb, resumption works 50% of the time.

- Curve 25519 is being added to TLS.

- OWASP's DH parameters are only 1024 DH bits, which is about 80 bits
of security. With ECDHE, you'd have super-strong 128 bits. That's a
fact, not speculation ;)

--
Jim Manico
@Manicode
(808) 652-3805

On Jun 19, 2014, at 5:01 PM, Torsten Gigler <torsten.gigler at owasp.org>
wrote:

 Hi Jim,

Thank you for forwarding the feedback.

Yes, DHE versus ECDHE is a very interesting part of the latest discussion, how
to set up Perfect Secrecy.
I have not found *any open Whitelist* saying this or that Elliptic Curve
defined for TLS and used by server and client implementations is secure (as
far as this can be proved today). I found only 4 Curves in
http://safecurves.cr.yp.to, that were all 4 marked *not* to be safe! From
those marked to be safe, I did not find any that match to the definitions
of TLS (RFC4492, Appendix A).

Do you see any possibility as OWASP to support research on this, or to
add Curves like Curve 25519 to the TLS standard?

As a conclusion for the cheat sheet, I do think to favor a slower and more
secure TLS Cipher over a faster and less secure one (ECDHE) as long as
there do not appear any new independently approved Elliptic Curves.
Additionally the disadvantage of the speed is concerning only the TLS
handshake. This happens only at the beginning of a SSL/TLS connection and if
necessary following renegotiation phases, *not* the Data Encryption itself.

I added a hint on this discussion, and a link to the Note about the CPU
usage to the wiki:

"* Favor DHE over ECDHE (and monitor the CPU usage, see Notes below), ECDHE
lacks now of really reliable Elliptic Curves, see discussion about
secp{224,256,384,521}r1 and secp256k1, cf. [2] <http://safecurves.cr.yp.to>,
[3]
<https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929>;
One solution might be to use Edwards Curves
<http://eprint.iacr.org/2007/286>. The most promising candidate is
'Curve25519' <https://tools.ietf.org/html/draft-josefsson-tls-curve25519-05>,
that is not yet defined for TLS, cf. IANA
<http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8>
...
*Notes:*
* ...**Monitor the performance of your server, e.g. the TLS handshake with
DHE hinders the CPU abt 2.4 times more than ECDHE, cf. Vincent Bernat, 2011
<http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>
."

Kind Regards
Torsten

PS: By the way: 'owasp.org' does not support any ECDHE ciphers at the
moment, the first 6 Ciphers for TLSv12 are DHE ones ;-)
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009E, DHE-RSA-AES128-GCM-SHA256       , DHE_RSA_WITH_AES_128_GCM_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009F, DHE-RSA-AES256-GCM-SHA384       , DHE_RSA_WITH_AES_256_GCM_SHA384
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000067, DHE-RSA-AES128-SHA256           , DHE_RSA_WITH_AES_128_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000033, DHE-RSA-AES128-SHA              , DHE_RSA_WITH_AES_128_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300006B, DHE-RSA-AES256-SHA256           , DHE_RSA_WITH_AES_256_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000039, DHE-RSA-AES256-SHA              , DHE_RSA_WITH_AES_256_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009C, AES128-GCM-SHA256               , RSA_WITH_AES_128_GCM_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009D, AES256-GCM-SHA384               , RSA_WITH_AES_256_GCM_SHA384
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300003C, AES128-SHA256                   , RSA_WITH_AES_128_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300002F, AES128-SHA                      , RSA_WITH_AES_128_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300003D, AES256-SHA256                   , RSA_WITH_AES_256_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000035, AES256-SHA                      , RSA_WITH_AES_256_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000005, RC4-SHA                         , RSA_RC4_128_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000088, DHE-RSA-CAMELLIA256-SHA         , DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000084, CAMELLIA256-SHA                 , RSA_WITH_CAMELLIA_256_CBC_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000045, DHE-RSA-CAMELLIA128-SHA         , DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000041, CAMELLIA128-SHA                 , RSA_WITH_CAMELLIA_128_CBC_SHA

If a commonly accepted cipher string is found, I'd suggest to set up
owasp.org as a reference installation ....

On 18.06.2014 10:33, Jim Manico wrote:

PS: ECDHE is _much_ faster and generally should be more secure.

(From Ivan)

--
Jim Manico
@Manicode
(808) 652-3805
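
Added example, not part of the original messages: a small Python check that reads cipher records in the column layout of the scan listing in the PS above and reports which key-exchange families give forward secrecy, the question the SSL Labs warning and the DHE/ECDHE debate both turn on. The host `example.test`, the function names and the sample records are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (hypothetical host) in the listing's 8-column
# layout; some are wrapped onto two lines the way the mail archive shows them.
SAMPLE = """\
example.test,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009E,
DHE-RSA-AES128-GCM-SHA256       , DHE_RSA_WITH_AES_128_GCM_SHA256
example.test,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000033, DHE-RSA-AES128-SHA, DHE_RSA_WITH_AES_128_SHA
example.test,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009C,
AES128-GCM-SHA256               , RSA_WITH_AES_128_GCM_SHA256
example.test,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000005,
RC4-SHA                         , RSA_RC4_128_SHA
"""

def parse_records(text):
    """Rejoin wrapped lines; return the OpenSSL suite names in server order."""
    names, buf = [], ""
    for line in text.splitlines():
        buf = f"{buf} {line.strip()}".strip()
        if not buf or buf.endswith(","):   # blank, or record continues on next line
            continue
        fields = [f.strip() for f in buf.split(",")]
        buf = ""
        if len(fields) == 8:               # skip anything that is not a full record
            names.append(fields[6])
    return names

def key_exchange(name):
    """Classify a TLS 1.2-era OpenSSL suite name by its key exchange."""
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith(("DHE-", "EDH-")):
        return "DHE"
    # Assumption: anything else is treated as not forward-secret (plain RSA key
    # transport, static (EC)DH); anonymous suites are not handled separately.
    return "static"

def forward_secrecy_report(text):
    names = parse_records(text)
    kx = [key_exchange(n) for n in names]
    counts = Counter(kx)
    return {
        "total": len(names),
        "counts": dict(counts),
        "first_choice": kx[0] if kx else None,
        # True when every forward-secret suite depends on the server's DH group
        "fs_only_via_dhe": counts["DHE"] > 0 and counts["ECDHE"] == 0,
        "rc4": [n for n in names if "RC4" in n],
    }

if __name__ == "__main__":
    print(forward_secrecy_report(SAMPLE))
```

When `fs_only_via_dhe` is true, forward secrecy rests entirely on the size of the server's DH parameters, which is the 1024-bit concern raised in the reply above.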