[Ach] favor DHE over ECDHE? (was: preference of curves in ECC - ECDSA, ECDH)

Torsten Gigler torsten.gigler at owasp.org
Mon Mar 10 10:21:15 CET 2014


Hi,

Probably you discussed this already, but I did not find it in the list:

What do you think about generally favoring DHE ciphers over ECDHE, as long
as it is not clear which EC curves are safe and available on clients and servers?
I also tried to prioritize them according to BSI TR-02102-2:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
...

I am thinking about suggesting this in our OWASP project 'Top 10 fuer
Entwickler' (OWASP: Top 10 fuer Entwickler-2013, Verteidigungs-Option 2a
gegen 'Verlust der Vertraulichkeit sensibler Daten'):
<https://www.owasp.org/index.php/Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten>

Any pros or cons?

Kind regards
Torsten

2014-03-09 20:37 GMT+01:00 Aaron Zauner <azet at azet.org>:

>
>
> Pepi Zawodsky wrote:
> > Actually secp256r1 and secp384r1 are supported in all clients that do ECC.
> Those are the mentioned NIST curves :)
>
> > So if we can really specify a list of ECC curves via OpenSSL that would
> > open a whole bunch of curves we can support server side. We'll need to test
> > this of course.
> The problem I see is with verifying the security of those curves. We do
> not have proper research to base any recommendation on. The safecurve
> stuff by Bernstein is nice, but we cannot only refer to one publication.
> Also he considers some of the curves to be "unsafe" although some of the
> mentioned issues might not have any practical relevance to the security
> of the mentioned curve when implemented.
>
> Dan Boneh (Stanford) also recently voiced concern about the NIST curves
> at RSA conference [sic!].
>
> Aaron
>
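
Added example (not part of the original message): the suite list above is given with IANA names, while OpenSSL-based servers are configured with OpenSSL's own names. The sketch below converts the 15 listed suites and rebuilds the proposed order from a sort key. The ordering rule in preference_key is inferred from the visible list only and is an assumption, as are all function names.

```python
import re

# Suites from the post, in the order proposed there (its list continues with "...").
PROPOSED = """
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
""".split()

SUITE_RE = re.compile(
    r"TLS_(DHE|ECDHE)_(RSA|ECDSA)_WITH_AES_(128|256)_(GCM|CBC)_(SHA\d*)")

def parse(name):
    """Split an IANA name into (key exchange, auth, AES bits, mode, hash)."""
    m = SUITE_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unsupported suite name: {name}")
    return m.groups()

def iana_to_openssl(name):
    """OpenSSL drops 'TLS', 'WITH' and 'CBC' and joins the rest with hyphens."""
    kx, auth, bits, mode, mac = parse(name)
    gcm = ["GCM"] if mode == "GCM" else []
    return "-".join([kx, auth, "AES" + bits] + gcm + [mac])

def preference_key(name):
    """Assumed rule: DHE first, then AES-256 before AES-128, SHA-1 MAC last,
    RSA before ECDSA, GCM before CBC."""
    kx, auth, bits, mode, mac = parse(name)
    return (kx != "DHE", -int(bits), mac == "SHA", auth != "RSA", mode != "GCM")

def openssl_cipher_string(names):
    """Colon-separated OpenSSL cipher string in the proposed preference order."""
    return ":".join(iana_to_openssl(n) for n in sorted(names, key=preference_key))

if __name__ == "__main__":
    print(openssl_cipher_string(PROPOSED))
```

The resulting string is in the format accepted by OpenSSL cipher-list settings, for example Python's ssl.SSLContext.set_ciphers(); the order only takes effect if the server is also configured to prefer its own cipher order.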