Make ssl_GetECGroupForServerSocket better

NEW
Unassigned

Status

NSS
Libraries
P3
normal
2 years ago
8 months ago

People

(Reporter: fkiefer, Unassigned)

Tracking

trunk

Firefox Tracking Flags

(Not tracked)

Details

ssl_GetECGroupForServerSocket current does the following

> Find the "weakest link".  Get the strength of the signature and symmetric
> keys and choose a curve based on the weakest of those two.

We shouldn't do this, i.e. we shouldn't reduce strength of the key exchange if the certificate key is weak. Instead we should make the curve strength dependent on the strength of the record protection.

Comment 1

2 years ago
But this would imply that I should use P521 with ChaCha, even though I use P256 with AES-128. That seems unfortunate.
(In reply to Eric Rescorla (:ekr) from comment #1)
> But this would imply that I should use P521 with ChaCha, even though I use
> P256 with AES-128. That seems unfortunate.

Yeah, I agree that's not ideal. But we have to find a better way to choose the right curve. From a crypto point something like P521 should go together with ChaCha. But if ChaCha is used only for better performance and not the additional security, something smaller than P521 should probably be allowed.
Considering that we only support 128-bit secure curves right now we don't pick a small curve only because the server cert is 2048 bit RSA. So maybe there's nothing to do here right now. But the algorithm we use here doesn't make me particularly happy.
Maybe we can try to be a little less mathematical.

if (256-bit cipher) {
  curve_min_bits = 384;
} else {
  curve_min_bits = 255;
}

The same logic might apply to FFDHE, substitute 3072 and 2048.  Yeah, those don't even come close in terms of strength, but we have to balance performance here.
(In reply to Martin Thomson [:mt:] from comment #3)
> Maybe we can try to be a little less mathematical.
> 
> if (256-bit cipher) {
>   curve_min_bits = 384;
> } else {
>   curve_min_bits = 255;
> }

This sounds reasonable to me. Unfortunately it breaks quite some tests, which makes me think that it might break more. In particular do we use P256 for AES256 but would force 384 with this approach. If it's really only fixing tests, that's fine with me. But I'm not sure if we wouldn't break compatibility with many other implementations.

Updated

8 months ago
Priority: -- → P3

Updated

8 months ago
Duplicate of this bug: 1236760
You need to log in before you can comment on or make changes to this bug.