diff options
author | Jack Lloyd <[email protected]> | 2016-12-28 14:04:20 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-12-28 14:04:20 -0500 |
commit | 3233498b1529f267eb1d76963cba25edbb3335e2 (patch) | |
tree | a8b5f3f29d8a19bcd552d2baa772b6ce288fab3c /doc/manual | |
parent | c26c554dde9d9a4f88f91764dc5dfa1416e152ff (diff) |
Add note about CECPQ1 in TLS manual
[ci skip]
Diffstat (limited to 'doc/manual')
-rw-r--r-- | doc/manual/tls.rst | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst index 16d8e4f08..77794657c 100644 --- a/doc/manual/tls.rst +++ b/doc/manual/tls.rst @@ -609,6 +609,22 @@ policy settings from a file. Default: "CECPQ1", "ECDH", "DH" + .. note:: + + CECPQ1 key exchange provides post-quantum security to the key exchange + by combining NewHope with a standard x25519 ECDH exchange. This prevents + an attacker, even one with a quantum computer, from later decrypting the + contents of a recorded TLS transcript. The NewHope algorithm is very + fast, but adds roughly 4 KiB of additional data transfer to every TLS + handshake. And even if NewHope ends up completely broken, the 'extra' + x25519 exchange secures the handshake. + + For applications where the additional data transfer size is unacceptable, + simply allow only ECDH key exchange in the application policy. DH + exchange also often involves transferring several additional Kb (without + the benefit of post quantum security) so if CECPQ1 is being disabled for + traffic overhread reasons, DH should also be avoid. + Also allowed: "RSA", "SRP_SHA", "ECDHE_PSK", "DHE_PSK", "PSK" .. note:: |