Re: [Int-dir] Intdir last call review of draft-ietf-tls-md5-sha1-deprecate-04

Ted Lemon <mellon@fugue.com> Sun, 01 November 2020 21:53 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: int-dir@ietfa.amsl.com
Delivered-To: int-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 800783A098D for <int-dir@ietfa.amsl.com>; Sun, 1 Nov 2020 13:53:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NO_DNS_FOR_FROM=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kwaOJ80X35E8 for <int-dir@ietfa.amsl.com>; Sun, 1 Nov 2020 13:53:45 -0800 (PST)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C23053A0985 for <int-dir@ietf.org>; Sun, 1 Nov 2020 13:53:45 -0800 (PST)
Received: by mail-qk1-x730.google.com with SMTP id p3so9981929qkk.7 for <int-dir@ietf.org>; Sun, 01 Nov 2020 13:53:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=ISk9KTcm6/gengRlF1KwFyjVyAi6oUB6TGo9fa5AfUM=; b=gXM9dlZ5tAP1WmRQy4j6P8G4hKKdNKXdq5ckIe5hrBtq4OK/r/dZI5VobqavOlBnbG 1OEkiduxY8v3t2wNmo9PH5I046fujWoZqKlhI9lmqDxCDwesJd0SpR1vI+KBzkk4LiOC 6zrpkKQV9wa9TDAnKdQEsK9wdz+cJS7ZLqmyD5sIbcOqucQz46VCRXbozFdf411KaPgv CeB6cFOO8IeGs1JkofIF7JJAxKE8ENTC43s+8AKQJQ4CGhDx3MdUlUyJajsEQxqdMy4e uDRoPQ/EARKOMw+OYIsAA92KqiQodSO0sCqFVAAwQ2p1U/e3G2oSdHfJCak+ADd5Jg2U FzNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=ISk9KTcm6/gengRlF1KwFyjVyAi6oUB6TGo9fa5AfUM=; b=EWeM+WamOmTz/FqqZm8iV2So9QrSApYJDuK+R2+kDsS1+D+5B5XrfY+fiWYO/XgLGy HFki1/v0+HoJpWLQ28XPUw+kF/0cHkeh9w2wgAF/L+OKUTiioQ/q/C06+6OsW4D38flw yB0lPok6iJLWGlkUOCoUAm+pobcIWqxv/seliH00d1ok2I7NnNv9mqCto/OoSNyaF7yX JAGpJdCpcE92CFW+675ZgGTwzf4ztmfN5zZ4Zhqnt2hh4U2oV81LTAyMBewzCKfCUr/R AGlcI7kt284hadaLVqoFZaya3EStUuSIg2qgl4/q3qVtMSOaXct2RAGeKI6vJoRVY22D Fqjw==
X-Gm-Message-State: AOAM530VnsK6Iiw+YOxJ2R+iWTAZNVX4VNJt2ol3OsilAiZsq/W9wNds crWPV5hhtmqrOR0yY85nSj3NNg==
X-Google-Smtp-Source: ABdhPJz0SZ9co57cb2Vvg2oVdcBJCLNrdR8H00bVzdsn/iLaF7ukFHwl6a6NheMdoyQ+spVkuWrr7g==
X-Received: by 2002:a37:6fc5:: with SMTP id k188mr12412992qkc.317.1604267624169; Sun, 01 Nov 2020 13:53:44 -0800 (PST)
Received: from [192.168.4.114] (c-24-91-177-160.hsd1.ma.comcast.net. [24.91.177.160]) by smtp.gmail.com with ESMTPSA id o187sm6646293qkb.120.2020.11.01.13.53.43 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 01 Nov 2020 13:53:43 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 1 Nov 2020 16:53:41 -0500
Message-Id: <558A253B-FB53-4B00-9C67-9DF7AA37C952@fugue.com>
References: <20201101180925.GR39170@kduck.mit.edu>
Cc: int-dir@ietf.org, last-call@ietf.org, draft-ietf-tls-md5-sha1-deprecate.all@ietf.org, tls@ietf.org
In-Reply-To: <20201101180925.GR39170@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: iPhone Mail (18B84)
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-dir/uOTfMO9SMvtn1eKSKFjxMbii46o>
Subject: Re: [Int-dir] Intdir last call review of draft-ietf-tls-md5-sha1-deprecate-04
X-BeenThere: int-dir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is for discussion between the members of the Internet Area directorate." <int-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-dir>, <mailto:int-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-dir/>
List-Post: <mailto:int-dir@ietf.org>
List-Help: <mailto:int-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-dir>, <mailto:int-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Nov 2020 21:53:48 -0000

FWIW my nit was simply that algorithms aren’t getting weaker: attacks are getting stronger. Sorry if I worded the suggested text badly. 

> On Nov 1, 2020, at 13:09, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> Hi Ted,
> 
> Thanks for the review, especially for thinking about the point that Éric
> requested.
> 
> I don't really agree with your nit, though, as there have been improved
> crypanalysis and correspondingly improved cryptographic attacks on both
> algorithms over time (SHA1 more recently than MD5).  Increased
> computational power to take advantage of those cryptographic weaknesses is
> certainly a factor in moving to deprecate the vulnerable algorithms, but it
> is not the only factor.
> 
> -Ben
> 
>> On Wed, Oct 28, 2020 at 08:56:13AM -0700, Ted Lemon via Datatracker wrote:
>> Reviewer: Ted Lemon
>> Review result: Ready with Nits
>> 
>> This document is ready for publication, with one minor nit, which is included
>> at the end.
>> 
>> Éric additionally made the following request:
>>  As those hash algorithms were 'cheap' for TLS, I would appreciate a review of
>>  the impact if those algorithms are deprecated in TLS 1.2.
>> 
>> I am not in a position to do any practical tests, but I will point out several
>> things. First, deprecating MD5 is not going to cause a performance problem
>> because it's slower than SHA1, so we really only need to worry about whether
>> deprecating SHA1 will cause a problem. This document only deprecates SHA1 for
>> use in digital signatures. It "does not deprecate SHA-1 in HMAC for record
>> protection." Given the way TLS uses digital signatures, this should not be a
>> serious concern. At worst case, SHA256 is about 24% slower than SHA1. Best case
>> (shorter text) it is less than 16% slower. It's reasonable to expect that in
>> common use in TLS, the texts being digested will be shorter, not longer.
>> Further, the bulk of the computational burden of TLS is not in the generation
>> of digests for digital signatures. Therefore it seems reasonable to expect that
>> the performance impact of this change is vastly overshadowed by one of the very
>> factors that motivates it: the increased speed of hash computation over time. 
>> Even assuming constant speed legacy hardware, the performance impact is not
>> sufficient to cause concern when considering it as part of the total system
>> that would be using TLS 1.2.
>> 
>> Nit:
>> 
>> In the abstract:
>>   The MD5 and SHA-1 hashing algorithms are steadily weakening in
>>   strength and their deprecation process should begin for their use in
>>   TLS 1.2 digital signatures.
>> 
>> Technically, the strength of these algorithms hasn't changed. What's changed is
>> that their strength is no longer sufficient to prevent realistic attacks. So it
>> might be better to say something like "The vulnerability of MD5 and SHA-1
>> algorithms to practical attacks is steadly increasing and ..."
>> 
>> 
>>