Re: [TLS] TLS 1.2 hash agility
Eric Rescorla <ekr@networkresonance.com> Mon, 17 September 2007 19:02 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IXLr8-0003rC-DC; Mon, 17 Sep 2007 15:02:02 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IXLr6-0003qn-8j for tls@ietf.org; Mon, 17 Sep 2007 15:02:00 -0400
Received: from [74.95.2.169] (helo=delta.rtfm.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IXLr5-0000Hm-FH for tls@ietf.org; Mon, 17 Sep 2007 15:02:00 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id 6E7CC33C3A; Mon, 17 Sep 2007 11:58:20 -0700 (PDT)
Date: Mon, 17 Sep 2007 11:58:20 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] TLS 1.2 hash agility
In-Reply-To: <46EC2AE7.9040903@pobox.com>
References: <46ABB82D.8090709@pobox.com> <46ACCCCB.8000201@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com> <20070914215611.0342933C21@delta.rtfm.com> <46EB102E.2070900@pobox.com> <20070914225606.9E9B433C21@delta.rtfm.com> <46EC2AE7.9040903@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20070917185820.6E7CC33C3A@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 7da5a831c477fb6ef97f379a05fb683c
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
At Sat, 15 Sep 2007 11:56:39 -0700, Mike wrote: > I have an idea. Change the Cert Hash Types extension to the Supported > Signature Algorithms extension, and allow the server to respond with > its supported algorithms (only if the client sends its list, of course). > > struct { > SignatureAlgorithm supported_algorithms<2..2^16-2>; > } SupportedSignatureAlgorithms; > > If the client doesn't send the extension, the server would assume the > client supports rsa_with_sha1, rsa_with_md5 (?), and dsa_with_sha1 > (and the appropriate ecdsa algorithms if an ECDSA cipher suite is > negotiated). Since the server can't send its list if the client > doesn't, the client must assume that the server only supports the same > list of algorithms. I don't see how this solves the major problem, which is that you are advertising your public key algorithm support in two places. - In the case of the ServerKeyExchange, the client signals his support in this extension *and* in the cipher suite. - In the case of the CertificateVerify, the server signals his support in the CertificateRequest and in this extension. Taking the ServerKeyExchange as the paradigmatic example, ISTM that we either need to rework the entire negotiation scheme, e.g., to create new cipher suites which specify also the digest used for signature, or just live with this duplication. The former seems superior. So, I propose we simply replace the HashTypes type with a signature algorithms type that specifies both hash algorithm and signature algorithm. As you suggest: struct { SignatureAlgorithm supported_algorithms<2..2^16-2>; } SupportedSignatureAlgorithms; This would go wherever HashTypes goes now. However, the interpretation rules need to be extremely clear, as below. CERTIFICATEREQUEST For signatures by the client (i.e., CertificateVerify and Certificate), the following rules apply: struct { ClientCertificateType certificate_types<1..2^8-1>; SignatureAlgorithm signature_types<1..2^16-1>; DistinguishedName certificate_authorities<0..2^16-1>; } CertificateRequest; - Any certificate offered by the client must be signed with an algorithm described in signature_types. - The certificate must contain a public key with an algorithm specified in certificate_types. - The CertificateVerify must be signed with a signature algorithm in signature_types. Consider the following examples: (1) certificate_types = rsa_sign signature_types = rsa_sha1, rsa_sha256 In this case: - The client's certificate must be signed with rsa_sha1 or rsa_sha256 - The client must sign with either rsa_sha1 or rsa_sha256 (2) certificate_types = rsa_sign signature_types = rsa_sha1, rsa_sha256, dsa_sha1 In this case: - The client's certificate must be signed with rsa_sha1 or rsa_sha256, or dsa_sha1 - The client must sign with rsa_sha1 or rsa_sha256, but NOT DSA (3) certificate_types = rsa_sign, dsa_sign signature_types = rsa_sha1, rsa_sha256 In this case: - The client's certificate must be signed with rsa_sha1 or rsa_sha256 - The client must sign with either rsa_sha1 or rsa_sha256 Note that even though the server advertised dsa, it didn't advertise any hashes so it's not actually usable. SIGNATUREALGORITHMS As you suggest, the client would offer a SignatureAlgorithms extension. The rules would be similar: - Any certificate offered by the server must be signed with an algorithm described in signature_types. - The certificate key must contain a public key which has an algorithm that matches the cipher suite, either for signing (in the case of cipher suites which have it) or encryption (in the case of cipher suites which don't). - The ServerKeyExchange must be signed with an algorithm that matches signature_types. Examples: (1) cipher suite = TLS_RSA_WITH_AES_128_CBC_SHA signature_types = rsa_sha1, rsa_sha256 In this case: - The server's certificate must be signed with rsa_sha1 or rsa_sha256 - The server's certificate must contain an RSA key. (2) cipher suite = TLS_RSA_DHE_WITH_AES_128_CBC_SHA signature_types = rsa_sha1, rsa_sha256 - The server's certificate must be signed with rsa_sha1 or rsa_sha256 - The server's certificate must contain an RSA key. - The ServerKeyExchange MUST be signed with rsa_sha1 or rsa_sha256 -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] TLS 1.2 Eric Rescorla
- Re: [TLS] TLS 1.2 Steven M. Bellovin
- Re: [TLS] TLS 1.2 Peter Gutmann
- Re: [TLS] TLS 1.2 Steven M. Bellovin
- Re: [TLS] TLS 1.2 Bodo Moeller
- [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 MAC calculation Mike
- Antwort: [TLS] TLS 1.2 MAC calculation Axel.Heider
- Re: Antwort: [TLS] TLS 1.2 MAC calculation Bodo Moeller
- Re: [TLS] TLS 1.2 interoperating Mike
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- RE: [TLS] TLS 1.2 hash agility Russ Housley
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen