Re: [TLS] No cypher overlap
mrex@sap.com (Martin Rex) Sun, 02 August 2015 14:35 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 477151A8761 for <tls@ietfa.amsl.com>; Sun, 2 Aug 2015 07:35:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.651
X-Spam-Level:
X-Spam-Status: No, score=-4.651 tagged_above=-999 required=5 tests=[HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FPLYd4iuhgnH for <tls@ietfa.amsl.com>; Sun, 2 Aug 2015 07:35:46 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27F391A1B77 for <tls@ietf.org>; Sun, 2 Aug 2015 07:35:45 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 1F36D44796; Sun, 2 Aug 2015 16:35:43 +0200 (CEST)
X-purgate-ID: 152705::1438526143-0000413A-71D365DC/0/0
X-purgate-size: 2481
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 10F8A40A23; Sun, 2 Aug 2015 16:35:43 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 05C621A21C; Sun, 2 Aug 2015 16:35:43 +0200 (CEST)
In-Reply-To: <87wpxezoz1.fsf@mid.deneb.enyo.de>
To: Florian Weimer <fw@deneb.enyo.de>
Date: Sun, 02 Aug 2015 16:35:42 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150802143543.05C621A21C@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/1AEpG8gcwG0rGpvXjA_QcfoACis>
Cc: tls@ietf.org
Subject: Re: [TLS] No cypher overlap
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Aug 2015 14:35:48 -0000
Florian Weimer wrote: > * Viktor Dukhovni: > >> In that case, it should be said that a client MUST NOT advertise >> TLS 1.3 unless it offers at least one of the TLS 1.3 MTI ciphers >> (or perhaps less restrictive at least one TLS 1.3 compatible cipher). > > Or the server should negotiate TLS 1.2 instead. > > Servers should already do something similar today: For an > extension-less TLS 1.2 handshake, they should negotiate TLS 1.1 > instead, to get a stronger PRF. The facts and reasoning in this short statement is flawed. The TLSv1.2 PRF uses SHA256 throughout, and the hash of the PRF in TLS is *NOT* negotiated through extensions, but through TLS cipher suites (which do not need extensions). TLSv1.2 has exactly one mandatory to implement ciphersuite: https://tools.ietf.org/html/rfc5246#section-9 TLS_RSA_WITH_AES_128_CBC_SHA and this cipher suite works perfectly fine without TLS extensions, and will be used with a SHA-1 PRF for TLSv1.0 & TLSv1.1 and with a SHA-256 PRF with TLSv1.2. The highest security level (in the NIST SP800-57 part1 sense) that you can get with this cipher suite is the equivalent of 128-bit -- but that requires that you use server certificates with RSA keys of at least 3072-bit. The most commonly used server certificates today use 2048-bit RSA keys and limit the security to 112-bit. The use of a SHA-1 PRF in TLSv1.0 and TLSv1.1 is perfectly OK with NIST SP800-57 part1 for 128-bit security. The "weakness" of extension-less TLSv1.2 affects only the the weakened digitally-signed transform and the behaviour suggested in rfc5246 section 7.4.1.4.1 for the absence of the signature_algorithms extension, and the incredibly behaviour that some implementations exhibit. In the history of TLS RFCs there are two examples of completely botched descriptions of default behaviour for a TLS extension when it is not sent. The first extreme is in the informational document rfc4492 (TLS cipher suites with Elliptic Curves), where it says, when the extension is absent, assume that the peer supports *EVERYTHING*. The opposite extreme nonsense is what TLSv1.2 describes for the TLSv1.2 signature extension when the extension is not sent, because it suggest a braindead self-limitation to an algorithm that had already been deprecated and end-of-lifed with only 2 years left when TLSv1.2 was published, and no such limitation exists in earlier TLS versions. -Martin
- [TLS] No cypher overlap (was: ban more old crap) Hubert Kario
- Re: [TLS] No cypher overlap (was: ban more old cr… Viktor Dukhovni
- Re: [TLS] No cypher overlap (was: ban more old cr… Hubert Kario
- Re: [TLS] No cypher overlap Florian Weimer
- Re: [TLS] No cypher overlap Florian Weimer
- Re: [TLS] No cypher overlap Martin Rex
- Re: [TLS] No cypher overlap Hubert Kario
- Re: [TLS] No cypher overlap Simon Josefsson