[TLS] Re: TLS 1.2 hash agility (Mike)
"Mark Tillinghast" <Mark_Tillinghast@symantec.com> Mon, 17 September 2007 20:24 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IXN9N-0000D0-MP; Mon, 17 Sep 2007 16:24:57 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IXN9M-0000B8-N3 for tls@lists.ietf.org; Mon, 17 Sep 2007 16:24:56 -0400
Received: from extu-mxob-1.symantec.com ([216.10.194.28]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IXN9G-0000Pq-C0 for tls@lists.ietf.org; Mon, 17 Sep 2007 16:24:56 -0400
Received: from tus1opsmtapin01.ges.symantec.com (tus1opsmtapin01.ges.symantec.com [192.168.214.43]) by extu-mxob-1.symantec.com (8.14.1/8.14.1) with ESMTP id l8HKOUrP027095 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <tls@lists.ietf.org>; Mon, 17 Sep 2007 13:24:35 -0700
Received: from reserved-155-64-230-19.ges.symantec.com ([155.64.230.19] helo=TUS1XCHECNPIN02.enterprise.veritas.com) by tus1opsmtapin01.ges.symantec.com with esmtp (Exim 4.67) (envelope-from <Mark_Tillinghast@symantec.com>) id 1IXN8m-0002RB-L1 for tls@lists.ietf.org; Mon, 17 Sep 2007 13:24:20 -0700
Received: from TUS1XCHEVSPIN02.enterprise.veritas.com ([155.64.230.42]) by TUS1XCHECNPIN02.enterprise.veritas.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 17 Sep 2007 13:24:20 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 17 Sep 2007 13:24:19 -0700
Message-ID: <1D526804BA83A2459C60E28CA73ABD9002252473@TUS1XCHCLUPIN03.enterprise.veritas.com>
In-Reply-To: <E1IWwXa-0008Tu-EV@megatron.ietf.org>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: TLS 1.2 hash agility (Mike)
Thread-Index: Acf4erGVxQcYi1imQGmbblMxq5f7GAA7LwNg
From: Mark Tillinghast <Mark_Tillinghast@symantec.com>
To: tls@lists.ietf.org
X-OriginalArrivalTime: 17 Sep 2007 20:24:20.0181 (UTC) FILETIME=[BA5B5050:01C7F968]
X-Spam-Score: -2.3 (--)
X-Scan-Signature: 3fbd9b434023f8abfcb1532abaec7a21
Subject: [TLS] Re: TLS 1.2 hash agility (Mike)
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
I must admit that I have no clean solution, but to continue to accept as default that which is demonstrably broken seems a bad idea. A client that supports FORWARD LOOKING SECURITY is a client that requires requires "better" algorithms than MD5 and SHA-1. A client that supports FORWARD LOOKING SECURITY MUST abort the session if it doesn't receive the extension in the ServerHello, or if the list doesn't contain an acceptable algorithm. Make FORWARD LOOKING SECURITY optional, but there is at least one profile in which it is mandatory. Mark -----Original Message----- From: tls-request@lists.ietf.org [mailto:tls-request@lists.ietf.org] Sent: Sunday, September 16, 2007 09:00 To: tls@lists.ietf.org Subject: TLS Digest, Vol 38, Issue 11 Send TLS mailing list submissions to tls@lists.ietf.org To subscribe or unsubscribe via the World Wide Web, visit https://www1.ietf.org/mailman/listinfo/tls or, via email, send a message with subject or body 'help' to tls-request@lists.ietf.org You can reach the person managing the list at tls-owner@lists.ietf.org When replying, please edit your Subject line so it is more specific than "Re: Contents of TLS digest..." Today's Topics: 1. Re: TLS 1.2 hash agility (Mike) 2. RE: Issue 49: Finished.verify length (Pasi.Eronen@nokia.com) ---------------------------------------------------------------------- Message: 1 Date: Sat, 15 Sep 2007 11:56:39 -0700 From: Mike <mike-list@pobox.com> Subject: Re: [TLS] TLS 1.2 hash agility To: tls@ietf.org Message-ID: <46EC2AE7.9040903@pobox.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed I have an idea. Change the Cert Hash Types extension to the Supported Signature Algorithms extension, and allow the server to respond with its supported algorithms (only if the client sends its list, of course). struct { SignatureAlgorithm supported_algorithms<2..2^16-2>; } SupportedSignatureAlgorithms; If the client doesn't send the extension, the server would assume the client supports rsa_with_sha1, rsa_with_md5 (?), and dsa_with_sha1 (and the appropriate ecdsa algorithms if an ECDSA cipher suite is negotiated). Since the server can't send its list if the client doesn't, the client must assume that the server only supports the same list of algorithms. If the client sends its list, and the server doesn't respond with the extension, the client must assume that the server only supports the algorithms mentioned above. A client that requires better algorithms than MD5 and SHA-1, can abort the session if it doesn't receive the extension in the ServerHello, or if the list doesn't contain an acceptable algorithm. You can remove the HashType list from the CertificateRequest message since it is handled by the server's SupportedSignatureAlgorithms extension. The client also chooses a certificate signed with a listed algorithm. If the Signature becomes (as Pasi suggested): struct { SignatureAlgorithm signature_algorithm; opaque signature_value<0..2^16-1>; } Signature; we'd also need to add a null signature algorithm: enum { null(0), rsa_with_md5(1), rsa_with_sha1(2), rsa_with_sha256(3), rsa_with_sha384(4), rsa_with_sha512(5), dsa_with_sha1(6), (65535) } SignatureAlgorithm; for use with anonymous exchanges. Mike ------------------------------ Message: 2 Date: Sun, 16 Sep 2007 11:36:20 +0300 From: <Pasi.Eronen@nokia.com> Subject: RE: [TLS] Issue 49: Finished.verify length To: <ekr@networkresonance.com> Cc: tls@ietf.org Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2404966DF0@esebe105.NOE.Nokia.com> Content-Type: text/plain; charset="us-ascii" Eric Rescorla wrote: > OK, I see where you're going with this, but I'm not sure it > requires us to do anything now. If we're confronted with such a > cipher suite, we can just have the document Update TLS 1.2, since > it would only be applicable to that new cipher suite. I don't > think this needs a version revision. > > Unless you're proposing making this a variable length vector, > whcih seems like a bad idea, since it should be defined in the > cipher suite. Yes, the length should be defined by the cipher suite, but I'd like to avoid the "Updates: TLS 1.2" part (in general, ciphersuites shouldn't need that). And we could avoid that by changing the wire encoding to a variable-length vector now, i.e. change struct { opaque verify_data[12]; } Finished; to struct { opaque verify_data<0..255>; } Finished; (And say that the verify_data length is 12 octets unless explicitly specified otherwise by the ciphersuite) Best regards, Pasi ------------------------------ _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls End of TLS Digest, Vol 38, Issue 11 *********************************** _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Re: TLS 1.2 hash agility (Mike) Mark Tillinghast