IETF Logo Mail Archive

Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client

"Kyle Hamilton" <aerowolf@gmail.com> Mon, 21 February 2011 00:35 UTC

Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 80E383A6CC3 for <tls@core3.amsl.com>; Sun, 20 Feb 2011 16:35:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.546
X-Spam-Level:
X-Spam-Status: No, score=-1.546 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, MIME_BASE64_TEXT=1.753, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TppKOJZnZpth for <tls@core3.amsl.com>; Sun, 20 Feb 2011 16:35:21 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id 245003A6CF5 for <tls@ietf.org>; Sun, 20 Feb 2011 16:35:21 -0800 (PST)
Received: by gyc15 with SMTP id 15so511967gyc.31 for <tls@ietf.org>; Sun, 20 Feb 2011 16:36:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:from:to:cc:date:message-id:subject:in-reply-to :references:mime-version:content-type; bh=/u8S5mf0uwpt84Uok6SxeM8oTlv/EWdTonntX/bwZ1E=; b=BBaiCTnyqib+32UML6w3rYF8KET4yJvUK5+o7SRy7Jx+bpVA+oYM8vGxcTpKOiIVXv 0QtCJoyfTubpjIA6yn/GNCODPpe7sLzvcQUT+1tZntWu7uQa5FFhuxMaQr23XMpdjkJu U95N8SlnpiIHR/ejyBJTP1mWD4lvo1SCDdFDQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:cc:date:message-id:subject:in-reply-to:references :mime-version:content-type; b=qc5kMWjBcyWkjNLDk/WluaUfqvK+4NNKLJ7/M7Xb6FwG+pdo0b+FsZ8yNlrqRq2OoP LFivRlzloukhipJ9RrUpc9jiDtSg6Hnb26vyGXgpVXp0aZ4hxXr4Fs+6UWpEOKOwYkgA qgyb/ym+OK59trQESdZCyLbJYPbULQiDrqgKs=
Received: by 10.100.46.13 with SMTP id t13mr354405ant.116.1298248560927; Sun, 20 Feb 2011 16:36:00 -0800 (PST)
Received: from [127.0.0.1] (c-71-202-74-146.hsd1.ca.comcast.net [71.202.74.146]) by mx.google.com with ESMTPS id c7sm5989550ana.17.2011.02.20.16.35.58 (version=SSLv3 cipher=OTHER); Sun, 20 Feb 2011 16:35:59 -0800 (PST)
From: Kyle Hamilton <aerowolf@gmail.com>
To: Juho Vähä-Herttua <juhovh@iki.fi>
Date: Sun, 20 Feb 2011 16:36:07 -0800
Message-ID: <gkenods8sa0ezu8850jezwJv4X.penango@mail.gmail.com>
In-Reply-To: <201102181928.p1IJSThD006475@fs4113.wdf.sap.corp>
References: <AANLkTikNYQ2h=fLnwscf-d=CfQoFoH0bZ9_MAnLNX86J@mail.gmail.com> from "Eric Rescorla" at Feb 17, 11 12:54:35 pm <201102181928.p1IJSThD006475@fs4113.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; charset="x-user-defined"; boundary="gmsm1.6.0eqgkenoduk8a7ejtvfzc2"
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Feb 2011 00:35:23 -0000


On Fri, Feb 18, 2011 at 2:39 PM, Juho Vähä-Herttua <juhovh@iki.fi> wrote:
> On 18.2.2011, at 21.28, Martin Rex wrote:
> Forcing the TLS implementation to buffer all handshake messages is one thing that probably a performance problem in TLSv1.2, but it's not a compatibility issue and as someone said fixing it would require releasing TLSv1.3. However I don't see ANY sensible reasons why TLS would care about which signature algorithm is used for signing the actual certificate. As long as the certificate contains the keys necessary to sign the key exchange it should be fine just like it was before.

Because TLS is the layer where communications policies are negotiated.  The client is informing the server that (e.g.) it doesn't accept MD5 as a valid hash algorithm for realtime communication.  If it doesn't accept it for realtime communication, there is also no reason to accept it for an offline proof -- because an attacker has that much more time to find a preimage.

> Yes, it might be possible for a client to for example only support one single hash and one single signature algorithm, which is most likely a combination included in signature_algorithms. In that case, I would support that the server SHOULD choose the certificate chain according to the sent signature_algorithms if possible. However if there is no such certificate chain available, it MUST continue the handshake by sending some valid certificate. The server has no way to know if the client can verify certificate chains outside the defined TLS signature algorithms, therefore it would be plain stupid for the server to abort the handshake just because it has a certificate which is signed with an algorithm not supported by TLS. (especially if both sides can handle it)

Two reasons why this is inappropriate.  First, if the server doesn't have a certificate chain the client will accept, it doesn't need to waste the bandwidth (it doesn't need to broadcast the server's details to someone who won't accept them anyway).  Second, TLS already specifies a valid unauthenticated mode.  The only reason why unauthenticated modes are unpopular is because of the commonly-held view of "if you don't know who you're talking to, what's the point?"

-Kyle H

v2.23.0 | Report a Bug | By Email