IETF Logo Mail Archive

Re: [TLS] Adam Roach's No Objection on draft-ietf-tls-ecdhe-psk-aead-04: (with COMMENT)

Daniel Migault <daniel.migault@ericsson.com> Wed, 24 May 2017 12:39 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2060C129AE5; Wed, 24 May 2017 05:39:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Level:
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YE8M_MDoMh1Y; Wed, 24 May 2017 05:39:10 -0700 (PDT)
Received: from mail-lf0-x234.google.com (mail-lf0-x234.google.com [IPv6:2a00:1450:4010:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEE42129AD0; Wed, 24 May 2017 05:39:09 -0700 (PDT)
Received: by mail-lf0-x234.google.com with SMTP id m18so66699158lfj.0; Wed, 24 May 2017 05:39:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=qjaGb39B3jm7ADS27tVPHiL0doItOTMWjzosMz+z654=; b=Hp4RG6eKRqmKhHeczdnRO8xPdQyLI+uKouU7TlQLy6NQrhS8RcijV1yGQCG3Xp2iL0 JS+wMmobIdEfI5vvaZRCNikOmRErWVB08/Effdt5o9nuoZgevn5tw+i6F2qfeIOJLq1G 0Slvc7Kvx/qltHdViHSVvV+ZB/AGy+y2G7nmLFAyMUb6GN1cIUEn+LNHkRfKcxASzf+c gIhB4U5gq6ruXfgiX8AqVl6LswSyfM3KQ5qmv0CQvFswXiWcUoinWb6Tgoz0qoKyQ8bf CsHQFdR8Z3bRDq2+zmFJP9NG1AdCcRnRpatuzLnz+eG+DtQPcMirVK7Ia0X3GzoO6dG8 V4hA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=qjaGb39B3jm7ADS27tVPHiL0doItOTMWjzosMz+z654=; b=LgXWHvGiDKo6ImH4XNr5EoP9ixJoqIh6+Dw0qjjfEBtk7p8sgxgpRn9LbZa3cPqzQG 8hVOtHtaFtFxTkUQ1G/F0Xa5DjyaixgHXtzwTkjzv7weWPmT4b8EvWJXnharLmW6fOAf WH/sabUgt5dfR2vbAfmE26fY/EY9HYKc8yYt+D1P69gl2FV2gxSAlGvXOTiHd3CKLBQp 2If2EPG4YQvvsWfn31ARbcof6Ngx9Moog2HlK9z5ZQK3qJjboPja6PpTVQmdl/YbH1he e4FeYWAPDSUEgCF3Zk//fiIgsP8Jx9tPEEdPkU/TOGOemfXdR0J3I6Wn3RJM95Anzkvb Mjmg==
X-Gm-Message-State: AODbwcDlfKNY7C3LwukuCurAOZ69kpV28Vaq057ZNWMGJMjMa9TEy0Vo lvZUNNi+eHcJ4B5XHJxuqsN3Eusk2g==
X-Received: by 10.46.76.1 with SMTP id z1mr8591744lja.128.1495629548100; Wed, 24 May 2017 05:39:08 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.46.0.14 with HTTP; Wed, 24 May 2017 05:39:07 -0700 (PDT)
In-Reply-To: <25caac84-190f-cc51-848b-a7b2e9ee6f17@nostrum.com>
References: <149556730804.28545.6150805815075208815.idtracker@ietfa.amsl.com> <20170523193453.CF9761A6A6@ld9781.wdf.sap.corp> <CADZyTkngnUCNOrTJTd7Se+8seghnfE3DXBTbj1s3mw4Nt09Yjg@mail.gmail.com> <CABkgnnVg=ex5nP6qexprE=jU49nOgPSZj41yeXuZMVo9H9zXSA@mail.gmail.com> <CADZyTk=9dLstaUZHmx6OT3FTweQ4DCzgGjMJD_w1CSNdAajoyQ@mail.gmail.com> <25caac84-190f-cc51-848b-a7b2e9ee6f17@nostrum.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Wed, 24 May 2017 08:39:07 -0400
X-Google-Sender-Auth: wVnDrCUvjuArklceyHyhx5cFCjg
Message-ID: <CADZyTkk9Bkd3+Ai+edS1-rP+vN3tYik+2rMAOMWRuGovfFc=Kg@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, "mrex@sap.com" <mrex@sap.com>, tls-chairs <tls-chairs@ietf.org>, draft-ietf-tls-ecdhe-psk-aead@ietf.org, The IESG <iesg@ietf.org>, tls <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045ea6daee24d60550446397"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5-gV56uNItWUyv2flljV2lGwn3o>
Subject: Re: [TLS] Adam Roach's No Objection on draft-ietf-tls-ecdhe-psk-aead-04: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 12:39:12 -0000

Hi Adam,

The text you mention is from version 04. Version 05 has been submitted, but
is somewhere in the datatracker. For some reason I am not able to confirm
the submission, so I have attached it to my response to Eric. The text of
the current version 05 is:

Yours,
Daniel
"""
4.     Applicable TLS Versions

   The cipher suites defined in this document MUST NOT be negotiated for
   any version of (D)TLS other than TLS 1.2.  Clients MUST NOT offer one
   of these cipher suites with a (D)TLS version that differs from TLS
   1.2.  Servers MUST NOT select one of these cipher suites with a TLS
   version that differs from TLS 1.2.  A client MUST treat the selection
   of these cipher suites in combination with a version of TLS as an
   error and generate a fatal 'illegal_parameter' TLS alert.




Mattsson & Migault      Expires November 24, 2017               [Page 3]
^L
Internet-Draft               ECDHE_PSK_AEAD                     May 2017


   TLS version 1.3 and later negotiate these features in a different
   manner.  Unlike TLS 1.2, TLS 1.3 separates authentication and cipher
   suite negotiation [I-D.ietf-tls-tls13] Section 1.2.  TLS 1.3 supports
   PSK with ECDHE key exchange and the cipher suites
   TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
   TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are part of the
   specification.  As a result, TLS 1.3 and higher versions, negotiate
   and support these cipher suites in a different way.

   The cipher suites defined in this document make use of the
   authenticated encryption with additional data (AEAD) defined in TLS
   1.2 [RFC5246] and DTLS 1.2 [RFC6347].  Earlier versions of TLS do not
   have support for AEAD and consequently, the cipher suites defined in
   this document MUST NOT be negotiated in TLS versions prior to 1.2.
   In addition, it is worth noting that TLS 1.0 [RFC2246] and TLS 1.2
   [RFC4346] split the pre-master into two parts.  The PRF results from
   mixing the two pseudorandom streams with distinct hash functions (MD5
   and SHA-1) by exclusive-ORing them together.  In the case of
   ECDHE_PSK authentication, the PSK and ECDHE shared secret are treated
   by distinct hash function with distinct properties.  This may
   introduce vulnerabilities over the expected security provided by the
   constructed pre-master.  As such, all ECDHE_PSK ciphers, including
   those defined in this document, SHOULD NOT be negotiated in TLS
   versions prior to 1.2.
"""

On Tue, May 23, 2017 at 10:48 PM, Adam Roach <adam@nostrum.com> wrote:

> On 5/23/17 9:33 PM, Daniel Migault wrote:
>
>> The current version does not consider that proposing the cipher suites of
>> the document implicitly assumes the client supports TLS1.2.
>>
>
> Really? Can you clarify the meaning of the following passage? Because I
> can't read it in any way other than to contradict your assertion above:
>
>
>    A server receiving a ClientHello and a client_version indicating
>    (3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from
>    this document in ClientHello.cipher_suites can safely assume that the
>    client supports TLS 1.2 and is willing to use it.
>
>
>
> /a
>

v2.23.0 | Report a Bug | By Email