IETF Logo Mail Archive

Re: [TLS] security levels for TLS

Mike <mike-list@pobox.com> Wed, 10 October 2007 16:47 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ifeih-0005Ge-Lt; Wed, 10 Oct 2007 12:47:39 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1Ifeig-0005C0-45 for tls-confirm+ok@megatron.ietf.org; Wed, 10 Oct 2007 12:47:38 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ifeif-00056C-QI for tls@lists.ietf.org; Wed, 10 Oct 2007 12:47:37 -0400
Received: from rune.pobox.com ([208.210.124.79]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IfeiT-0008Dh-PE for tls@lists.ietf.org; Wed, 10 Oct 2007 12:47:35 -0400
Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id 2E990145CD5 for <tls@lists.ietf.org>; Wed, 10 Oct 2007 12:46:32 -0400 (EDT)
Received: from [192.168.1.8] (wsip-24-234-114-35.lv.lv.cox.net [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id EE9A0145CD3 for <tls@lists.ietf.org>; Wed, 10 Oct 2007 12:46:31 -0400 (EDT)
Message-ID: <470D0243.3050009@pobox.com>
Date: Wed, 10 Oct 2007 09:48:03 -0700
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: tls@lists.ietf.org
Subject: Re: [TLS] security levels for TLS
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil>
In-Reply-To: <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

There are two aspects to this that I see:

   1) a TLS client should be configurable such
      that it will reject negotiated sessions
      that don't satisfy its requirements.  The
      configurable parameters would include the
      minimum acceptable size for RSA and DSA
      keys, and DH parameters (p).  This can be
      done now without any changes to TLS, but
      has the problem that several attempts may
      be necessary to establish an acceptable
      connection.

   2) a TLS client might want to tell the server
      that if TLS_DHE_RSA_WITH_AES_128_CBC_SHA1
      is the negotiated cipher, it will accept
      a minimum RSA key size of X and a minimum
      DH parameter size of Y.  If the server
      has several sets of DH parameters (such as
      those in RFC 3526), it would select one
      that meets the minimum and is smallest for
      best performance.  If the server doesn't
      have the ability to satisfy the minimums,
      it could return an insufficient_security
      fatal alert.

Support for (2) could be added using an extension:

   enum {
       RSA,
       DHE_RSA,
       DHE_DSS,
       ...
   } KeyExchangeAlgorithm;

   struct {
       CipherSuite         cipher_suite;
       HashType            mac_algorithm<0..255>; // possible
       select (KeyExchangeAlgorithm) {
           case RSA:
               uint16      rsa_key_size;          // bytes
               uint16      premaster_secret_size; // possible
           case DHE_RSA:
               uint16      rsa_key_size;          // bytes
               uint16      dh_group_size;         // bytes
           case DHE_DSS:
               uint16      dsa_key_size;          // bytes
               uint16      dh_group_size;         // bytes
           case ....
       };
   } SecurityRequirements;

The client would package up SecurityRequirements
structures for each of the cipher suites listed in
its ClientHello message.

Notice the possibility to change the MAC algorithm
without needing to define new cipher suites.  A list
is used to be able to specify preferences (and can be
empty for AEAD ciphers).

The server would return a single SecurityRequirements
corresponding to the selected cipher suite, containing
the parameters chosen (MAC algorithm, premaster secret
size, etc.).

Mike



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email