Re: [TLS] security levels for TLS
Mike <mike-list@pobox.com> Wed, 10 October 2007 16:47 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ifeih-0005Ge-Lt; Wed, 10 Oct 2007 12:47:39 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1Ifeig-0005C0-45 for tls-confirm+ok@megatron.ietf.org; Wed, 10 Oct 2007 12:47:38 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ifeif-00056C-QI for tls@lists.ietf.org; Wed, 10 Oct 2007 12:47:37 -0400
Received: from rune.pobox.com ([208.210.124.79]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IfeiT-0008Dh-PE for tls@lists.ietf.org; Wed, 10 Oct 2007 12:47:35 -0400
Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id 2E990145CD5 for <tls@lists.ietf.org>; Wed, 10 Oct 2007 12:46:32 -0400 (EDT)
Received: from [192.168.1.8] (wsip-24-234-114-35.lv.lv.cox.net [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id EE9A0145CD3 for <tls@lists.ietf.org>; Wed, 10 Oct 2007 12:46:31 -0400 (EDT)
Message-ID: <470D0243.3050009@pobox.com>
Date: Wed, 10 Oct 2007 09:48:03 -0700
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: tls@lists.ietf.org
Subject: Re: [TLS] security levels for TLS
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil>
In-Reply-To: <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
There are two aspects to this that I see: 1) a TLS client should be configurable such that it will reject negotiated sessions that don't satisfy its requirements. The configurable parameters would include the minimum acceptable size for RSA and DSA keys, and DH parameters (p). This can be done now without any changes to TLS, but has the problem that several attempts may be necessary to establish an acceptable connection. 2) a TLS client might want to tell the server that if TLS_DHE_RSA_WITH_AES_128_CBC_SHA1 is the negotiated cipher, it will accept a minimum RSA key size of X and a minimum DH parameter size of Y. If the server has several sets of DH parameters (such as those in RFC 3526), it would select one that meets the minimum and is smallest for best performance. If the server doesn't have the ability to satisfy the minimums, it could return an insufficient_security fatal alert. Support for (2) could be added using an extension: enum { RSA, DHE_RSA, DHE_DSS, ... } KeyExchangeAlgorithm; struct { CipherSuite cipher_suite; HashType mac_algorithm<0..255>; // possible select (KeyExchangeAlgorithm) { case RSA: uint16 rsa_key_size; // bytes uint16 premaster_secret_size; // possible case DHE_RSA: uint16 rsa_key_size; // bytes uint16 dh_group_size; // bytes case DHE_DSS: uint16 dsa_key_size; // bytes uint16 dh_group_size; // bytes case .... }; } SecurityRequirements; The client would package up SecurityRequirements structures for each of the cipher suites listed in its ClientHello message. Notice the possibility to change the MAC algorithm without needing to define new cipher suites. A list is used to be able to specify preferences (and can be empty for AEAD ciphers). The server would return a single SecurityRequirements corresponding to the selected cipher suite, containing the parameters chosen (MAC algorithm, premaster secret size, etc.). Mike _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Yngve Nysaeter Pettersen
- Re: [TLS] security levels for TLS Paul Hoffman
- RE: [TLS] security levels for TLS Kemp, David P.
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Steven M. Bellovin
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Paul Hoffman
- Re: [TLS] security levels for TLS Nikos Mavrogiannopoulos
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Nicolas Williams
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Mike
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Eric Rescorla
- Re: [TLS] security levels for TLS Paul Hoffman