[TLS] 3GPP forbids support of MD5, SHA-1, non-AEAD, and non-PFS in TLS

John Mattsson <john.mattsson@ericsson.com> Sat, 07 March 2020 00:03 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6dugCMN7f4viJI3IiXBLbDHLwps>

Hi,

I am happy to report that 3GPP just took the decision to forbid support of MD5 and SHA-1, as well as all non-AEAD and non-PFS cipher suites in TLS. The changes apply to all Rel-16 3GPP systems that use TLS and DTLS, which are quite many.

3GPP had already mandated support of TLS 1.3, forbidden support of TLS 1.1, and mandated minimum key lengths of 2048 for RSA/FFDH and 255 for ECC. 3GPP will likely mandate support of DTLS 1.3 soon after it has been published.

I hope this inspires other organisations to do the same.

The changes [2][3] were approved today and an updated complete version of the new 3GPP TLS profile can be found here [1]. Any comments or suggestions on the 3GPP TLS profile are very welcome.

Cheers,
John


[1] https://github.com/EricssonResearch/CBOR-certificates/raw/master/3GPP%20TLS%20Profile%206%20march%202020.pdf

[2] http://www.3gpp.org/ftp/TSG_SA/WG3_Security/TSGS3_98e/Docs/S3-200332.zip

[3] https://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_98e/Inbox/Drafts/draft_S3-200333-r1.doc
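
Added example, not part of the original message or of the 3GPP profile: a small auditor that checks IANA cipher suite names and key sizes against the rules stated in the message (no MD5, no SHA-1, AEAD only, forward-secret key exchange only, 2048-bit RSA/FFDH and 255-bit ECC minimums). The token-based name parsing, the function names and the sample list are assumptions made for illustration; TLS 1.3 suite names carry no key exchange, so they are assumed to run with an (EC)DHE handshake, and hash use in signatures or certificates is outside what a suite name shows.

```python
"""Audit IANA TLS cipher suite names against the rules quoted in the message."""

AEAD_TOKENS = {"GCM", "CCM", "POLY1305"}   # AEAD modes as they appear in IANA names
PFS_TOKENS = {"DHE", "ECDHE"}              # ephemeral, forward-secret key exchange
MIN_KEY_BITS = {"RSA": 2048, "FFDH": 2048, "ECC": 255}  # minimums from the message


def audit_suite(name):
    """Return the rule violations for one IANA suite name ([] means acceptable)."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS cipher suite name: {name!r}")
    body = name[len("TLS_"):]
    reasons = []
    if "_WITH_" in body:
        kex, cipher = body.split("_WITH_", 1)
        if not PFS_TOKENS & set(kex.split("_")):
            reasons.append("non-PFS key exchange")
    else:
        # TLS 1.3 style name: assumption that the handshake uses (EC)DHE.
        cipher = body
    tokens = cipher.split("_")
    if not AEAD_TOKENS & set(tokens):
        reasons.append("non-AEAD cipher")
    if tokens[-1] == "SHA":        # a bare "SHA" suffix means HMAC-SHA-1
        reasons.append("SHA-1")
    elif tokens[-1] == "MD5":
        reasons.append("MD5")
    return reasons


def key_ok(kind, bits):
    """Check a key size against the minimum for 'RSA', 'FFDH' or 'ECC'."""
    return bits >= MIN_KEY_BITS[kind]


def audit(suites):
    """Map each non-compliant suite to its violations; compliant ones are omitted."""
    findings = {s: audit_suite(s) for s in suites}
    return {s: r for s, r in findings.items() if r}


# Constructed sample of suites a server might be configured to offer.
OFFERED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite, reasons in audit(OFFERED).items():
        print(f"{suite}: {', '.join(reasons)}")
```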