Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and
Michael D'Errico <mike-list@pobox.com> Thu, 17 February 2011 00:03 UTC
Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E83D73A6D9E for <tls@core3.amsl.com>; Wed, 16 Feb 2011 16:03:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vFR6CMldBf6Y for <tls@core3.amsl.com>; Wed, 16 Feb 2011 16:03:05 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id 8D2063A6D98 for <tls@ietf.org>; Wed, 16 Feb 2011 16:03:05 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id D5A653524; Wed, 16 Feb 2011 19:04:41 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=EFKTURQDGO37 Khng4Nt3GotvIcY=; b=PIqgAuRwFC1tD9ojU0gl21Pd9KWvOeOVupl0/hubRThT 9DY7eg/VG4mXDVbN1lbTAb5rLxMILjhjqCODYMrG3P4YD/HmdfvQNh/+z57Q4cYa y8ipgIMkSslRT7YzA8TvNuluNNvrhz8481u7nstoD9kYIm+Oprba+KovD87lAb8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=CcAEsy 6sqEuUBeu/Wz7CLTar0boft5S/ws8IMG/ErEvcUAdd4eb5uy88lCoe4GhdhhF/sl MiDw7EDEsHBT/dglc6bOWDV7jUbyEvj0DOnCQjopWlwWRL4D6FGWMTf8yz92XyG1 qsGvAq0hx1FJwVcmJoJMBqAwORbt6mNnY+ECc=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id BDCAD3523; Wed, 16 Feb 2011 19:04:40 -0500 (EST)
Received: from iMac.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id F02E83522; Wed, 16 Feb 2011 19:04:38 -0500 (EST)
Message-ID: <4D5C65D2.4060502@pobox.com>
Date: Wed, 16 Feb 2011 16:03:30 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: mrex@sap.com
References: <201102162335.p1GNZ0Yd009478@fs4113.wdf.sap.corp>
In-Reply-To: <201102162335.p1GNZ0Yd009478@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 8435C770-3A29-11E0-BF58-AF401E47CF6F-38729857!a-pb-sasl-sd.pobox.com
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2011 00:03:07 -0000
I see the potential problem. For me, though, I just hold onto all of the handshake messages until the handshake concludes. It may use a bit more memory for a short amount of time, but the issue you raise is completely avoided. Call it a space <-> code complexity trade-off. In TLS 1.2, a CertificateRequest message is where the server tells the client which signature algorithms are acceptable. I don't think it's allowed to be an empty list, but if it is, the sensible thing to do is to assume the same hash functions are supported as previous versions which didn't have that parameter. In other words choose rsa/sha1, rsa/md5 or dsa/sha1. This issue would have been avoided if the supported_signature_algorithms extension was symmetric and allowed the server to specify its list of algorithms in a ServerHello extension. Alas, that was not the design we ended up with. Mike Martin Rex wrote: > > The more I think about it, the more I believe it is, in fact, a > design flaw in TLSv1.2 responsible for a handshake performance issue > (at least when a client certificate is requested). > > > While the PRF was changed from SSLv3->TLSv1.0, there was no change to > the CertificateVerify handshake message. So for creating and > verifying a CertificateVerify handshake message, two hashes must > be maintained over all handshake messages: MD5 + SHA1. > > With TLSv1.2, if a server does not want to artificially limit the > signature algorithms on acceptable client certificates, it must > send a long list of acceptable combinations > > (sha1,rsa), (sha1,dsa), (sha256,rsa), (sha384,rsa), (sha512,rsa), > (sha224,dsa), (sha256,dsa), ... > > So unless both, server and client must either hold on to all handshake > messages up to CertificateVerify or carry along hash contexts for all > of the possible algorithms. > > Compare: > SSLv3, TLSv1.0/1.1 md5 + sha1 > TLSv1.2 md5 + sha1 + sha224 + sha256 + sha384 + sha512 > > If you look at this list, look at how TLS uses hashes for digital > signatures and think about the algorithmic relationships between > sha224&sha256 and between sha384&sha52, then sha224 and sha384 > are utterly useless fifth and sixth wheel on the TLS cart. > For TLS itself, sha256 -- or maybe even sha256 alone would have > been PERFECTLY sufficent, and a LOT less work. > > > What I also don't understand is the idea behind "default signature > algorithms". For implementing TLSv1.2, SHA-256 _must_ be supported, > but unless explicitly negotiated with the TLS SignatureAlgorithm > extension, SHA-256 appears not allowed to be used for CertificateVerify. > > That would mean, when TLSv1.2 is negotiated, but no SignatureAlgorithms > extension exchanged, the resulting signature with an RSA client cert > in CertificateVerify no longer uses MD5+SHA-1 as in TLS up to v1.1, > but _only_ SHA-1 (which slightly weakens that signature compared to > prior protocol versions...). The use of SHA-256 is prohibited!??! > > Weird, really. > > -Martin
- [TLS] TLSv1.2 with DSA client cert and key size >… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Wan-Teh Chang
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- [TLS] TLS v1.2 performance (was Re: TLSv1.2 with … Michael D'Errico
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Nikos Mavrogiannopoulos
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Kemp, David P.
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Wan-Teh Chang
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yoav Nir
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Marsh Ray
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Kyle Hamilton
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Sean Turner
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex