IETF Logo Mail Archive

Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 14 July 2015 19:30 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3096C1B2AE3 for <tls@ietfa.amsl.com>; Tue, 14 Jul 2015 12:30:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.102
X-Spam-Level:
X-Spam-Status: No, score=-0.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6, J_CHICKENPOX_24=0.6, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VT6TzznozRUg for <tls@ietfa.amsl.com>; Tue, 14 Jul 2015 12:30:39 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0106.outbound.protection.outlook.com [207.46.100.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39ABE1B2ADE for <tls@ietf.org>; Tue, 14 Jul 2015 12:30:39 -0700 (PDT)
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1394.namprd03.prod.outlook.com (10.163.81.140) with Microsoft SMTP Server (TLS) id 15.1.213.14; Tue, 14 Jul 2015 19:30:37 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0213.000; Tue, 14 Jul 2015 19:30:38 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
Thread-Index: AQHQuMqGail83kPeBUGeFeksHA1hqJ3QLTyAgAAI+QCAAAQ1gIAADWmAgAA2FYCAAVxcgIAAAVqAgAAEyoCAAVE1AIABlogAgAAEJoCAAAXGgIAACRQAgAADNACAAAGWgIAAA+QAgAAQkpCAAUrngIAADsEAgAAC7oCAABbWgIAANnyAgAAH4ACAAAoZgIAAB+GAgAAMDwCAAAXygIAAI+yAgAADFACAAd8BsIAACoIAgADHX/CAABhggIAAFePggAAu+ACAAADfAIAATQqAgAC4IQCAAFw0gIAAAPZA
Date: Tue, 14 Jul 2015 19:30:38 +0000
Message-ID: <BLUPR03MB13969324E4C95B2D6DC9A7558C9B0@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <20150714024710.GR28047@mournblade.imrryr.org> <20150714134612.F2DFF1A1DE@ld9781.wdf.sap.corp> <20150714191613.GC28047@mournblade.imrryr.org>
In-Reply-To: <20150714191613.GC28047@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e8:ee31::2]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1394; 5:8ZPDYsTKXwkcckr5qnVVX1CkMgmHICgfH+vq5pS4sOF55X5AOfILHOZ2Y5V7OcQLXodYIKPitBvCDeOv3XrOJSA6HtpsI/NjpcRTIMiIR3fkjIXv+XgVPg4a8ijvkwUQr3zeoHtB0NGO2QxDOnt5Gw==; 24:8W8UmwrrPIAnXSBxRG07GAbE7cGbppD2VGZMQ0HtcGbufC/j3eCcAaUKNdISgmt/8BXu5SdfAV4zwAtdcjWP7lW7s+PTMZbKPV/HQ6YB9L0=; 20:O6ooDZqmTgzyz1EcieAHPU0jWdL0oa627B0CexKGrduNa8XTShVuN+4zNuY6ZovQGk0UHvPA7OFGlDdhXrixyw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1394;
blupr03mb1394: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <BLUPR03MB13942FD3F131AF4A5F8B59898C9B0@BLUPR03MB1394.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BLUPR03MB1394; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1394;
x-forefront-prvs: 0637FCE711
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(51704005)(24454002)(377454003)(50986999)(19580395003)(106116001)(76176999)(19580405001)(86612001)(54356999)(86362001)(46102003)(87936001)(2656002)(2351001)(76576001)(77156002)(74316001)(5001960100002)(110136002)(122556002)(107886002)(2900100001)(40100003)(99286002)(5003600100002)(2501003)(2950100001)(15975445007)(5002640100001)(62966003)(33656002)(102836002)(77096005)(450100001)(92566002)(189998001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1394; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2015 19:30:38.1264 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1394
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/9e_gIDQztplVVg5eF6ldL2AkILw>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 19:30:41 -0000

Using anonymous cipher suites for opportunistic connections allows the server operator to explicitly enable anonymous connections, and it saves bytes on the wire.

The downside is of course that the attacker can easily distinguish opportunistic clients from server-authenticating ones. Is this a concern for the opportunistic TLS community?

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Viktor Dukhovni
Sent: Tuesday, July 14, 2015 12:16 PM
To: tls@ietf.org
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

On Tue, Jul 14, 2015 at 03:46:12PM +0200, Martin Rex wrote:

[ There's no need to belabour the obvious, yes unauthenticated TLS
  does not protect against active attacks, absent authenticated
  channel binding post handshake.  This does not mean that the are
  no appropriate use-cases for anon_DH and anon_ECDH. ]

>    https://tools.ietf.org/html/rfc2246#page-55
> 
>    The following cipher suites are used for completely anonymous
>    Diffie-Hellman communications in which neither party is
>    authenticated. Note that this mode is vulnerable to man-in-the-middle
>    attacks and is therefore deprecated.
> 
>     CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5     = { 0x00,0x17 };
>     CipherSuite TLS_DH_anon_WITH_RC4_128_MD5           = { 0x00,0x18 };
>     CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA  = { 0x00,0x19 };
>     CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA           = { 0x00,0x1A };
>     CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA      = { 0x00,0x1B };

Which still leaves us with (sorry about the OpenSSL-specific names):

    AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
    ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH     Au=None Enc=AESGCM(256) Mac=AEAD
    ADH-AES256-SHA256       TLSv1.2 Kx=DH     Au=None Enc=AES(256)  Mac=SHA256
    ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
    ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
    AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
    ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH     Au=None Enc=AESGCM(128) Mac=AEAD
    ADH-AES128-SHA256       TLSv1.2 Kx=DH     Au=None Enc=AES(128)  Mac=SHA256
    ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
    ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
    AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1

As for "ADH" and "AECDH" being "insecure", that rather depends on the threat model, and presumption of lack of channel binding.

For opportunistic TLS in SMTP, the threat model does not include active attacks.  Active attackers can in any case suppress "STARTTLS", use some random certificate (the client performs no authentication anyway), ... Denying the client anon TLS is pointless, and loses audit information on the server side.

    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-1.3
    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-8.2

If the recently proposed changes to cipher suite negotiation bear fruit, perhaps there'll some day again be a reasonably complete/current set of anon_ECDH ciphers to work with.

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email