Re: [TLS] Suite B compliance of TLS 1.2

Eric Rescorla <ekr@networkresonance.com> Wed, 26 July 2006 14:42 UTC

To: martin.rex@sap.com
Subject: Re: [TLS] Suite B compliance of TLS 1.2
References: <200607261337.PAA14335@uw1048.wdf.sap.corp>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Wed, 26 Jul 2006 07:42:36 -0700
In-Reply-To: <200607261337.PAA14335@uw1048.wdf.sap.corp> (Martin Rex's message of "Wed, 26 Jul 2006 15:37:28 +0200 (MET DST)")
Message-ID: <868xmgzaub.fsf@raman.networkresonance.com>
Cc: tls@ietf.org
Reply-To: EKR <ekr@networkresonance.com>

Martin Rex <martin.rex@sap.com> writes:

> Eric Rescorla wrote:
>> 
>> Wan-Teh Chang <wtchang@redhat.com> writes:
>> > At the 2005 RSA Conference, the US National
>> > Security Agency (NSA) announced Suite B Cryptography
>> > (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm).
>> > This suite of cryptographic algorithms includes AES,
>> > ECDSA, ECDH, ECMQV, and SHA-256/SHA-384.
>> >
>> > I'm interested in the Suite B compliance of TLS 1.2.
>> > Simply put, it means the ability to do TLS 1.2 using
>> > only Suite B algorithms.
>> >
>> > The primary goal of TLS 1.2, to remove the protocol's
>> > dependency on the MD5 and SHA-1 digest algorithms, is
>> > in line with Suite B compliance.  I'd like to start
>> > the discussion by proposing additional goals:
>> > - merge in or reference RFC 4492
>
> AFAIK, the dependency on the combination of SHA-1 and MD5 is
> hardwired into the protection of the SSL handshake,
> and independent of the ciphersuite that is negotiated.

It is in 1.1, but not in 1.2.


> So in order to remove the dependency, one does not only need
> new TLS ciphersuites, but also a significant change in the
> handshake protocol (hashing of the handshake messages
> and the creation/verification of the finished message).

Yep. Those changes are already being made.

> Hashing the handshake messages with both old and new hash
> algorithms and deciding later in the handshake which results
> go into creation/verification of the finished message when
> it has been determined/negotiated which algorithms to use
> should be doable, and just moderately more expensive.
>
>
> I'm slightly worried about the potential "market pressure"
> which this might cause.  I certainly don't mind adoption/offering
> of strong cryptographic protocols/technologies, but right
> now I do NOT consider TLS fundamentally broken or weak,
> and I would prefer if people focus on the actual weaknesses
> within the technology, rather than replacing the
> (currently) strongest link in a weak chain with a much
> stronger one.

I'm sensitive to what you're saying and I have the same doubts.
On the other hand, I also worry about the attacks on MD5 and SHA-1
getting much worse and then having to explain why we didn't
do anything about it.

-Ekr

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
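The parallel-hashing approach Martin describes above (keep the legacy MD5+SHA-1 transcript and the new SHA-256 transcript running side by side, then pick one when the version is settled) as an added illustration that is not part of the thread or any TLS implementation. It follows the PRF and Finished constructions of RFC 4346 (TLS 1.1) and the SHA-256-based PRF of the TLS 1.2 drafts; the class name, the version strings and the 48-byte master secret in the test are my own constructed choices.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """TLS P_hash expansion: HMAC chained over A(i), truncated to length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls11(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR
    P_SHA1 over the second half (halves overlap by one byte if odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF: a single P_hash with the negotiated hash, SHA-256 here."""
    return p_hash("sha256", secret, label + seed, length)


class HandshakeTranscript:
    """Feed every handshake message to the legacy (MD5, SHA-1) and the new
    (SHA-256) transcript hashes at once; the Finished value is derived only
    once the negotiated version says which of them counts."""

    def __init__(self):
        self.md5 = hashlib.md5()
        self.sha1 = hashlib.sha1()
        self.sha256 = hashlib.sha256()

    def update(self, handshake_message):
        for h in (self.md5, self.sha1, self.sha256):
            h.update(handshake_message)

    def verify_data(self, version, master_secret, label):
        """12-byte Finished verify_data for the version chosen during the handshake."""
        if version == "1.2":
            return prf_tls12(master_secret, label, self.sha256.digest(), 12)
        legacy = self.md5.digest() + self.sha1.digest()   # TLS 1.1 seed
        return prf_tls11(master_secret, label, legacy, 12)
```

Because `digest()` does not consume the running hash objects, the same transcript keeps accumulating after one side's Finished has been computed, which is what a real handshake needs for the peer's Finished.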