Re: [TLS] Suite B compliance of TLS 1.2
Eric Rescorla <ekr@networkresonance.com> Wed, 26 July 2006 14:42 UTC
To: martin.rex@sap.com
Subject: Re: [TLS] Suite B compliance of TLS 1.2
References: <200607261337.PAA14335@uw1048.wdf.sap.corp>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Wed, 26 Jul 2006 07:42:36 -0700
In-Reply-To: <200607261337.PAA14335@uw1048.wdf.sap.corp> (Martin Rex's message of "Wed, 26 Jul 2006 15:37:28 +0200 (MET DST)")
Message-ID: <868xmgzaub.fsf@raman.networkresonance.com>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: tls@ietf.org
Reply-To: EKR <ekr@networkresonance.com>
Martin Rex <martin.rex@sap.com> writes:
> Eric Rescorla wrote:
>>
>> Wan-Teh Chang <wtchang@redhat.com> writes:
>> > At the 2005 RSA Conference, the US National
>> > Security Agency (NSA) announced Suite B Cryptography
>> > (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm)
>> > This suite of cryptographic algorithms includes AES,
>> > ECDSA, ECDH, ECMQV, and SHA-256/SHA-384.
>> >
>> > I'm interested in the Suite B compliance of TLS 1.2.
>> > Simply put, it means the ability to do TLS 1.2 using
>> > only Suite B algorithms.
>> >
>> > The primary goal of TLS 1.2, to remove the protocol's
>> > dependency on the MD5 and SHA-1 digest algorithms, is
>> > in line with Suite B compliance. I'd like to start
>> > the discussion by proposing additional goals:
>> > - merge in or reference RFC 4492
>
> AFAIK, the dependency on the combination of SHA-1 and MD5 is
> hardwired into the protection of the SSL handshake,
> and independent of the ciphersuite that is negotiated.

It is in 1.1, but not in 1.2.

> So in order to remove the dependency, one does not only need
> new TLS ciphersuites, but also a significant change in the
> handshake protocol (hashing of the handshake messages
> and the creation/verification of the finished message).

Yep. Those changes are already being made.

> Hashing the handshake messages with both old and new hash
> algorithms and deciding later in the handshake which results
> go into creation/verification of the finished message when
> it has been determined/negotiated which algorithms to use
> should be doable, and just moderately more expensive.
>
>
> I'm slightly worried about the potential "market pressure"
> which this might cause. I certainly don't mind adoption/offering
> of strong cryptographic protocols/technologies, but right
> now I do NOT consider TLS fundamentally broken or weak,
> and I would prefer if people focus on the actual weaknesses
> within the technology, rather than replacing the
> (currently) strongest link in a weak chain with a much
> stronger one.

I'm sensitive to what you're saying and I have the same doubts.
On the other hand, I also worry about the attacks on MD5 and SHA-1
getting much worse and then having to explain why we didn't do
anything about it.

-Ekr

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
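The exchange above turns on where MD5 and SHA-1 are hardwired in the handshake. The following is an added illustration, not code from this thread or from any TLS implementation: it reproduces the TLS 1.0/1.1 PRF (P_MD5 XOR P_SHA1, RFC 4346 section 5) and Finished verify_data (MD5 and SHA-1 of the transcript, RFC 4346 section 7.4.9), which hold regardless of the negotiated cipher suite, beside the TLS 1.2 form (RFC 5246 sections 5 and 7.4.9), where a single cipher-suite-selected hash replaces both. The `DualTranscript` class is a hypothetical sketch of Martin's suggestion to run old and new hashes in parallel and pick the result once the algorithms are negotiated; the master secret and handshake bytes are constructed sample values.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246/4346/5246: HMAC chain A(i), output HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls11(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half.
    For an odd-length secret the halves share one middle byte, as the RFC specifies."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF: a single P_hash with the cipher suite's hash (SHA-256 unless the suite says otherwise)."""
    return p_hash(hash_name, secret, label + seed, length)


def verify_data_tls11(master_secret, label, handshake_messages):
    """TLS 1.1 Finished: MD5(transcript) || SHA-1(transcript) fed to the MD5/SHA-1 PRF.
    No cipher suite can change these two digests; that is the hardwired dependency."""
    seed = hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    return prf_tls11(master_secret, label, seed, 12)


def verify_data_tls12(master_secret, label, handshake_messages, hash_name="sha256"):
    """TLS 1.2 Finished: Hash(transcript) fed to the PRF, both using the negotiated hash."""
    seed = hashlib.new(hash_name, handshake_messages).digest()
    return prf_tls12(master_secret, label, seed, 12, hash_name)


class DualTranscript:
    """Hypothetical sketch of the 'hash with both, decide later' approach: keep the legacy
    MD5 and SHA-1 running hashes and the new hash running over the same handshake bytes,
    then hand out whichever seed the negotiated version/suite calls for."""

    def __init__(self, new_hash="sha256"):
        self._md5 = hashlib.md5()
        self._sha1 = hashlib.sha1()
        self._new = hashlib.new(new_hash)

    def update(self, handshake_message):
        for h in (self._md5, self._sha1, self._new):
            h.update(handshake_message)

    def legacy_seed(self):
        # copy() so the transcript can keep growing after a Finished is computed
        return self._md5.copy().digest() + self._sha1.copy().digest()

    def new_seed(self):
        return self._new.copy().digest()


# Constructed sample values, not taken from any real handshake.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_HANDSHAKE = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
CLIENT_LABEL = b"client finished"

if __name__ == "__main__":
    print("TLS 1.1 verify_data:", verify_data_tls11(SAMPLE_MASTER_SECRET, CLIENT_LABEL, SAMPLE_HANDSHAKE).hex())
    print("TLS 1.2 verify_data:", verify_data_tls12(SAMPLE_MASTER_SECRET, CLIENT_LABEL, SAMPLE_HANDSHAKE).hex())
```

Running it shows the two verify_data values differ even though master secret and transcript are identical: in 1.1 the result is bound to MD5 and SHA-1 by construction, in 1.2 only to the suite's hash.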
- [TLS] Suite B compliance of TLS 1.2 Wan-Teh Chang
- Re: [TLS] Suite B compliance of TLS 1.2 Eric Rescorla
- Re: [TLS] Suite B compliance of TLS 1.2 Martin Rex
- Re: [TLS] Suite B compliance of TLS 1.2 Eric Rescorla
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- Re: [TLS] Suite B compliance of TLS 1.2 Martin Rex
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- Re: [TLS] Suite B compliance of TLS 1.2 Wan-Teh Chang
- Re: [TLS] Suite B compliance of TLS 1.2 Eric Rescorla
- Re: [TLS] Suite B compliance of TLS 1.2 Brian Minard
- Re: [TLS] Suite B compliance of TLS 1.2 Brian Minard
- Re: [TLS] Suite B compliance of TLS 1.2 David Hopwood
- Re: [TLS] Suite B compliance of TLS 1.2 Martin Rex
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- Re: [TLS] Suite B compliance of TLS 1.2 Eric Rescorla
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- Re: [TLS] Suite B compliance of TLS 1.2 Wan-Teh Chang
- Re: [TLS] Suite B compliance of TLS 1.2 Vipul Gupta