Re: [TLS] DSA should die

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Thu, 02 April 2015 17:48 UTC


On Thu, Apr 02, 2015 at 11:45:35AM -0500, Nico Williams wrote:
> On Thu, Apr 2, 2015 at 2:39 AM, CodesInChaos <codesinchaos@gmail.com> wrote:
> > Nico Williams nico@cryptonector.com wrote:
> >> Yes, we could patch in a-la-carte ciphersuite negotiation by having
> >> non-functional ciphersuites that wild-card all but the one kind of
> >> thing.  You offer those.  A matching functional ciphersuite gets
> >> selected.  Done.
> >>
> >> TLS_*_*_WITH_AES_GCM_*
> >> TLS_*_*_WITH_*_*_SHA384
> >> TLS_ECDHE_*_WITH_*_*_*
> >> ...
> >
> > I think full a-la-carte is too complex. But I'm for negotiating the
> > handshake and symmetric crypto separately. They're already very
> > loosely coupled and most proposals that introduce/obsolete
> > ciphersuites are only interested in one of the two sides, with the
> > other being only an afterthought.
> 
> That would be a huge improvement over what we have now.

I say if one splits symmetric/asymmetric, then the hash should go
to the asymmetric part, since it is used there.

And furthermore, since there are group and cert type negotiation
mechanisms already, one can do unified DH/w certs.

So (with some added in):

TLS13_A_DH_CERT_SHA256
TLS13_A_DH_CERT_SHA384
TLS13_S_AES_128_GCM
TLS13_S_AES_256_GCM
TLS13_S_ARIA_128_GCM
TLS13_S_ARIA_256_GCM
TLS13_S_CAMELLIA_128_GCM
TLS13_S_CAMELLIA_256_GCM
TLS13_S_AES_128_CCM
TLS13_S_AES_256_CCM
TLS13_S_AES_128_CCM8
TLS13_S_AES_256_CCM8
TLS13_S_CHACHA20_POLY1305

(I included a cipher if it had an existing codepoint or
was in wide use and was TLS 1.3 compatible).

I'm on the fence about splitting hash out:

TLS13_A_DH_CERT
TLS13_H_SHA256
TLS13_H_SHA384
TLS13_S_*

As it seems to me that symmetric algorithm, key exchange and
hash to use are relatively independent concerns (I know gnutls
has an internal mapping table that breaks ciphersuites into internal
component parts).

Regarding ServerHello parts of this, the ServerHello could be
redesigned, except for the version field, which is conveniently
the first.

So one could put two or three ciphersuite fields, one for
each type there.


If one wanted to add anonDH and PSK:

TLS13_A_DH_ANON
TLS13_A_DH_PSK
TLS13_A_PSK

Giving 17 ciphers that span a Cartesian space of 88 ciphersuites.


-Ilari
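
Added example, not part of the original message: a sketch of per-component negotiation over the split codepoints listed above, with the hash split out and anonDH/PSK included. The component names come from the message; the function names and the "server preference order wins" selection rule are assumptions made for illustration.

```python
from itertools import product

# Component names exactly as listed in the message.
KEX = ["TLS13_A_DH_CERT", "TLS13_A_DH_ANON", "TLS13_A_DH_PSK", "TLS13_A_PSK"]
HASH = ["TLS13_H_SHA256", "TLS13_H_SHA384"]
SYM = [
    "TLS13_S_AES_128_GCM", "TLS13_S_AES_256_GCM",
    "TLS13_S_ARIA_128_GCM", "TLS13_S_ARIA_256_GCM",
    "TLS13_S_CAMELLIA_128_GCM", "TLS13_S_CAMELLIA_256_GCM",
    "TLS13_S_AES_128_CCM", "TLS13_S_AES_256_CCM",
    "TLS13_S_AES_128_CCM8", "TLS13_S_AES_256_CCM8",
    "TLS13_S_CHACHA20_POLY1305",
]
KINDS = {"A": KEX, "H": HASH, "S": SYM}

def counts():
    """(codepoints to register, ciphersuites they span)."""
    return len(KEX) + len(HASH) + len(SYM), len(list(product(KEX, HASH, SYM)))

def kind_of(name):
    """Return 'A', 'H' or 'S' from the TLS13_<kind>_ prefix; reject anything else."""
    parts = name.split("_", 2)
    if len(parts) == 3 and parts[0] == "TLS13" and name in KINDS.get(parts[1], ()):
        return parts[1]
    raise ValueError(f"unknown component: {name}")

def negotiate(client_offer, server_prefs):
    """Pick one component per kind (assumed rule: server preference order wins).

    Unknown names in the client offer are skipped, the way a server skips
    ciphersuites it does not know. Returns None if any kind has no overlap.
    """
    offered = {kind: set() for kind in KINDS}
    for name in client_offer:
        try:
            offered[kind_of(name)].add(name)
        except ValueError:
            continue  # unknown codepoint: ignore, do not fail
    chosen = {}
    for kind in KINDS:
        match = [n for n in server_prefs if kind_of(n) == kind and n in offered[kind]]
        if not match:
            return None  # no common key exchange, hash or cipher
        chosen[kind] = match[0]
    return chosen
```

Each of the three selections would fill one of the "two or three ciphersuite fields" the message suggests for ServerHello.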