Re: [TLS] Negotiate only symmetric cipher via cipher suites (was: Ala Carte Cipher suites - was: DSA should die)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 13 April 2015 18:55 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 855551B2FC7 for <tls@ietfa.amsl.com>; Mon, 13 Apr 2015 11:55:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tTDlMA8nvi0m for <tls@ietfa.amsl.com>; Mon, 13 Apr 2015 11:55:15 -0700 (PDT)
Received: from emh04.mail.saunalahti.fi (emh04.mail.saunalahti.fi [62.142.5.110]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42FA71B2FBB for <tls@ietf.org>; Mon, 13 Apr 2015 11:55:14 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh04.mail.saunalahti.fi (Postfix) with ESMTP id A9DF11A25E0; Mon, 13 Apr 2015 21:55:05 +0300 (EEST)
Date: Mon, 13 Apr 2015 21:55:05 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Message-ID: <20150413185505.GA1016@LK-Perkele-VII>
References: <CAK9dnSyKf7AY11h1i1h+SudRc-NmTZE5wC682YKhNsxnfV5ShQ@mail.gmail.com> <201504131200.00384.davemgarrett@gmail.com> <874mokug5y.fsf@alice.fifthhorseman.net> <201504131325.20590.davemgarrett@gmail.com> <871tjoue8v.fsf@alice.fifthhorseman.net> <D1517606.23FD5%uri@ll.mit.edu> <87vbgzubj6.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87vbgzubj6.fsf@alice.fifthhorseman.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/DNhNL5lWTsO1ZMAA8Xmj2xk-72A>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Negotiate only symmetric cipher via cipher suites (was: Ala Carte Cipher suites - was: DSA should die)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2015 18:55:17 -0000

On Mon, Apr 13, 2015 at 02:29:49PM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2015-04-13 13:35:42 -0400, Blumenthal, Uri - 0553 - MITLL wrote:
> > On 4/13/15, 13:31 , "Daniel Kahn Gillmor" <dkg@fifthhorseman.net> wrote:
> >
> >>On Mon 2015-04-13 13:25:20 -0400, Dave Garrett wrote:
> >>>> So if we have to have non-(EC)DHE PSK, what would it mean if a TLS peer
> >>>> were to try to negotiate:
> >>>> 
> >>>>   key agreement: PSK
> >>>>  authentication: RSA-PSS
> >>>> 
> >>>> Do we just say "don't do that"?
> >>>
> >>> SGTM
> >>
> >>……...
> >>Once the full cartesian explosion is available by multidimensional
> >>enumeration, we have to mark out which corners of the space are actually
> >>bad ideas, and we have to make sure our implementations don't stumble
> >>into those corners by accident.
> >>
> >>This isn't impossible to do, but it seems ripe for subtle implementation
> >>bugs.
> >
> > Cryptographically sound algorithms and protocols should be immune to this
> > concern. And we should accept only cryptographically sound algorithms &
> > protocols. :-)
> 
> What do you think an implementation should do when a peer tries to
> negotiate the combination above?  Require an RSA-PSS signature from the
> server over some material derived in part from the PSK key agreement
> mechanism?

To me it seems like that combo is quite insecure, unless one handles it as
a special case (in which case it is just equivalent to PSK in security,
just wastes time with a certificate).


As list, the key exchange methods TLS v1.2 actually supports (after merging
some non-significant distinctions) are:
- RSA [going away]
- RSA_EXPORT [you have deimplemented this already, right?]
- DH_CERT [going away]
- DHE_CERT [supported]
- DHE_ANON [???]
- KRB5 [going away]
- PSK [???]
- DHE_PSK [???]
- RSA_PSK [going away]
- SRP [???]
- SRP_CERT [???]



-Ilari