Re: [TLS] Negotiate only symmetric cipher via cipher suites (was: Ala Carte Cipher suites - was: DSA should die)

[Ilari Liusvaara <ilari.liusvaara@elisanet.fi>]

On Mon, Apr 13, 2015 at 02:29:49PM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2015-04-13 13:35:42 -0400, Blumenthal, Uri - 0553 - MITLL wrote:
> > On 4/13/15, 13:31 , "Daniel Kahn Gillmor" <dkg@fifthhorseman.net> wrote:
> >
> >>On Mon 2015-04-13 13:25:20 -0400, Dave Garrett wrote:
> >>>> So if we have to have non-(EC)DHE PSK, what would it mean if a TLS peer
> >>>> were to try to negotiate:
> >>>> 
> >>>>   key agreement: PSK
> >>>>  authentication: RSA-PSS
> >>>> 
> >>>> Do we just say "don't do that"?
> >>>
> >>> SGTM
> >>
> >>……...
> >>Once the full cartesian explosion is available by multidimensional
> >>enumeration, we have to mark out which corners of the space are actually
> >>bad ideas, and we have to make sure our implementations don't stumble
> >>into those corners by accident.
> >>
> >>This isn't impossible to do, but it seems ripe for subtle implementation
> >>bugs.
> >
> > Cryptographically sound algorithms and protocols should be immune to this
> > concern. And we should accept only cryptographically sound algorithms &
> > protocols. :-)
> 
> What do you think an implementation should do when a peer tries to
> negotiate the combination above?  Require an RSA-PSS signature from the
> server over some material derived in part from the PSK key agreement
> mechanism?

To me it seems like that combo is quite insecure, unless one handles it as
a special case (in which case it is just equivalent to PSK in security,
just wastes time with a certificate).


As list, the key exchange methods TLS v1.2 actually supports (after merging
some non-significant distinctions) are:
- RSA [going away]
- RSA_EXPORT [you have deimplemented this already, right?]
- DH_CERT [going away]
- DHE_CERT [supported]
- DHE_ANON [???]
- KRB5 [going away]
- PSK [???]
- DHE_PSK [???]
- RSA_PSK [going away]
- SRP [???]
- SRP_CERT [???]



-Ilari