IETF Logo Mail Archive

Re: [TLS] DSS with other than SHA-1 algorithms

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 29 April 2011 12:10 UTC

Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 172E3E071D for <tls@ietfa.amsl.com>; Fri, 29 Apr 2011 05:10:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.499
X-Spam-Level:
X-Spam-Status: No, score=-3.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4VqQghSsK8AX for <tls@ietfa.amsl.com>; Fri, 29 Apr 2011 05:10:42 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfa.amsl.com (Postfix) with ESMTP id C5628E06C0 for <tls@ietf.org>; Fri, 29 Apr 2011 05:10:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1304079042; x=1335615042; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20juhovh@iki.fi,=20pgut001@cs.auckland.ac.nz |Subject:=20Re:=20[TLS]=20DSS=20with=20other=20than=20SHA -1=20algorithms|Cc:=20tls@ietf.org|In-Reply-To:=20<4DB7EB E7.8020705@iki.fi>|Message-Id:=20<E1QFmWo-0000Js-7O@login 01.fos.auckland.ac.nz>|Date:=20Sat,=2030=20Apr=202011=200 0:10:34=20+1200; bh=pX+Ck8WcLddKh1yEe//PE8LK61+4ncE8iFAqtxz2pEM=; b=Yr8MNwOmKI1t7LMliEBi/qXmwWzJWMcQgNiCKgKPoORMnRFdLVVCGs+b ALMl3EElwC+MzCk8mPPQ4UPi5DhgJmi6dFWzBVi0I4qhmWn1zjV6HYWyA jumZip0ptDEh9i1vR/CPcBRySHRIl4jUGxoVN9+0ohG+t0DP1hEpSaN3y k=;
X-IronPort-AV: E=Sophos;i="4.64,287,1301832000"; d="scan'208";a="59079326"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 30 Apr 2011 00:10:34 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QFmWo-00072H-H0; Sat, 30 Apr 2011 00:10:34 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QFmWo-0000Js-7O; Sat, 30 Apr 2011 00:10:34 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: juhovh@iki.fi, pgut001@cs.auckland.ac.nz
In-Reply-To: <4DB7EBE7.8020705@iki.fi>
Message-Id: <E1QFmWo-0000Js-7O@login01.fos.auckland.ac.nz>
Date: Sat, 30 Apr 2011 00:10:34 +1200
Cc: tls@ietf.org
Subject: Re: [TLS] DSS with other than SHA-1 algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2011 12:10:46 -0000

=?ISO-8859-1?Q?Juho_V=E4h=E4-Herttua?= <juhovh@iki.fi> writes:

>So every client sending a ClientHello SHOULD append the Supported Elliptic
>Curves extension in ClientHello itself and therefore the selected curve
>should be clear immediately after receiving the complete ServerHello
>including ServerKeyExchange.

Hmm, I'll try and explain this again... consider how the parts of the Client
Hello are processed.  For standard suites the server iterates through a list
of suites and selects the most cromulent one.  In my case I just have a list
of suite IDs and parameters sorted in order of preference and select the
lowest-ranked suite I find, I assume most implementations do something more or
less similar.

For the Chinese-menu suites, the server finds a Chinese menu selector and then
has to skip the remaining suites and other parts of the hello and process the
extensions to see whether what's in there matches up with that the Chinese-
menu selector requested.  For example if the Chinese menu said
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 but the supported-curves says P256
then you have to either hope the other side does the special-case X9.62
handling for hash truncation and gets it right (and I've never been able to
find anything that does this to test mine against so who knows whether
anything does do it, and does get it right), or not take the gamble and go
back to the cipher suites and look for another Chinese-menu option, and then
skip the rest of the hello and process the extension again to see if things
work out now, and if that doesn't work either then go back ...

In practice, with the servers I tried, it was hard enough just trying to
figure out which basic combinations they supported (the usual response was a
dropped connection or aborted handshake, so I had to use trial-and-error
probing, and with some servers I never did figure out how to do more than one
or two basic combinations), and I never got to the point of being able to
interop test any of the more exotic combinations like e.g. hash truncation.

So the sole purpose of this RFC is to try and indentify the common
combinations of parameters that everyone seems to implement anyway and list
them as conventional cipher suites, with no further parameterisation required.
The intent is to try and document what everyone's doing already anyway.

Peter.

v2.23.0 | Report a Bug | By Email