Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2
David Benjamin <davidben@chromium.org> Tue, 12 July 2016 19:53 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A38012D61C for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 12:53:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.986
X-Spam-Level:
X-Spam-Status: No, score=-3.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9hmpqtJDevur for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 12:53:53 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7EE612D61A for <tls@ietf.org>; Tue, 12 Jul 2016 12:53:52 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id j8so4598747itb.1 for <tls@ietf.org>; Tue, 12 Jul 2016 12:53:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cpIhShgxR2uH1DDqJ4GiKOEJrKF+KHOeLRUlMvEM36U=; b=mZdfGoEYBWFhoa94umxvwfTO0aZUIBcwO+vIXtBiQTUwmsiUPig2cjavRjoNamqcJp qzl6P0IMHvnkqL8CaWCWJlOHfdSIUci4Q7xGRNKVELA650mYhBfCDf0Nz1EMgz0MJkhC PX6lJzdorUt5PzeCVGRsGGRutGbDMaSel5VwA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cpIhShgxR2uH1DDqJ4GiKOEJrKF+KHOeLRUlMvEM36U=; b=lcPTWPHuvolrGJRW+JhyE62adYAiJtT7RkYYg6oigO10HK2kNdrVDv5QToyYrinoUD 4AWJN/AWynwaZjAMyOgXvUWeM+GgjMXMuJTMxwtyXp7OrNMROJyk/s/aiXPSvhbz8i8F y8gUrOiy8ZPK1BgDZzn5vFnm3J5ugqMm7wKInJGPeVImrCuiCwiyxHMWfzuuZvybAqjd sg0Vy/31fbhW88JoMykPrbab1pVolJABmuURJ2BaxVUhNByavMsN4mVoxGMxZClZjMqy z3RI4ppiUKjfD85+v963P0eZz3Fj67c9mprULFMD4/itbMbzi2kqCwMJiRJ/4cQk8LYc lO/w==
X-Gm-Message-State: ALyK8tKlCXn4F+56Ex/T8Ehf7pLMyS9gqQJ0g3jAFC5PqAV9PW+FavqaUhu6Hw4pu5hJgjE+bN56RItuzUHw/YtY
X-Received: by 10.36.230.5 with SMTP id e5mr5096496ith.92.1468353231991; Tue, 12 Jul 2016 12:53:51 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <20160712041624.GA30472@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaDcf99O46F1v5ZK8_0079iWgkSoGwD+w-KFd-cRqM_sdw@mail.gmail.com> <20160712192929.GA32063@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20160712192929.GA32063@LK-Perkele-V2.elisa-laajakaista.fi>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 12 Jul 2016 19:53:41 +0000
Message-ID: <CAF8qwaB_h_k0bvnemKfbTBGNXYN4VYjrJ0+iZ_R7gF2w4wJX7w@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="94eb2c11c82ecc8185053775a03b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EIMvK9Rz5RpdajVHqRjXBI7Mk8c>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 19:53:55 -0000
On Tue, Jul 12, 2016 at 3:29 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Tue, Jul 12, 2016 at 05:47:26PM +0000, David Benjamin wrote: > > [Changing subject since the other thread is about something else.] > > > > I believe, as the text stands right now, RSA-PSS and EdDSA do *not* exist > > in 1.2 because we're not touching the 1.2 registries. But this should be > > clarified in the spec. I would actually prefer they stay 1.3-only. I > > personally could live with either, but that's because we've backported > the > > 1.3 mechanism to 1.2 (and 1.1 and 1.0 and half[*] of SSL 3.0 with some > > minor weirdness). I did intentionally mean for the scheme to be > > backportable, but I do not think it should be mandated that > implementations > > do so. > > If client signals TLS 1.2 or 1.3 and RSA-PSS and/or EdDSA, it damn better > be able to gracefully deal with server picking on the offer, even after > downnegotiation. Anything else, and you risk interop failures. > Right, there is a risk of interop failures if two implementations disagree on whether the algorithms exist in 1.2. Since getting these algorithms into 1.2 is not that important, I want everyone to standardize on the easier option (that is, they do *not* exist in 1.2). Otherwise we risk some implementations backporting (because the spec says to) and some not (because it is easier not to). > Also, neither RSA-PSS nor EdDSA can properly work in TLS 1.1 or older > (no problems there: The server won't be able to pick on the offer). > > > 1.2 and 1.3 signatures have different interfaces. 1.2 is decomposed into > a > > hash function and a signature algorithm which takes a pre-hashed value. A > > 1.3 signature scheme is a function that takes a message. This means that, > > to backport to TLS 1.2, implementations must remove all pre-hash steps > and: > > The current signature algorithm numbers are messed up. I would have > assigned > 0x0404, 0x0504 and 0x0604 for RSA-PSS, and some 0x00yy numbers for EdDSA. > > (That way the signature algorithms have proper hash designations, and yes > 0x00 is hash designation for "unhashed"). > TLS 1.3 SignatureScheme intentionally does away with the decomposition. It thinks of a "signature algorithm" at the level of messages, which means implementations shouldn't care about this. This also gives us more breathing room to allocate ed25519-style IDs (which I would like to be the norm, rather than parametrizing everything). We get most of our 2^16 space rather than just 2^8. > > 1. For ServerKeyExchange, assemble the client_random || server_random || > > ServerKeyExchange payload and then pass it into the signature scheme. > > Current logic probably hashes and then feeds the hash in. > > If one has proper signature primitive, it takes a message and internally > hashes it the way needed. > Yup, that's why TLS 1.3's version looks the way it does. But if one has such a primitive, one shouldn't care about how the numbers are decomped (above). :-) > > 2. Client CertificateVerify in TLS 1.2 messed up. We sign the full > > handshake transcript, so there's interactions with the PRF. I've seen > > implementations which require signing hash match the PRF hash, sometimes > > with a backup SHA-1 hash (NSS), at the cost of hash negotiation being a > > mess. I've also seen implementations which decouple them, at the cost of > > maintaining the raw handshake buffer (OpenSSL, BoringSSL). Backporting > > forces the second choice. > > By the time CertificateRequest is sent, the server knows the final > protocol, so it can omit algorithms it knows it can't handle. Also, > the client picks the actual algorithm, so it too can avoid algorithms > it can't handle. So client auth isn't the interop hazard server auth > is. > When we first added TLS 1.2 to Chrome via NSS, we hit exactly that interop hazard. Clients don't know a priori which hash functions the server will accept and may be using some crappy smartcard. The original implementation only accepted the PRF hash (SHA-256) and we ran into both servers and client smartcards that could only sign SHA-1. As a result, NSS maintains a rolling SHA-1 "backup hash" here. (The failure mode was, of course, everyone's favorite TLS version fallback.) I am sure that, were we still using NSS when we added AES_256_GCM (SHA-384 PRF), we would have hit more problems with smartcards that can only sign SHA-256. But this is all sort of beside the point. The way to avoid this interop hazard is to maintain the full handshake buffer which is also how you backport. :-) I'm more worried about implementations which don't do the backport because it's more work or they don't want to pay the handshake buffer. > > Notably, if backporting EdDSA, there is no rolling hash one can maintain > > for CertificateVerify anyway. EdDSA is inherently message-based, which > > motivated the 1.3 change. (That and simpler interfaces.) > > Well, proper crypto libs only have message-based signature APIs anyway > (because hash-based ones are trouble). > > > There is a middle ground: we backport RSA-PSS (then we should assign it > in > > the 1.2 style and allocate corresponding 1.3-style numbers) and not > EdDSA. > > I intentionally did not do this. I did not want, many years down the line > > when EdDSA certificates actually exist, for implementations to discover > the > > message-based scheme is trouble. I wanted RSA-PSS to be done in 1.3 style > > so any questions about the new scheme would be resolved early. > > Well, RFC4492bis is likely have EdDSA, in way that is compatible with > TLS 1.3... > (s/TLS 1.3/TLS 1.2/?) Yeah, I don't think defining it for 1.2 makes much sense. I expect 1.3 will get deployed much faster than EdDSA PKIs. > > (We've implemented the message-based scheme and it seems to be just fine. > > If you're willing to pay the cost of the backport to all versions, it > > actually ends up quite tidy.) > > Yeah, it seems annoying with TLS 1.2 Client CertificateVerify, but > there either side can decide just not to support it. No such luck > with clients that implement the algorithm for server certificates in > any version. > > > -Ilari >
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Peter Gutmann
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Watson Ladd
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Hubert Kario
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dave Garrett
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny