[TLS] Question about TLS_RSA_WITH_3DES_EDE_CBC_SHA

Stefan Winter <stefan.winter@restena.lu> Fri, 01 July 2011 11:58 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F04321F8734 for <tls@ietfa.amsl.com>; Fri, 1 Jul 2011 04:58:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7sjq4bC1Iz4g for <tls@ietfa.amsl.com>; Fri, 1 Jul 2011 04:58:27 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id A8F6321F8733 for <tls@ietf.org>; Fri, 1 Jul 2011 04:58:26 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 26B7910691 for <tls@ietf.org>; Fri, 1 Jul 2011 13:58:25 +0200 (CEST)
Received: from [IPv6:2001:a18:1:8::155] (unknown [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 1859E10590 for <tls@ietf.org>; Fri, 1 Jul 2011 13:58:25 +0200 (CEST)
Message-ID: <4E0DB650.5010801@restena.lu>
Date: Fri, 01 Jul 2011 13:58:08 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: tls@ietf.org
X-Enigmail-Version: 1.2
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigFD5CB3075FCE05F43A5123ED"
X-Virus-Scanned: ClamAV
Subject: [TLS] Question about TLS_RSA_WITH_3DES_EDE_CBC_SHA
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jul 2011 11:58:27 -0000

Hello,

in radiusext, I need to make an assessment whether an I-D is compliant to a crypto-agility requirements document.

The draft (still) requires at least TLS 1.1 with its mandatory-to-implemnt cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

The crypto-agility document requires the mandatory-to-implement algorithm to be NIST approved, "Acceptable with no deprecation date" in NIST SP-800-131A. 

That document marks 
* two-key Triple DES Encryption as an encryption with deprecation date
* three-key Triple DES Encryption as an encryption without deprecation date

I'm not sure whether TLS_RSA_WITH_3DES_EDE_CBC_SHA is a two-key or a three-key 3DES algorithm. This condition would be the only one that could downgrade the I-D in question from "unconditionally compliant" to "conditionally compliant".

So... would anybody have some insight which of the variant(s) is/are used in TLS_RSA_WITH_3DES_EDE_CBC_SHA?

Greetings,

Stefan Winter


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473