Re: [TLS] Suite B compliance of TLS 1.2

Martin Rex <martin.rex@sap.com> Wed, 26 July 2006 16:35 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G5mLt-0006fg-QD; Wed, 26 Jul 2006 12:35:17 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G5mLs-0006fW-MD for tls@ietf.org; Wed, 26 Jul 2006 12:35:16 -0400
Received: from smtpde03.sap-ag.de ([155.56.68.140]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G5mLr-0000Cc-97 for tls@ietf.org; Wed, 26 Jul 2006 12:35:16 -0400
Received: from sap-ag.de (smtpde03) by smtpde03.sap-ag.de (out) with ESMTP id SAA14696; Wed, 26 Jul 2006 18:35:08 +0200 (MESZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200607261635.SAA18707@uw1048.wdf.sap.corp>
Subject: Re: [TLS] Suite B compliance of TLS 1.2
To: uri.blumenthal@intel.com (Blumenthal, Uri)
Date: Wed, 26 Jul 2006 18:35:08 +0200 (MET DST)
In-Reply-To: <279DDDAFA85EC74C9300A0598E7040565DBF61@hdsmsx412.amr.corp.intel.com> from "Blumenthal, Uri" at Jul 26, 6 10:53:53 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Blumenthal, Uri wrote:
> 
> >> Hashing the handshakes messages with both, old and new hash
> >> algorithms and deciding later in the handshake which results
> >> go into creation/verification of the finished message when
> >> it has been determined/negotiated which algorithms to use
> >> should be doable, and just moderately more expensive.
> 
> I think the preferred direction is to hash with the new negotiated hash.
> What would be the purpose of hashing with the old one?

Aren't the client hello and server hello included in the hash?
So the client doesn't know which one has been negotiated until
after interpreting the ServerHello message (unless the client
is determined from the beginning to not interoperate with older servers).

> 
> >> I'm slightly worried about the potential "market pressure"
> >> which this might cause.  I certainly don't mind adoption/offering
> >> of strong cryptographic protocols/technologies, but right
> >> now I do NOT consider TLS fundamentally broken or weak,
> >> and I would prefer if people focus on the acutal weaknesses
> >> within the technology, rather than replacing the
> >> (currently) strongest link in a weak chain with a much
> >> stronger one.
> >
> >I'm sensitive to what you're saying and I have the same doubts.
> >On the other hand, I also worry about the attacks on MD5 and SHA-1
> >getting much worse and then having to explain why we didn't
> >do anything about it
> 
> Exactly. 
> 
> But I'm confused wrt. what Martin calls "strongest link". Clearly it's
> not RSA or SHA-1 (and hopefully not MD5 :-)?

Except for the weakness in the random number generator of the
Netscape Navigator browser over 10 years back I haven't heard about
attacks against SSL sessions (ignoring the export ciphersuites here).

However there have been and still are attacks against users that
were under the impression that their browser would protect them
through the use of SSL.

Most weaknesses were implementation flaws (XSS, use of frames
giving false impressions, incorrect certificate path validation),
but there were also design issues involved (the magic how an
awfully large number of questionable trust anchors are
created/initialized, CAs inappropriately issuing certificates,
IDNs and how they interact with HTTPS endpoint identification) 


I do agree that MD5 should no longer be used for integrity
protection because of the known weaknesses.  But when used
together with SHA-1 in the SSL/TLS handshake fashion, it is
NOT utterly useless.

-Martin

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls