Re: [TLS] Suite B compliance of TLS 1.2
Martin Rex <martin.rex@sap.com> Wed, 26 July 2006 16:35 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G5mLt-0006fg-QD; Wed, 26 Jul 2006 12:35:17 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G5mLs-0006fW-MD for tls@ietf.org; Wed, 26 Jul 2006 12:35:16 -0400
Received: from smtpde03.sap-ag.de ([155.56.68.140]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G5mLr-0000Cc-97 for tls@ietf.org; Wed, 26 Jul 2006 12:35:16 -0400
Received: from sap-ag.de (smtpde03) by smtpde03.sap-ag.de (out) with ESMTP id SAA14696; Wed, 26 Jul 2006 18:35:08 +0200 (MESZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200607261635.SAA18707@uw1048.wdf.sap.corp>
Subject: Re: [TLS] Suite B compliance of TLS 1.2
To: uri.blumenthal@intel.com
Date: Wed, 26 Jul 2006 18:35:08 +0200
In-Reply-To: <279DDDAFA85EC74C9300A0598E7040565DBF61@hdsmsx412.amr.corp.intel.com> from "Blumenthal, Uri" at Jul 26, 6 10:53:53 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Blumenthal, Uri wrote: > > >> Hashing the handshakes messages with both, old and new hash > >> algorithms and deciding later in the handshake which results > >> go into creation/verification of the finished message when > >> it has been determined/negotiated which algorithms to use > >> should be doable, and just moderately more expensive. > > I think the preferred direction is to hash with the new negotiated hash. > What would be the purpose of hashing with the old one? Aren't the client hello and server hello included in the hash? So the client doesn't know which one has been negotiated until after interpreting the ServerHello message (unless the client is determined from the beginning to not interoperate with older servers). > > >> I'm slightly worried about the potential "market pressure" > >> which this might cause. I certainly don't mind adoption/offering > >> of strong cryptographic protocols/technologies, but right > >> now I do NOT consider TLS fundamentally broken or weak, > >> and I would prefer if people focus on the acutal weaknesses > >> within the technology, rather than replacing the > >> (currently) strongest link in a weak chain with a much > >> stronger one. > > > >I'm sensitive to what you're saying and I have the same doubts. > >On the other hand, I also worry about the attacks on MD5 and SHA-1 > >getting much worse and then having to explain why we didn't > >do anything about it > > Exactly. > > But I'm confused wrt. what Martin calls "strongest link". Clearly it's > not RSA or SHA-1 (and hopefully not MD5 :-)? Except for the weakness in the random number generator of the Netscape Navigator browser over 10 years back I haven't heard about attacks against SSL sessions (ignoring the export ciphersuites here). However there have been and still are attacks against users that were under the impression that their browser would protect them through the use of SSL. Most weaknesses were implementation flaws (XSS, use of frames giving false impressions, incorrect certificate path validation), but there were also design issues involved (the magic how an awfully large number of questionable trust anchors are created/initialized, CAs inappropriately issuing certificates, IDNs and how they interact with HTTPS endpoint identification) I do agree that MD5 should no longer be used for integrity protection because of the known weaknesses. But when used together with SHA-1 in the SSL/TLS handshake fashion, it is NOT utterly useless. -Martin _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Suite B compliance of TLS 1.2 Wan-Teh Chang
- Re: [TLS] Suite B compliance of TLS 1.2 Eric Rescorla
- Re: [TLS] Suite B compliance of TLS 1.2 Martin Rex
- Re: [TLS] Suite B compliance of TLS 1.2 Eric Rescorla
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- Re: [TLS] Suite B compliance of TLS 1.2 Martin Rex
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- Re: [TLS] Suite B compliance of TLS 1.2 Wan-Teh Chang
- Re: [TLS] Suite B compliance of TLS 1.2 Eric Rescorla
- Re: [TLS] Suite B compliance of TLS 1.2 Brian Minard
- Re: [TLS] Suite B compliance of TLS 1.2 Brian Minard
- Re: [TLS] Suite B compliance of TLS 1.2 David Hopwood
- Re: [TLS] Suite B compliance of TLS 1.2 Martin Rex
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- Re: [TLS] Suite B compliance of TLS 1.2 Eric Rescorla
- RE: [TLS] Suite B compliance of TLS 1.2 Blumenthal, Uri
- Re: [TLS] Suite B compliance of TLS 1.2 Wan-Teh Chang
- Re: [TLS] Suite B compliance of TLS 1.2 Vipul Gupta