Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-md5-sha1-deprecate-04.txt> (Deprecating MD5 and SHA-1 signature hashes in TLS 1.2) to Proposed Standard

Benjamin Kaduk <kaduk@mit.edu> Sat, 17 October 2020 23:31 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F09AB3A116A; Sat, 17 Oct 2020 16:31:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQltsL9CDzuj; Sat, 17 Oct 2020 16:31:41 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C2923A1168; Sat, 17 Oct 2020 16:31:40 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 09HNVUtk009824 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 17 Oct 2020 19:31:35 -0400
Date: Sat, 17 Oct 2020 16:31:29 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Martin Rex <mrex@sap.com>
Cc: last-call@ietf.org, rdd@cert.org, draft-ietf-tls-md5-sha1-deprecate@ietf.org, tls-chairs@ietf.org, IETF-Announce <ietf-announce@ietf.org>, tls@ietf.org
Message-ID: <20201017233129.GE39170@kduck.mit.edu>
References: <160270080535.5894.280254092203286109@ietfa.amsl.com> <20201015095605.670E5404C@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20201015095605.670E5404C@ld9781.wdf.sap.corp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HZ3wsGwEE7jO0nockCt_K4rKqT4>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-md5-sha1-deprecate-04.txt> (Deprecating MD5 and SHA-1 signature hashes in TLS 1.2) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Oct 2020 23:31:43 -0000

Hi Martin,

On Thu, Oct 15, 2020 at 11:56:05AM +0200, Martin Rex wrote:
> The IESG <iesg-secretary@ietf.org> wrote:
> > 
> > The IESG has received a request from the Transport Layer Security WG (tls) to
> > consider the following document: - 'Deprecating MD5 and SHA-1 signature
> > hashes in TLS 1.2'
> >
> >   <draft-ietf-tls-md5-sha1-deprecate-04.txt> as Proposed Standard
> > 
> > The IESG plans to make a decision in the next few weeks, and solicits final
> > comments on this action. Please send substantive comments to the
> > last-call@ietf.org mailing lists by 2020-10-28. Exceptionally, comments may
> > be sent to iesg@ietf.org instead. In either case, please retain the beginning
> > of the Subject line to allow automated sorting.
> 
> 
> The new, backwards-incompatible and interop-fatal behaviour proposed in

"Backwards-incompatible" I can see, but "interop-fatal" seems yet to be
proven...

> section 2 of the current draft must be changed to reflect the updated
> rationale from section 6 of the very same document, and to promote
> safe and secure interoperability instead of a needless total interop failure.
> 
> Requesting interop failure where instead safe and secure interop can
> be easily obtained, as the current draft does, would be in serious
> violation of section 6 of RFC 2119 about where an imperative MUST
> is not allowed for the given situation.
> 
> 
> 
> Section 6 of the current draft says:
> 
>    6.  Updates to RFC5246
> 
>    [RFC5246], The Transport Layer Security (TLS) Protocol Version 1.2,
>    suggests that implementations can assume support for MD5 and SHA-1 by
>    their peer.  This update changes the suggestion to assume support for
>    SHA-256 instead, due to MD5 and SHA-1 being deprecated.
> 
>    In Section 7.4.1.4.1: the text should be revised from:
> 
>    OLD:
> 
>    "Note: this is a change from TLS 1.1 where there are no explicit
>    rules, but as a practical matter one can assume that the peer
>    supports MD5 and SHA- 1."
> 
>    NEW:
> 
>    "Note: This is a change from TLS 1.1 where there are no explicit
>    rules, but as a practical matter one can assume that the peer
>    supports SHA-256."
> 
> 
> and therefore the behaviour in section 2 about the "Signature Algorithms"
> extension ought to say:
> 
>    2.  Signature Algorithms
> 
>    Clients MUST NOT include MD5 and SHA-1 in the signature_algorithms
>    extension.  If a client does not send a signature_algorithms
>    extension, then the server MUST use (sha256,rsa) for
>    digitally_signed on the ServerKeyExchange handshake message for
>    TLS cipher suites using RSA authentication, and the server MUST use
>    (sha256,ecdsa) for TLS cipher suites using ECDSA authentication.

... since your propsal here seems to be resulting in TLS servers
prior-to-this-RFC and TLS servers implementing this RFC using a different
interpretation for what the absence of a "signature_algorithms" extension
means.  That itself, seems like a recipe for interoperability failure,
absent some comprehensive case-by-case analysis showing that it is safe.
I, for one, will not support publication of a document including your
proposed change in the absence of such an analysis.

Furthermore, there is perhaps some awkward interaction between the way this
document refers to the contents of the "signature_algorithms" extensions
and the changes to that extension (and the corresponding IANA registry)
made by RFC 8446.  In the current state of the registry, there is not a
separate 'hash algorithm' field, and instead we must deal with combined
SignatureScheme codepoints.  One might argue that this document should
specifically enumerate the 16-bit SignatureScheme codepoints that are
prohibited.

(The SignatureScheme formulation also allows signature types other than RSA
and ECDSA, of course.)

>    The server behaviour ought to be consistent for both, receipt of an
>    extension-less SSLv3+ ClientHello handshake message, and for a
>    backwards-compatible SSL VERSION 2 CLIENT-HELLO (which can not convey
>    any TLS extensions) as described in Appendix-E.2 of rfc5246,
>    and as permitted in bullet 2 in section 3 of RFC6176.

I note that we prohibited SSLv2-compatible ClientHello for TLS 1.3
implementations.  If we are to assume the current formulation of the draft
where absence of the "signature_algorithms" extension continues to imply
inferred support for SHA-1 and MD5, which are now forbidden, then it is a
natural consequence that the SSLv2-compatible ClientHello cannot
successfully negotiate a handshake, and is de facto forbidden.  I am not
entirely sure why you feel there is a need in the ecosystem to continue to
support the SSLv2-compatible ClientHello; do you, perhaps, know of some
implementation that cannot generate an SSLv3/TLS ClientHello but would
otherwise interoperate (using your formulation where no
"signature_algorithms" means inferred SHA-256 support) with a server that
adheres to this draft's strictures?

> 
> 
> As desribed in RFC6151, collision attacks on MD5 were appearing in
> publications already in 2004, 2005, 2006 & 2007, the TLSv1.2 spec
> rfc5246 should have never *NEWLY* added support for (md5,rsa) in
> TLSv1.2 digitally_signed.
> 
> Similarily, since the sunset date for SHA1-signatures had been
> announced by NIST *before* TLSv1.2 (rfc5246) was published,
> TLSv1.2 (rfc5246) should have never *NEWLY* added support for
> (sha1,rsa) in TLSv1.2 digitally_signed, but have used (sha256,rsa)
> from the beginning.  sha256 has been required for the TLSv1.2 PRF
> and for HMAC-SHA256 of several cipher suites anyway, so there
> was no excuse for not using sha256 in TLSv1.2 digitally_signed
> in the first place.

I've lost count of the number of times that you have mentioned this.
Saying it again is not going to change what RFC 5246 says or help us in
coping with the fallout of what RFC 5246 says.

Thanks,

Ben