[TLS] Consistency for Signature Algorithms?
Hubert Kario <hkario@redhat.com> Fri, 21 July 2017 13:23 UTC
Signature Algorithms for ECDSA now define both the curve and the hash
algorithm:

    ecdsa_secp256r1_sha256(0x0403),
    ecdsa_secp384r1_sha384(0x0503),
    ecdsa_secp521r1_sha512(0x0603),

This is in contrast to the TLS 1.2 protocol, where any hash can be used with
any curve.

There are good reasons for that change:
 - fewer combinations to test
 - establishes the low water mark for security

I see few problems with that though:
 1). there is a not insignificant number of clients that advertise support
     for all (at least P-256 and P-384) curves, but don't advertise support
     for hashes stronger than SHA-256 with ECDSA[1]
 2). This is inconsistent with RSA-PSS behaviour, where key size is
     completely detached from the used hash algorithm.
 3). This is not how ECDSA signatures in X.509 work, so it doesn't actually
     limit the signatures on certificates (in other words, as an implementer
     you need to support all hashes with all curves either way)

With the implementer's hat on, I'd prefer to drop the curves from signature
algorithm names/specifications and return to TLS 1.2 behaviour.

With my security hat on, I'd say that we should set the minimal key sizes for
RSA-PSS signatures too, as we did with ECDSA.

Any other ideas?

 1 - Nick Sullivan from Cloudflare provided me with some stats from random
 50000 client hellos from early 2017:

 Sigalgs:
   ECDSA + SHA-256 = 39104 (78.2%)
   ECDSA + (SHA-256 + SHA-384 + SHA-512) = 28678 (57.4%)
   ECDSA + (SHA-256 + SHA-384 + !SHA-512) = 8934 (17.9%)
   ECDSA + (SHA-256 + !SHA-384 + !SHA-512) = 1492 (2.98%)

 Note: many of the 1492 seem to be on iOS and only support:
   [RSA-SHA-384, RSA-SHA-256, RSA-SHA1, ECDSA-SHA256, ECDSA-SHA1]

 Curves:
   none = 757 (1.51%)
   P-256 = 49243 (98.5%)
   P-384 = 49233 (98.5%)
   P-256 + P-384 = 49233 (98.5%)
   P-256 + !P-384 = 10 (0.02%)
   !P-256 + P-384 = 0 (0%)

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
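The mismatch described in point 1 of the message above, as an added example that is not part of the original post: the same signature_algorithms bytes are read once as TLS 1.2 hash/signature pairs combined with the advertised curves, and once as TLS 1.3 code points that fix curve and hash together. The function names and the sample ClientHello values are assumptions constructed for illustration; the sample list mirrors the iOS-style list quoted in the footnote.

```python
import struct

# TLS 1.2 reading of a code point: high byte = hash, low byte = signature.
HASHES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ECDSA = 3
# supported_groups code points for the NIST curves.
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}
# TLS 1.3 reading: one code point names both curve and hash (values from the post).
TLS13_ECDSA = {
    0x0403: ("secp256r1", "sha256"),
    0x0503: ("secp384r1", "sha384"),
    0x0603: ("secp521r1", "sha512"),
}

def parse_u16_list(body):
    """Parse an extension body: 2-byte length, then 2-byte code points."""
    if len(body) < 2:
        raise ValueError("truncated extension body")
    (n,) = struct.unpack("!H", body[:2])
    if n != len(body) - 2 or n % 2:
        raise ValueError("length field does not match body")
    return list(struct.unpack(f"!{n // 2}H", body[2:]))

def compare_readings(sigalgs, groups):
    """Return (tls12_pairs, tls13_pairs, stranded_curves) for one client."""
    codes = parse_u16_list(sigalgs)
    curves = {GROUPS[g] for g in parse_u16_list(groups) if g in GROUPS}
    hashes = {HASHES[c >> 8] for c in codes
              if (c & 0xFF) == SIG_ECDSA and (c >> 8) in HASHES}
    # TLS 1.2: any advertised ECDSA hash may be used with any advertised curve.
    tls12 = {(cv, h) for cv in curves for h in hashes}
    # TLS 1.3: only the exact curve/hash pairs that were advertised.
    tls13 = {TLS13_ECDSA[c] for c in codes if c in TLS13_ECDSA}
    # Curves the client lists but that no TLS 1.3 ECDSA scheme covers.
    stranded = curves - {cv for cv, _ in tls13}
    return tls12, tls13, stranded

def encode(codes):
    """Build an extension body from code points (used for the sample only)."""
    return struct.pack(f"!H{len(codes)}H", 2 * len(codes), *codes)

# Constructed sample: RSA-SHA384, RSA-SHA256, RSA-SHA1, ECDSA-SHA256, ECDSA-SHA1
SAMPLE_SIGALGS = encode([0x0501, 0x0401, 0x0201, 0x0403, 0x0203])
SAMPLE_GROUPS = encode([23, 24])  # constructed: P-256 and P-384

if __name__ == "__main__":
    tls12, tls13, stranded = compare_readings(SAMPLE_SIGALGS, SAMPLE_GROUPS)
    print("TLS 1.2 pairs:", sorted(tls12))
    print("TLS 1.3 pairs:", sorted(tls13))
    print("curves with no TLS 1.3 ECDSA scheme:", sorted(stranded))
```
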