Re: [TLS] Ala Carte Cipher suites - was: DSA should die

Brian Sniffen <bsniffen@akamai.com> Tue, 07 April 2015 23:25 UTC

Return-Path: <bsniffen@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEEC81A913E for <tls@ietfa.amsl.com>; Tue, 7 Apr 2015 16:25:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JBl4IgF-Pfye for <tls@ietfa.amsl.com>; Tue, 7 Apr 2015 16:25:36 -0700 (PDT)
Received: from prod-mail-xrelay02.akamai.com (prod-mail-xrelay02.akamai.com [72.246.2.14]) by ietfa.amsl.com (Postfix) with ESMTP id 005D41A9140 for <tls@ietf.org>; Tue, 7 Apr 2015 16:25:35 -0700 (PDT)
Received: from prod-mail-xrelay02.akamai.com (localhost [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 3323328539; Tue, 7 Apr 2015 23:25:35 +0000 (GMT)
Received: from prod-mail-relay06.akamai.com (prod-mail-relay06.akamai.com [172.17.120.126]) by prod-mail-xrelay02.akamai.com (Postfix) with ESMTP id 1E6742852B; Tue, 7 Apr 2015 23:25:35 +0000 (GMT)
Received: from tereva.kendall.corp.akamai.com (sfo-wp8n3.kendall.corp.akamai.com [172.19.34.11]) by prod-mail-relay06.akamai.com (Postfix) with ESMTP id ECF182026; Tue, 7 Apr 2015 23:25:34 +0000 (GMT)
From: Brian Sniffen <bsniffen@akamai.com>
To: Tony Arcieri <bascule@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
In-Reply-To: <CAHOTMV+j2VECFme_iizE_9UnPfebSGETnfx0Cwv7BZQ-Oc902w@mail.gmail.com>
References: <20150401201221.163745c2@pc1.fritz.box> <CAK9dnSyKf7AY11h1i1h+SudRc-NmTZE5wC682YKhNsxnfV5ShQ@mail.gmail.com> <CAK3OfOgPbADQ1CvOs=8T7ee6f_T+bi3F6GCdBtxufQpznzYbQA@mail.gmail.com> <201504021257.09955.davemgarrett@gmail.com> <CAOgPGoDJTcLn4j90wNu=mhCZJnb2WUuAvM5TN6KOO7RdC==qHQ@mail.gmail.com> <551DE914.4010804@nthpermutation.com> <CAFewVt6jKaQh9Z-ySQJr_9PWsBvn41RNk6PNXMdouLwywn8-wA@mail.gmail.com> <54c69c7ac7074ba8a2e71734843bf106@ustx2ex-dag1mb2.msg.corp.akamai.com> <CAHOTMV+j2VECFme_iizE_9UnPfebSGETnfx0Cwv7BZQ-Oc902w@mail.gmail.com>
User-Agent: Notmuch/0.19 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-apple-darwin14.0.0)
Date: Tue, 07 Apr 2015 19:25:34 -0400
Message-ID: <m2oamzwmfl.fsf@tereva.kendall.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/IwawvRIlONyOrN1ksVXLNVm9sGo>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Ala Carte Cipher suites - was: DSA should die
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2015 23:25:38 -0000

> As myself and many others have described, we're essentially being
> asked to compute the combinatorial explosion of different ciphersuite
> configurations by hand.  Guess what happens when you do that? People
> make mistakes.

Lots of them, and terrible mistakes.  For example, the OpenSSL
configuration language encourages selections like:

HIGH
TLSv1:SSLv3:-EDH:-ADH:-NULL:@STRENGTH
TLSv1:SSLv3:HIGH:-SSLv2:-MEDIUM:-LOW

all of which admit terrible choices.  I think this is because those look
like short, easily comprehensible commands---but aren't.

> Seems like a huge win to me. So what's the problem from an implementer
> perspective besides "it'd be hard"?

But that's not the wire format.  That's the best attempt of implementors
to provide a better configuration format than just listing everything
you want.  After a lot of trying for better, I am persuaded that the
right answer is to explicitly list exactly what you want, or to
reference first-order named sets of what you want---that set algebra on
cipher selections is more dangerous.  The best advice we can give now
could be expressed to OpenSSL as 'EECDH+AESGCM', but it's not much more
work to say
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256,
and at least that looks like something you should read carefully and
make sure you didn't swap a : and a -.

-Brian

-- 
Brian Sniffen