[TLS] Simplifying signature algorithm negotiation
David Benjamin <davidben@chromium.org> Fri, 15 January 2016 20:45 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 641C91B3224 for <tls@ietfa.amsl.com>; Fri, 15 Jan 2016 12:45:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vlejhplHNVRq for <tls@ietfa.amsl.com>; Fri, 15 Jan 2016 12:45:45 -0800 (PST)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 843C91A8A4A for <tls@ietf.org>; Fri, 15 Jan 2016 12:45:45 -0800 (PST)
Received: by mail-io0-x22f.google.com with SMTP id 1so451664669ion.1 for <tls@ietf.org>; Fri, 15 Jan 2016 12:45:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to:content-type; bh=zeI0FsuWW4qAyCklAnh2Y8q2Lx+bCv0wdMFv9O8zGKk=; b=a2Xra4/WKVm/UvCzX6JPwWPuRcjv4iIxgjJvgegZHwTpQHwPbTaTvDPE5LKUzwt3WM ND7+orX/Ng+0gXPo+gQ1Npgm166ZTB4i4uWUgMhYvjagSNoUMb9mwcadqa5oj99Q8tMw Jrc4pV77ki0kYBKvtjdl+tbmvjde6I3RWg9vU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=zeI0FsuWW4qAyCklAnh2Y8q2Lx+bCv0wdMFv9O8zGKk=; b=nCq0pA4A+bj4+0H5C7NXr177yIQHGbQORwR5sYPtQ+pKZzpZq9cZXn5VKQUCl1Aje1 M3NQF0hxobaq4pi1Ep5QbbQEjNkFjyRSYhXcKEQDSARfykRF+1VocmDfC903cYtw7QLM pONYmJN12S+9zYBblj4CNqav0qvhuiqzqtYEvb06wvRBLY1001WPQUJd095kuIQ4nJlr pMJYHqn7/eUNX3KUioL+eW82bulbKAh1BR/18z5Cishtqni6jLYImknEUCHksdf98EPK Cxbv/hOHa5QMXBzkWS9a2pTdKfG/EdVe5OYhBvQDaiBSqU7DduEZTQs0/x+5tIFgWnNa MZmQ==
X-Gm-Message-State: ALoCoQn2RCI5Rvfn7RXGnw7dF3eswR+Y528VGopDUYMYJl2GumAYHOzfInToYC1EJuvc0XwoMCrzNp0aTTvFGUiS6cMBeKMibZXgVjaUa3v5EljF6+iZUkc=
X-Received: by 10.107.10.65 with SMTP id u62mr11981977ioi.120.1452890744756; Fri, 15 Jan 2016 12:45:44 -0800 (PST)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Fri, 15 Jan 2016 20:45:34 +0000
Message-ID: <CAF8qwaCpYqs7ELDcRzXveLLjpL+d-CmBczkxPweh6_RVE1aDeA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113ecd44bd74f10529657c4f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/L62Jq28jU8XxvK1809BNeom1WH8>
Subject: [TLS] Simplifying signature algorithm negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jan 2016 20:45:47 -0000
Hi folks, This is a proposal for revising SignatureAlgorithm/HashAlgorithm. In TLS 1.2, signature algorithms are spread across the handshake. We have SignatureAlgorithm, NamedGroup/Curve (for ECDSA), and HashAlgorithm, all in independent registries. NamedGroup is sent in one list, also used for (EC)DH, while the other two are sent as a pair of (HashAlgorithm, SignatureAlgorithm) tuples but live in separate registries. This is a lot of moving parts. Signature negotiation in TLS 1.2 tends to be messy to implement. Client certificate keys may be in smartcards via OS-specific APIs, so a lot of time is spent transiting new preference shapes across API boundaries in order to discover smartcard bugs. Sometimes I think people deploy client certs because they hate me and want to cause me pain… :-) Anyway, the new CFRG curves also bind signature curve and hash together. The current draft represents this as eddsa_ed25519 and eddsa_ed448 NamedGroups and eddsa SignatureAlgorithm. But this doesn’t capture that EdDSA + Ed25519 + SHA-256 is illegal. (Or ECDSA + FF3072.) I propose we fold the negotiable parameters under one name. Think of how we’ve all settled on AEADs being a good named primitive with a common type signature[1]. Specifically: 1. Drop eddsa_ed25519(31) and eddsa_ed448(32) from NamedGroup. From now on, NamedGroup is only used for (EC)DH. 2. Remove HashAlgorithm, SignatureAlgorithm, SignatureAndHashAlgorithm as they are. Introduce a new SignatureAlgorithm u16 type and negotiate that instead. (Or maybe a different name to not collide.) u8 is a little tight to allocate eddsa_ed25519 and eddsa_ed448 separately, but u16 is plenty. 3. Allocate values for SignatureAlgorithm wire-compatibly with TLS 1.2 by (ab)using the old (HashAlgorithm, SignatureAlgorithm) tuples. 0x0401 becomes rsa_pkcs1_sha256, etc. Reserve ranges consistently with HashAlgorithm from TLS 1.2. Note this does not introduce new premultiplications on the wire. Just in the spec and registry. 4. Deprecate ecdsa_sha256, etc., in favor of new ecdsa_{p256,p384,p521}_{sha256,sha384,sha512} allocations. The old ecdsa_* values are for TLS 1.2 compatibility but ignored in TLS 1.3. Although this introduces new premultiplications, it’s only 9 values with the pruned TLS 1.3 lists. I think this is worth 9 values to keep NamedGroups separate. 5. Add new allocations for eddsa_ed25519, eddsa_ed448, and rsapss_{sha256,sha384,sha512}. These come with the signature algorithm and curve pre-specified. (See [2] at the bottom for full list of allocations.) Thoughts? David [1] We’re stuck with RSA-PSS's generality, so that'll need some mapping to a subset of X.509's RSA-PSS. We'll just not bother with RSA-PSS with hashAlgorithm SHA-256, maskGenAlgorithm MGF-7-v3.0-SHA-334-saltLengthQuotient-5/7, saltLength 87, trailerField 14. And RSA key generation still has size parameter. Hopefully future things can look more like Ed25519. [2] 0x0000-0x06ff - Reserved range for TLS 1.2 compatibility values. Note this is wire-compatible with TLS 1.2. - 0x0101 - rsa_pkcs1_md5 - 0x0201 - rsa_pkcs1_sha1 - 0x0301 - rsa_pkcs1_sha224 - 0x0401 - rsa_pkcs1_sha256 - 0x0501 - rsa_pkcs1_sha334 - 0x0601 - rsa_pkcs1_sha512 - 0x{01-06}02 - dsa_md5, etc. Ignored in TLS 1.3. - 0x{01-06}03 - ecdsa_md5, etc. Advertised for TLS 1.2 compatibility but ignored in TLS 1.3. 0x0700-0xfdff - Allocate new values here. Optionally avoid 0x??0[0-3] to avoid colliding with existing signature algorithms, but I don’t think that’s necessary[3]. - rsapss_sha256 - rsapss_sha384 - rsapss_sha512 - ecdsa_p256_sha256 - ecdsa_p256_sha384 - ecdsa_p256_sha512 - ecdsa_p384_sha256 - ecdsa_p384_sha384 - ecdsa_p384_sha512 - ecdsa_p521_sha256 - ecdsa_p521_sha384 - ecdsa_p521_sha512 - eddsa_ed25519 - eddsa_ed448 0xfe00-0xffff - reserved for private use, compatible with existing HashAlgorithm reservation. [3] If a TLS 1.2 implementation sees 0x0701 and interprets it as {hash(7), RSA}, they should ignore it since hash 7 doesn't exist.
- [TLS] Simplifying signature algorithm negotiation David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… Brian Smith
- Re: [TLS] Simplifying signature algorithm negotia… Dave Garrett
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… Hanno Böck
- Re: [TLS] Simplifying signature algorithm negotia… Eric Rescorla
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… Brian Smith
- Re: [TLS] Simplifying signature algorithm negotia… Ilari Liusvaara
- Re: [TLS] Simplifying signature algorithm negotia… Ilari Liusvaara
- Re: [TLS] Simplifying signature algorithm negotia… Nikos Mavrogiannopoulos
- Re: [TLS] Simplifying signature algorithm negotia… Hubert Kario
- Re: [TLS] Simplifying signature algorithm negotia… Hubert Kario
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… Hubert Kario
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… Ilari Liusvaara
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… Kurt Roeckx
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… Ilari Liusvaara
- Re: [TLS] Simplifying signature algorithm negotia… Eric Rescorla
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… Eric Rescorla
- Re: [TLS] Simplifying signature algorithm negotia… David Benjamin
- Re: [TLS] Simplifying signature algorithm negotia… Eric Rescorla
- Re: [TLS] Simplifying signature algorithm negotia… Ilari Liusvaara
- Re: [TLS] Simplifying signature algorithm negotia… Eric Rescorla
- Re: [TLS] Simplifying signature algorithm negotia… Joseph Salowey
- Re: [TLS] Simplifying signature algorithm negotia… Eric Rescorla