IETF Logo Mail Archive

Re: [TLS] TLSv1.2 with DSA client cert and key size >1024 bits

Martin Rex <mrex@sap.com> Tue, 15 February 2011 16:18 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 959693A6B3B for <tls@core3.amsl.com>; Tue, 15 Feb 2011 08:18:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.209
X-Spam-Level:
X-Spam-Status: No, score=-10.209 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ECyTJ9ls3ji7 for <tls@core3.amsl.com>; Tue, 15 Feb 2011 08:18:34 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 816AE3A6A9E for <tls@ietf.org>; Tue, 15 Feb 2011 08:18:34 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p1FGIx4C026944 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 15 Feb 2011 17:18:59 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201102151618.p1FGIwQ8023299@fs4113.wdf.sap.corp>
To: lists@drh-consultancy.demon.co.uk
Date: Tue, 15 Feb 2011 17:18:58 +0100
In-Reply-To: <4D5A8B6B.2010104@drh-consultancy.demon.co.uk> from "Dr Stephen Henson" at Feb 15, 11 02:19:23 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLSv1.2 with DSA client cert and key size >1024 bits
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2011 16:18:35 -0000

Dr Stephen Henson wrote:
> 
>  [...] a similar comment about SHA-1 though not an outright prohibition:
> 
> "A hash function that provides a lower security strength than the
> security strength associated with the bit length of the modulus
> ordinarily should not be used, since this would reduce the security
> strength of the digital signature process to a level no greater
> than that provided by the hash function."

It's true that the wording in FIPS 186-3 section 4.2 (page 16 2nd paragraph)
uses "should not" (while the same description for ECDSA uses "shall not").

However, this looks to me like a transitional exception that might have ended
on 31.12.2010.  In the same section, last paragraph on page 15, it reads:

  Both the security strength of the hash function used and the
  security strength of the (L, N) pair shall meet or exceed the
  security strength required for the digital signature process.


> 
> Using SHA-2 algorithms isn't possible in TLS 1.1 and earlier with RSA
> as they hard code the SHA1+MD5 signature.

I agree.  The hash algorithm(s) in the digital signature of the
KeyExchange and CertificateVerify handshake messages prior
to TLSv1.2 is implied and fixed.

Support for longer DSA keys with hashes from the SHA-2 family will
require code changes to the installed base, where some may wonder
why not implementing TLSv1.2.  One of the problem appears to be
the default reluctance to offer/use TLSv1.2 even by those implementations
that already contain the code and the resulting TLS handshake failures
with non-marginal parts of the installed base of servers for clients
proposing TLSv1.2 through ClientHello.client_version.

-Martin

v2.23.0 | Report a Bug | By Email