IETF Logo Mail Archive

Re: [TLS] Consistency for Signature Algorithms?

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 21 July 2017 15:01 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B257A131892 for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 08:01:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ARoONzK5ktY for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 08:00:58 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 75C43131771 for <tls@ietf.org>; Fri, 21 Jul 2017 08:00:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id C7F6066637 for <tls@ietf.org>; Fri, 21 Jul 2017 18:00:56 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id W4w9J7KnKNzd for <tls@ietf.org>; Fri, 21 Jul 2017 18:00:56 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 6AE332318 for <tls@ietf.org>; Fri, 21 Jul 2017 18:00:55 +0300 (EEST)
Date: Fri, 21 Jul 2017 18:00:55 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <20170721150055.7gn2twhlz7ocu7tn@LK-Perkele-VII>
References: <3586282.tDsyLpRkWM@pintsize.usersys.redhat.com> <20a46494-8fd2-2cbf-556d-070b48056d4d@drh-consultancy.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20a46494-8fd2-2cbf-556d-070b48056d4d@drh-consultancy.co.uk>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NscRhKl0MFTDMp-7yuypfowq0ug>
Subject: Re: [TLS] Consistency for Signature Algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2017 15:01:01 -0000

On Fri, Jul 21, 2017 at 02:41:50PM +0100, Dr Stephen Henson wrote:
> On 21/07/2017 14:23, Hubert Kario wrote:
> > Signature Algorithms for ECDSA now define both the curve and the hash 
> > algorithm:
> > 
> > ecdsa_secp256r1_sha256(0x0403), ecdsa_secp384r1_sha384(0x0503), 
> > ecdsa_secp521r1_sha512(0x0603),
> > 
> > This is in contrast to the TLS 1.2 protocol, where any hash can be used
> > with any curve.
> > 
> > There are good reasons for that change: - less combinations to test -
> > establishes the low water mart for security
> > 
> > I see few problems with that though: 1). there are not insignificant number
> > of clients that advertise support for all (at least P-256 and P-384)
> > curves, but don't advertise support for hashes stronger than SHA-256 with
> > ECDSA[1] 2). This is inconsistent with RSA-PSS behaviour, where key size is
> > completely detached from the used hash algorithm. 3). This is not how ECDSA
> > signatures in X.509 work, so it doesn't actually limit the signatures on
> > certificates (in other words, as an implementer you need to support all
> > hashes with all curves either way)
> > 
> 
> There is another and significant problem with the change. In TLS 1.2 support
> for a curve was indicated in the supported curves extension and it implied
> support for ECDH and ECDSA. This has changed in TLS 1.3: curves in the
> supported groups extension are for ECDH only. Support for a curve for ECDSA is
> indicated in the signature algorithms extension.

I suppose some new dual-version TLS 1.2/1.3 libraries might have the
same issue as mine: supported groups is just plain ignored for ECDSA,
and siganture algorithms have the TLS 1.3 meanings, even in TLS 1.2.

> I agree though that there is an anomaly here. For example AFAICS in
> certificates for TLS1.3 you're allowed (with some caveats) to use a
> P-256+SHA-1 signature (which has security concerns) but P-256 + SHA512 is not
> allowed at all. Is that likely to be a problem in practice? Are there many
> such certificates about in the wild?

Actually, P-256+SHA512 is allowed with a caveat, even if the
certificate is not self-signed. And with the same caveat, server can
send a certificate signed with P-256+SHA3-512, despite TLS
codepoint for it having never existed (not many clients can validate it
through).




-Ilari

v2.23.0 | Report a Bug | By Email