Re: [TLS] TLS1.2 vs TLS1.0
Geoffrey Keating <geoffk@geoffk.org> Wed, 22 May 2013 00:38 UTC
Ulrich Herberg <ulrich@herberg.name> writes:

> Is there any recommendation in which cases the use of CBC ciphersuites
> would actually cause any (practical) risk so that we can evaluate
> whether we should use alternatives to CBC like AEAD?

I believe you'd need to very carefully evaluate the entire system you
would plan to use the CBC ciphersuites for applicability of known
attacks such as:

- The issue fixed in TLS 1.1, use of a predictable IV
- The timing issue(s) discussed in the "Lucky Thirteen" paper
- Information disclosure due to use of compression

Each of these may or may not apply to a particular system or
implementation. For example, timing issues can be a big problem if
you have small embedded devices---or no problem at all because
communication always happens at particular scheduled times and the
messages are prepared earlier.

> Is current support for AEAD cipher suites in common TLS1.2
> implementations as good as for CBC cipher suites?

No, alas. But it's pretty good and getting better.

> Is there any drawback for using AEAD ciphers?

Not that I know of.

> Is there any sort of best practice or similar document where
> a user designing an application can make a choice which TLS version /
> cipher suites to use?

I think any situation that forces you to use earlier versions of TLS
or cipher suites that aren't AEAD is pushing you out of "best
practice" and into the jungle of "whatever needs to happen to make
this work".
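
The three issues listed in the message above, turned into a per-connection check and a client configuration that avoids them; this is an added example, not part of the original e-mail. The function names `review` and `hardened_context`, the OpenSSL cipher string, and the sample sessions are assumptions chosen for illustration; suites are given by their IANA names.

```python
import ssl

# Versions that still chain the CBC IV from the previous record
# (the predictable-IV issue the message says was fixed in TLS 1.1).
PREDICTABLE_IV_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.0"}

def review(version, suite, compression=None):
    """Return which of the message's three issues need evaluating.

    version:     negotiated protocol, e.g. "TLSv1.2"
    suite:       IANA cipher suite name, e.g. "TLS_RSA_WITH_AES_128_CBC_SHA"
    compression: negotiated TLS compression method name, or None
    """
    todo = []
    cbc = "_CBC_" in suite
    if cbc and version in PREDICTABLE_IV_VERSIONS:
        todo.append("predictable IV")
    if cbc:
        # CBC suites are MAC-then-encrypt in TLS 1.0 through 1.2.
        todo.append("Lucky Thirteen timing")
    if compression is not None:
        # The length leak comes from compression, whatever the cipher mode.
        todo.append("compression disclosure")
    return todo

def hardened_context():
    """Client context limited to TLS 1.2+, AEAD suites, no compression."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed cipher string: only GCM and ChaCha20-Poly1305 suites for TLS 1.2.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx

# Constructed sample sessions (not captured traffic).
SAMPLES = [
    ("TLSv1", "TLS_RSA_WITH_AES_128_CBC_SHA", "zlib"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", None),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", None),
]

if __name__ == "__main__":
    for version, suite, comp in SAMPLES:
        print(version, suite, comp, "->", review(version, suite, comp) or "nothing to evaluate")
    non_aead = [c["name"] for c in hardened_context().get_ciphers() if not c["aead"]]
    print("non-AEAD suites left enabled:", non_aead)
```

An empty result from `review` only means none of the three listed issues applies by construction; whether a flagged issue is exploitable still depends on the system and implementation, as the message says.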