Re: [TLS] TLS1.2 vs TLS1.0

Geoffrey Keating <geoffk@geoffk.org> Wed, 22 May 2013 00:38 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2A0211E80AD for <tls@ietfa.amsl.com>; Tue, 21 May 2013 17:38:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NK4sZLAdiXbf for <tls@ietfa.amsl.com>; Tue, 21 May 2013 17:38:23 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.118.138]) by ietfa.amsl.com (Postfix) with ESMTP id CA30421F9371 for <tls@ietf.org>; Tue, 21 May 2013 17:38:23 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id AC97C33D095; Wed, 22 May 2013 00:38:19 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Ulrich Herberg <ulrich@herberg.name>
References: <CAK=bVC8EZCCpG4+kzYUk+i5a_=Nh4AEGkuFJEC45cBSLLdnoTg@mail.gmail.com> <20130521102647.402e695e@melee> <CAK=bVC-koFU6cHzZDK_gcHVhfM3oCKT-UD4u68Phv12Lazx5eA@mail.gmail.com> <CAK=bVC8+e8hc9J0ne67Um49mSakRBeYsL=syp8sRoxRDd1yqNg@mail.gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Tue, 21 May 2013 17:38:19 -0700
In-Reply-To: <CAK=bVC8+e8hc9J0ne67Um49mSakRBeYsL=syp8sRoxRDd1yqNg@mail.gmail.com>
Message-ID: <m2wqqrrgqs.fsf@localhost.localdomain>
Lines: 37
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: tls@ietf.org
Subject: Re: [TLS] TLS1.2 vs TLS1.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 May 2013 00:38:29 -0000

Ulrich Herberg <ulrich@herberg.name> writes:

> Is there any recommendation in which cases the use of CBC ciphersuites
> would actually cause any (practical) risk so that we can evaluate
> whether we should use alternatives to CBC like AEAD?

I believe you'd need to very carefully evaluate the entire system you
would plan to use the CBC ciphersuites in, for applicability of known
attacks such as:

- The issue fixed in TLS 1.1, use of a predictable IV
- The timing issue(s) discussed in the "Lucky Thirteen" paper
- Information disclosure due to use of compression

Each of these may or may not apply to a particular system or
implementation.  For example, timing issues can be a big problem if
you have small embedded devices---or no problem at all because
communication always happens at particular scheduled times and the
messages are prepared earlier.

> Is current support for AEAD cipher suites in common TLS1.2
> implementations as good as for CBC cipher suites?

No, alas.  But it's pretty good and getting better.

> Is there any drawback for using AEAD ciphers?

Not that I know of.

> Is there any sort of best practice or similar document where
> a user designing an application can make a choice which TLS version /
> cipher suites to use?

I think any situation that forces you to use earlier versions of TLS
or cipher suites that aren't AEAD is pushing you out of "best
practice" and into the jungle of "whatever needs to happen to make this
work".
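
The first bullet above, the predictable IV, is the one that is easiest to show end to end. The example below is added here as an illustration and is not code from the original message or from any TLS implementation. It models one direction of a CBC-mode TLS connection twice: once with TLS 1.0-style chaining, where the IV of each record is the last ciphertext block of the previous one and is therefore visible on the wire before the next plaintext is chosen, and once with a TLS 1.1-style explicit random IV per record (RFC 4346). The block cipher is a constructed 4-round Feistel network keyed with SHA-256, a stand-in for AES that is invertible but not secure; the victim request, the session value and the candidate list are constructed. The attacker's trick is the block-guessing oracle behind BEAST: XOR a guess with the known previous ciphertext block and the predicted IV, have the victim encrypt that as the next record, and compare. A real BEAST run additionally shifts block boundaries so that only one unknown byte per block has to be guessed; that part is left out.

```python
"""Toy model of the TLS 1.0 chained-CBC-IV block-guessing oracle (BEAST),
and why a TLS 1.1-style explicit IV defeats it.  Constructed example:
the cipher is a 4-round SHA-256 Feistel network, NOT AES and NOT secure."""
import hashlib
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: keyed SHA-256 truncated to one 8-byte half block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class CbcSender:
    """One direction of a CBC connection.
    chained_iv=True  models TLS 1.0: IV = last ciphertext block of the
                     previous record (predictable from the wire).
    chained_iv=False models TLS 1.1+: fresh random IV sent per record."""

    def __init__(self, key: bytes, chained_iv: bool):
        self.key = key
        self.chained_iv = chained_iv
        self.next_iv = os.urandom(BLOCK)  # TLS 1.0: first IV from key block

    def send_record(self, plaintext: bytes) -> bytes:
        if self.chained_iv:
            ct = cbc_encrypt(self.key, self.next_iv, plaintext)
            self.next_iv = ct[-BLOCK:]  # anyone on the wire sees this
            return ct
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)


def block_guess_oracle(sender, wire, target_record, index, candidate):
    """Is plaintext block `index` (>= 1) of `target_record` == candidate?
    Uses only the wire view plus the ability to make the sender encrypt
    one chosen record next (the BEAST setting)."""
    body = target_record if sender.chained_iv else target_record[BLOCK:]
    c_prev = body[(index - 1) * BLOCK:index * BLOCK]
    c_target = body[index * BLOCK:(index + 1) * BLOCK]
    # Attacker's prediction of the next IV: under chaining it is exactly
    # the last ciphertext block seen on the wire.
    predicted_iv = wire[-1][-BLOCK:]
    chosen = _xor(_xor(candidate, c_prev), predicted_iv)
    reply = sender.send_record(chosen)
    wire.append(reply)
    first = reply[:BLOCK] if sender.chained_iv else reply[BLOCK:2 * BLOCK]
    # If the IV really was predicted, first == E(candidate ^ c_prev), which
    # equals c_target exactly when candidate is the real plaintext block.
    return first == c_target


# Constructed victim traffic: three exact blocks, block 2 is the secret.
SECRET_REQUEST = b"GET / HTTP/1.1\r\nCookie: SESSION=7f3a9c1e0b2d4e6f"
SESSION_BLOCK = SECRET_REQUEST[2 * BLOCK:3 * BLOCK]
# Constructed candidate list (real BEAST narrows to one byte per block).
CANDIDATES = [b"0000000000000000", b"deadbeefdeadbeef",
              b"7f3a9c1e0b2d4e6f", b"ffffffffffffffff"]


def run_attack(chained_iv: bool, candidates=CANDIDATES):
    """Return the recovered session block, or None if the oracle never fires."""
    sender = CbcSender(os.urandom(16), chained_iv)
    wire = [sender.send_record(SECRET_REQUEST)]  # victim sends the secret
    for cand in candidates:
        if block_guess_oracle(sender, wire, wire[0], 2, cand):
            return cand
    return None


if __name__ == "__main__":
    print("TLS 1.0-style chained IV :", run_attack(True))   # the session block
    print("TLS 1.1-style explicit IV:", run_attack(False))  # None
```

With chaining, every candidate is tested against a ciphertext block the attacker can fully predict, so the oracle fires on the right guess; with an explicit random IV the chosen record is encrypted under an IV the attacker could not know in advance and the comparison fails (except with negligible probability), which is exactly the repair TLS 1.1 made.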