IETF Logo Mail Archive

Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client

Martin Rex <mrex@sap.com> Fri, 04 March 2011 23:40 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 196963A6A44 for <tls@core3.amsl.com>; Fri, 4 Mar 2011 15:40:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.436
X-Spam-Level:
X-Spam-Status: No, score=-9.436 tagged_above=-999 required=5 tests=[AWL=-0.787, BAYES_00=-2.599, GB_AFFORDABLE=1, HELO_EQ_DE=0.35, J_CHICKENPOX_47=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wJlExeX8gxls for <tls@core3.amsl.com>; Fri, 4 Mar 2011 15:40:27 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 705A73A69DA for <tls@ietf.org>; Fri, 4 Mar 2011 15:40:27 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p24NfWw9016153 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 5 Mar 2011 00:41:32 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201103042341.p24NfVKj018910@fs4113.wdf.sap.corp>
To: geoffk@geoffk.org
Date: Sat, 05 Mar 2011 00:41:31 +0100
In-Reply-To: <m2r5amh76n.fsf@localhost.localdomain> from "Geoffrey Keating" at Mar 4, 11 02:06:24 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Mar 2011 23:40:29 -0000

Geoffrey Keating wrote:
> 
> Martin Rex <mrex@sap.com> writes:
> 
> > Michael D'Errico wrote:
> > > 
> > > Matt DeMoss wrote:
> > > > I'd encourage consideration of client certificates also. If the client
> > > > has certificate chains for SHA1 and SHA2 or for SHA2 and SHA3, it
> > > > needs a way to choose which chain to send during periods of transition
> > > > where some servers will reject SHA2 and others will reject SHA3.
> > > 
> > > Isn't this already in TLS 1.2?  When the server requests a client
> > > certificate, the CertificateRequest includes a list of acceptable
> > > signature algorithms.  The client can then check each of its
> > > certificate chains to find the best one the server can handle.
> > 
> > It is *MUCH* worse than that.
> > 
> > TLSv1.2 goes as far as _requiring_ that if the signature_algorithm
> > extension is sent, that the receiver MUST ensure that all certificates
> > in the chain are from the signature_algorithm set.
> 
> That's in the server's chain, though, not the client's.  For the
> client, the possible certificate algorithms and types are listed in the
> CertificateRequest, not in an extension, and the list is not optional.


  http://tools.ietf.org/html/rfc5246#section-7.4.4

  7.4.4.  Certificate Request

      struct {
          ClientCertificateType certificate_types<1..2^8-1>;
          SignatureAndHashAlgorithm
            supported_signature_algorithms<2^16-1>;
          DistinguishedName certificate_authorities<0..2^16-1>;
      } CertificateRequest;

   supported_signature_algorithms
      A list of the hash/signature algorithm pairs that the server is
      able to verify, listed in descending order of preference.

   -  Any certificates provided by the client MUST be signed using a
      hash/signature algorithm pair found in
      supported_signature_algorithms.


Adding support for sha256WithRsaEncryption in X.509 certs to the PKI
module of an existing implementation of SSLv3 or TLSv1.0 in your
installed base is an almost trivial software change.  About a magnitude(!)
less work&testing than implementing rfc-5746 (TLS extension RI).

It is so easy that even Microsoft did it for XP & Win2K3 (unfortunately
they only included it in XPsp3 -- for XPsp2 and XP 64-bit/Win2K3 it
is manual work to download and install hotfix KB968730.)


rfc5246 is a failed specification, because it adds several undue limitations
and interop problems to the protocol that did not exist in TLSv1.0 and v1.1,
that are technically inappropriate, completely unnecessary and in
massive conflict with rfc-2119 section 6.


The TLS spec should not mess around with PKI and X.509 issues.
Negotiation of the algorithm used for the "digitally signed" struct
ought to be _completely_ seperate from characteristics of certificates.

A TLS extension to convey hints about digital signature algorithms
ought to be a fairly black box to TLS, containing a list of
ASN.1 AlgIds, and with the semantic of a "hint to the PKI software
for selecting the most appropriate certificates", i.e. "MAY" not "MUST".


Having the prerequisite for a signature algorithm to be used with
TLSv1.2 that first official code points must be assigned by the IETF 
and then all TLS implementation must be updated to know how to
translate a particular AlgId() into a newly defined TLS SignatureAlgorithm
codepoint before a client certificate with a different crypto algorithm
can be used looks like a pretty deep rathole with lots of huge and
nasty rats at the bottom.


Even Microsoft managed to design their TLSv1.0 protocol stack in
Microsoft Windows XP in a fashion that it can be used with completely
different cryptoalgorithms (like entirely from the GOST suite)
with the installation of a CryptoCSP.


Changing TLS in a fashion that makes this _much_ harder to get working
is the wrong direction for the evolution of the TLS protocol.


Personally, I consider several aspects of TLSv1.2 _unimplementable_
(i.e. it would break functionality we use and have shippped).

But I believe it is possible to fix TLSv1.2, and in a fashion that
remains interoperable with implementations of rfc-5246 (i.e. without
breaking them).


I also think there is a necessity for smoothing the transition to
certificates with sha-2 based signatures for the installed base
of pre-TLSv1.2.   A transition that comes about 1/4 of the cost
of RFC-5746 in terms of implementation and testing effort.
Something that is so affordable that even Microsoft could
ship it for WindowsXP.


-Martin

v2.23.0 | Report a Bug | By Email