IETF Logo Mail Archive

Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

Martin Rex <mrex@sap.com> Wed, 09 March 2011 14:05 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BC66C3A69DC for <tls@core3.amsl.com>; Wed, 9 Mar 2011 06:05:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.221
X-Spam-Level:
X-Spam-Status: No, score=-10.221 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9bpsZ5c3-PlQ for <tls@core3.amsl.com>; Wed, 9 Mar 2011 06:05:07 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 4E3A63A69E4 for <tls@ietf.org>; Wed, 9 Mar 2011 06:05:07 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p29E6BEa017326 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 9 Mar 2011 15:06:11 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201103091406.p29E6ABc011887@fs4113.wdf.sap.corp>
To: ynir@checkpoint.com
Date: Wed, 09 Mar 2011 15:06:10 +0100
In-Reply-To: <197ECCE1-F179-4CF2-BBCE-8FE686A33497@checkpoint.com> from "Yoav Nir" at Mar 9, 11 03:27:31 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 14:05:09 -0000

Yoav Nir wrote:
> 
> On Mar 9, 2011, at 2:06 PM, Martin Rex wrote:
> 
> > 
> > What I'm reading here is that a truncation of an HMAC or an HMAC-like
> > construct to 96 bits cuts the effective security down to 96-bit.
> > 
> > You call the use of SHA-384 for the HMAC in such a situation "overkill",
> > I call it cryptographic imbalance.
> 
> I've heard the balance argument before, and I don't really find it
> compelling. It implies that if I'm using 1024-bit RSA, then it is
> inherently wrong to use AES-128 or SHA-384. There are other
> considerations in design besides bit-strength. Bit strength should
> be used as a minimum value, depending on the estimated resources
> of your opponent.

There is a big difference whether a limitation is hardwired into a
protocol, or whether a limitation is a side-effect of configuration
and properties selected by the consumer of the technology.

For most TLS implementations that I'm aware of, the cipher suites
are user-configurable and the size of the keys in the server
certificates and the hash that is used in the signature of
the certificates are determined by the consumer.


The truncation of the finished message hashes to 96-bits is an undue
hard limit in TLSv1.2, and it becomes more aggravating if you're
using a hash with an even larger output size than SHA-256 and the
truncation of the finished messages is not changed to be no less
than half the output size of the hash algorithm.


I also prefer AES over 3DES-EDE cipher suites for our TLS implementation,
which is why I made them prefered by default (the server has the privilege
to chose the common cipher suite, though).

TLS implementations of SSLv3, TLSv1.0 and TLSv1.1 that prefer AES256
over AES128 by default are imbalanced, because they're wasting
resources.  


TLSv1.2 was supposed to provide a framework that can deliver TLS
with a strength >128=bits of security.  But it failed to deliver
this by (1) not adjusting the truncation of the finished messages
and (2) not documenting that the truncation of the finished messages
MUST be done along with the use of stronger ciphers, stronger hashes
and larger key lengths in order to actually obtain a balanced
security of the desired higher strength.


If anyone is wondering: No, I'm definitely _not_ looking for a
backwards incompatible change of TLSv1.2.  I didn't want to break
interop with the installed base of SSLv3 when we did TLS extension RI,
and neither do I want to break interop with the installed base of
rfc-5246 now.

Even when facing real non-compliance, like the botched client_version check
on the premaster secret in Windows 7 schannel, I'm more interested
in producing recommendations that avoid interop problems, because
in the IETF interoperability used to be more important than
academic purity in design.


-Martin

v2.23.0 | Report a Bug | By Email