RE: [TLS] TLS 1.2 hash agility

<Pasi.Eronen@nokia.com> Wed, 26 September 2007 11:38 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IaVDn-0005t0-Ii; Wed, 26 Sep 2007 07:38:27 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IaVDm-0005sv-Hr for tls@ietf.org; Wed, 26 Sep 2007 07:38:26 -0400
Received: from smtp.nokia.com ([131.228.20.173] helo=mgw-ext14.nokia.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IaVDf-0007iF-T5 for tls@ietf.org; Wed, 26 Sep 2007 07:38:26 -0400
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-ext14.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id l8QBc4qK015810; Wed, 26 Sep 2007 14:38:08 +0300
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 26 Sep 2007 14:37:52 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 26 Sep 2007 14:37:52 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] TLS 1.2 hash agility
Date: Wed, 26 Sep 2007 14:37:52 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2404A1EAA3@esebe105.NOE.Nokia.com>
In-Reply-To: <20070917185820.6E7CC33C3A@delta.rtfm.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] TLS 1.2 hash agility
Thread-Index: Acf5XmKHPIvZdq4/RSKPJPwoGBmeHAGzrBUQ
References: <46ABB82D.8090709@pobox.com> <46ACCCCB.8000201@pobox.com><B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com><20070914215611.0342933C21@delta.rtfm.com><46EB102E.2070900@pobox.com><20070914225606.9E9B433C21@delta.rtfm.com><46EC2AE7.9040903@pobox.com> <20070917185820.6E7CC33C3A@delta.rtfm.com>
From: Pasi.Eronen@nokia.com
To: ekr@networkresonance.com
X-OriginalArrivalTime: 26 Sep 2007 11:37:52.0860 (UTC) FILETIME=[AC9061C0:01C80031]
X-Nokia-AV: Clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b6657e60309a1317174c9db2ae5f227
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Eric,

Looks very good!

There's one corner case that probably needs explicit clarification 
in the spec: certificate request containg any of the fixed-DH client
certificate types (rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and
ecdsa_fixed_ecdh).

One option would be to simply replace these with "fixed_dh" and
"fixed_ecdh" -- but that would require updating RFC 4492 as well,
and maybe we don't want to go there.

So perhaps the simplest solution would be just to add another
rule for certificate request processing:

- In case of "*_fixed_dh" client certificate types, the 
  client certificate must be signed by an algorithm specified 
  in certificate_types. This restriction applies only to the
  end-entity certificate, not other certificates possibly
  included in the certificate chain.

Or we could just remove this redundancy, and instead say:

- For historical reasons, the names of some client certificate 
  types include the algorithm used to sign the certificate.
  For example, in earlier versions of TLS, rsa_fixed_dh meant a 
  certificate signed with RSA and containing a static DH key.

  In TLS 1.2, this functionality has been obsoleted by the
  signature_types field, and the certificate type no longer 
  restricts the algorithm used to sign the certificate.
  For example, if the server sends dss_fixed_dh certificate type
  and {dss_sha1, rsa_sha1} signature types, the client is allowed
  to reply with a certificate containing a static DH key, signed
  with RSA-SHA1.

(The latter alternative would bring us more flexibility,
and would enable combinations not currently possible: e.g.
fixed_dh key signed with ecdsa).

Best regards,
Pasi

> -----Original Message-----
> From: ext Eric Rescorla [mailto:ekr@networkresonance.com] 
> Sent: 17 September, 2007 21:58
> To: Mike
> Cc: tls@ietf.org
> Subject: Re: [TLS] TLS 1.2 hash agility
> 
> At Sat, 15 Sep 2007 11:56:39 -0700,
> Mike wrote:
> > I have an idea.  Change the Cert Hash Types extension to 
> the Supported
> > Signature Algorithms extension, and allow the server to respond with
> > its supported algorithms (only if the client sends its 
> list, of course).
> > 
> >      struct {
> >          SignatureAlgorithm supported_algorithms<2..2^16-2>;
> >      } SupportedSignatureAlgorithms;
> >
> > If the client doesn't send the extension, the server would 
> assume the
> > client supports rsa_with_sha1, rsa_with_md5 (?), and dsa_with_sha1
> > (and the appropriate ecdsa algorithms if an ECDSA cipher suite is
> > negotiated).  Since the server can't send its list if the client
> > doesn't, the client must assume that the server only 
> supports the same
> > list of algorithms.
> 
> I don't see how this solves the major problem, which is that you
> are advertising your public key algorithm support in two places.
> 
> - In the case of the ServerKeyExchange, the client signals his
> support in this extension *and* in the cipher suite.
> 
> - In the case of the CertificateVerify, the server signals his
>   support in the CertificateRequest and in this extension.
> 
> Taking the ServerKeyExchange as the paradigmatic example, ISTM that
> we either need to rework the entire negotiation scheme, e.g.,
> to create new cipher suites which specify also the digest used
> for signature, or just live with this duplication. The former
> seems superior.
> 
> So, I propose we simply replace the HashTypes type with a signature
> algorithms type that specifies both hash algorithm and signature
> algorithm. As you suggest:
> 
>      struct {
>          SignatureAlgorithm supported_algorithms<2..2^16-2>;
>      } SupportedSignatureAlgorithms;
> 
> This would go wherever HashTypes goes now.
> 
> However, the interpretation rules need to be extremely clear,
> as below.
> 
> 
> CERTIFICATEREQUEST
> For signatures by the client (i.e., CertificateVerify and 
> Certificate),
> the following rules apply:
> 
>     struct {
>         ClientCertificateType certificate_types<1..2^8-1>;
>         SignatureAlgorithm signature_types<1..2^16-1>;
>         DistinguishedName certificate_authorities<0..2^16-1>;
>     } CertificateRequest;
>  
> - Any certificate offered by the client must be signed with an
>   algorithm described in signature_types.
> - The certificate must contain a public key with an
>   algorithm specified in certificate_types.
> - The CertificateVerify must be signed with a signature algorithm
>   in signature_types.
> 
> Consider the following examples:
> 
> (1) 
> certificate_types = rsa_sign
> signature_types   = rsa_sha1, rsa_sha256
> 
> In this case:
> 
> - The client's certificate must be signed with rsa_sha1 or rsa_sha256
> - The client must sign with either rsa_sha1 or rsa_sha256
> 
> 
> (2) 
> certificate_types = rsa_sign
> signature_types   = rsa_sha1, rsa_sha256, dsa_sha1
> 
> In this case:
> 
> - The client's certificate must be signed with rsa_sha1 or 
> rsa_sha256, or 
>   dsa_sha1
> - The client must sign with rsa_sha1 or rsa_sha256, but NOT DSA
> 
> 
> 
> (3) 
> certificate_types = rsa_sign, dsa_sign
> signature_types   = rsa_sha1, rsa_sha256
> 
> In this case:
> 
> - The client's certificate must be signed with rsa_sha1 or rsa_sha256
> - The client must sign with either rsa_sha1 or rsa_sha256
> 
> Note that even though the server advertised dsa, it didn't advertise
> any hashes so it's not actually usable.
> 
> 
> 
> SIGNATUREALGORITHMS
> As you suggest, the client would offer a SignatureAlgorithms
> extension. The rules would be similar:
> 
> - Any certificate offered by the server must be signed with an
>   algorithm described in signature_types.
> - The certificate key must contain a public key which has
>   an algorithm that matches the cipher suite, either for
>   signing (in the case of cipher suites which have it)
>   or encryption (in the case of cipher suites which don't).
> - The ServerKeyExchange must be signed with an algorithm that
>   matches signature_types.
> 
> Examples:
> (1) 
> cipher suite      = TLS_RSA_WITH_AES_128_CBC_SHA
> signature_types   = rsa_sha1, rsa_sha256
> 
> In this case:
> 
> - The server's certificate must be signed with rsa_sha1 or rsa_sha256
> - The server's certificate must contain an RSA key.
> 
> 
> (2) 
> cipher suite      = TLS_RSA_DHE_WITH_AES_128_CBC_SHA
> signature_types   = rsa_sha1, rsa_sha256
> 
> 
> - The server's certificate must be signed with rsa_sha1 or rsa_sha256
> - The server's certificate must contain an RSA key.
> - The ServerKeyExchange MUST be signed with rsa_sha1 or rsa_sha256
> 
> -Ekr
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls
> 

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls