IETF Logo Mail Archive

Re: [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again)

Juho Vähä-Herttua <juhovh@iki.fi> Thu, 06 January 2011 15:46 UTC

Return-Path: <juhovh@iki.fi>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 13BA43A6E31 for <tls@core3.amsl.com>; Thu, 6 Jan 2011 07:46:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[AWL=0.157, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, SARE_HELO_EQ_DSL_3=1.022]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7IJkDhye3fIj for <tls@core3.amsl.com>; Thu, 6 Jan 2011 07:46:55 -0800 (PST)
Received: from jenni1.inet.fi (mta-out.inet.fi [195.156.147.13]) by core3.amsl.com (Postfix) with ESMTP id 913263A6E1A for <tls@ietf.org>; Thu, 6 Jan 2011 07:46:54 -0800 (PST)
Received: from smtp.vaha-herttua.fi (88.192.241.223) by jenni1.inet.fi (8.5.133) id 4D060B9400C7A8AB; Thu, 6 Jan 2011 17:48:59 +0200
Received: from dsl-hkibrasgw3-ffffc000-19.dhcp.inet.fi (dsl-hkibrasgw3-ffffc000-19.dhcp.inet.fi [88.192.255.19]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.vaha-herttua.fi (Postfix) with ESMTPSA id 82E161FCFE; Thu, 6 Jan 2011 17:49:01 +0200 (EET)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: multipart/signed; boundary="Apple-Mail-2-341640278"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Juho Vähä-Herttua <juhovh@iki.fi>
In-Reply-To: <00aa01cbadb3$b7c95f50$275c1df0$@sturek@att.net>
Date: Thu, 06 Jan 2011 17:48:56 +0200
Message-Id: <E74184BA-06D8-4C2E-AE51-D3D9CCF633AB@iki.fi>
References: <008d01cbadaf$2de31550$89a93ff0$@sturek@att.net> <BBB467C5-5FF5-4B73-84CF-3831281D08A4@iki.fi> <00aa01cbadb3$b7c95f50$275c1df0$@sturek@att.net>
To: d.sturek@att.net
X-Mailer: Apple Mail (2.1082)
Cc: tls@ietf.org
Subject: Re: [TLS] draft-mcgrew-tls-aes-ccm-ecc-00 (again)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jan 2011 15:46:56 -0000

On 6.1.2011, at 17.09, Don Sturek wrote:
> Hi Juho,
> 
> On your very last sentence, could you elaborate on why you think the draft
> is not interoperable with other cipher suites?  I think topics like those
> discussed in this part of the thread
> (http://www.ietf.org/mail-archive/web/tls/current/msg06718.html) are all
> very easy to resolve.  

I think the issues are pretty easy to solve as well. The first thing that came into my mind about not being interoperable was the extension part:

      The client MUST NOT offer the elliptic_curves extension nor the
      ec_point_formats extension.  The server MUST NOT expect to receive
      those extensions.

The client offering AES-CCM cipher suites should be allowed to offer other cipher suites as well. Those other cipher suites may need to define elliptic_curves or ec_point_formats extensions, but AES-CCM draft forbids offering them. That's a clear conflict. Another smaller issue was the certificate part:

      The server's certificate MUST contain an ECDSA-capable public key,
      and it MUST be signed with ECDSA.  If a client certificate is
      used, the same conditions apply to it.

I don't see a reason why a cipher should restrict the type of certificates, although requiring the ECDSA-capable public key in ECDSA cipher suite is kind of obvious. This is not really conflicting, but it would be much nicer if the AES-CCM would be defined as a generic cipher that can be used with any kind of certificate and the additional IEEE 802.15.4 related restrictions would be in a separate document. It works for all the other ciphers and RSA, DHE_DSA or DHE_RSA or certificates signed with some other signing algorithm are not really less secure than ECDSA. I guess the reason for this is again to simplify the hardware implementation by only using ECDSA for everything.


Juho

v2.23.0 | Report a Bug | By Email