IETF Logo Mail Archive

Re: [TLS] TLSv1.2 with DSA client cert and key size >1024 bits

"Kemp, David P." <DPKemp@missi.ncsc.mil> Tue, 15 February 2011 17:59 UTC

Return-Path: <DPKemp@missi.ncsc.mil>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 74AE13A6D2D for <tls@core3.amsl.com>; Tue, 15 Feb 2011 09:59:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJF8tkz1dNgv for <tls@core3.amsl.com>; Tue, 15 Feb 2011 09:59:20 -0800 (PST)
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by core3.amsl.com (Postfix) with ESMTP id 6355C3A6CD5 for <tls@ietf.org>; Tue, 15 Feb 2011 09:59:20 -0800 (PST)
Received: from AUGUSTINE.missi.ncsc.mil (augustine.missi.ncsc.mil [144.51.60.33]) by stingray.missi.ncsc.mil with ESMTP id p1FHxis8053732; Tue, 15 Feb 2011 12:59:44 -0500 (EST)
Received: from DABECK.missi.ncsc.mil ([144.51.60.16]) by AUGUSTINE.missi.ncsc.mil with Microsoft SMTPSVC(6.0.3790.4675); Tue, 15 Feb 2011 12:59:03 -0500
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Tue, 15 Feb 2011 12:54:11 -0500
Message-ID: <C1A47F1540DF3246A8D30C853C05D0DA03B8A56B@DABECK.missi.ncsc.mil>
In-Reply-To: <4D5AAD0C.5050900@drh-consultancy.demon.co.uk>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] TLSv1.2 with DSA client cert and key size >1024 bits
Thread-Index: AcvNLqQMua3oNsQwTH6zpCgK4gniiAABC/jw
References: <201102151618.p1FGIwQ8023299@fs4113.wdf.sap.corp> <4D5AAD0C.5050900@drh-consultancy.demon.co.uk>
From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>, mrex@sap.com
X-OriginalArrivalTime: 15 Feb 2011 17:59:03.0578 (UTC) FILETIME=[07F97FA0:01CBCD3A]
Cc: tls@ietf.org
Subject: Re: [TLS] TLSv1.2 with DSA client cert and key size >1024 bits
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2011 17:59:22 -0000

The wording could probably use clarification - a "digital signature" key
pair is used by an entity to bind its identity to a piece of
information.  If the only external result of an ephemeral ciphersuite is
an authenticated shared key, then the RSA key is being used for the
purpose of key establishment even if a signature algorithm is used
internally by the key establishment process.

If a client purported to have data signed by a server as a result of
having performed a key exchange using a key establishment certificate,
it would be misrepresenting the results of the key exchange.  No relying
party would accept as valid data "signed" using a key establishment
certificate, protecting the server from unintended consequences.

Dave




-----Original Message-----
From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Dr
Stephen Henson
Sent: Tuesday, February 15, 2011 11:43 AM
To: mrex@sap.com
Cc: tls@ietf.org
Subject: Re: [TLS] TLSv1.2 with DSA client cert and key size >1024 bits

On 15/02/2011 16:18, Martin Rex wrote:
> Dr Stephen Henson wrote:
>>
>>  [...] a similar comment about SHA-1 though not an outright
prohibition:
>>
>> "A hash function that provides a lower security strength than the
>> security strength associated with the bit length of the modulus
>> ordinarily should not be used, since this would reduce the security
>> strength of the digital signature process to a level no greater
>> than that provided by the hash function."
> 
> It's true that the wording in FIPS 186-3 section 4.2 (page 16 2nd
paragraph)
> uses "should not" (while the same description for ECDSA uses "shall
not").
> 

It also says:

"In addition, an RSA digital signature key pair shall not be used for
other
purposes (e.g., key establishment)."

I can't imagine many servers using two distinct certificates for
ephemeral and
static RSA ciphersuites, even is the server software supports it.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email