Re: [TLS] TLS 1.3 draft-07 sneak peek

Dave Garrett <davemgarrett@gmail.com> Sat, 04 July 2015 00:39 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 03 Jul 2015 20:38:38 -0400
References: <20150704001638.780371A1B3@ld9781.wdf.sap.corp>
In-Reply-To: <20150704001638.780371A1B3@ld9781.wdf.sap.corp>
Message-Id: <201507032038.39057.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/U256gcL9tUKLYvoMjyadXyIXg3c>

On Friday, July 03, 2015 08:16:38 pm Martin Rex wrote:
> All prior protocol versions, including SSLv3, are using RSA signatures
> with a 278-bit hash (a concatenation of sha1+md5), which is a reasonable
> and conservative design.  Given that this TLS-specific signature
> scheme had been used successfully for more than a decade when TLSv1.2
> was specified, it is difficult to understand why this was deliberately
> weakened in TLSv1.2, rather than using the straightforward safe
> solution to define a codepoint for { sha1+md5, rsa } to identify
> the SSLv3->TLSv1.1 RSA signature transform for use in TLSv1.2
> rather than newly adding and allowing the well-known weak signature
> schemes {md5,rsa} and {sha1,rsa} (and de-facto mandating support
> for the latter).

Yeah, that was a weird choice.

I'm curious: how much more secure can SHA1+MD5 be considered in comparison to SHA1? For that matter, how strong is it in comparison to SHA256? Its strength would theoretically be stronger than the sum of its parts, though I don't know by how much. I'm wondering if there's a study on this topic somewhere that someone might be able to point me to.


Dave
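As an added illustration (not part of this thread) of the two signature transforms being compared: in TLS 1.0/1.1 the RSA signature on ServerKeyExchange covers the 36-byte MD5(data)||SHA-1(data) placed directly into PKCS#1 v1.5 padding with no DigestInfo, while TLS 1.2 signs a single hash wrapped in its DER DigestInfo. The modulus length and the handshake bytes are constructed stand-ins; no real key is involved, only the encoded block is built.

```python
import hashlib

# DER DigestInfo prefixes from RFC 3447 section 9.2 (used only by TLS 1.2).
DIGEST_INFO = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def legacy_tls_digest(data: bytes) -> bytes:
    """TLS 1.0/1.1 RSA signature input (RFC 4346 7.4.3):
    MD5(data) || SHA-1(data), 36 bytes, with no DigestInfo wrapper."""
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()

def tls12_digest(data: bytes, hash_name: str) -> bytes:
    """TLS 1.2 RSA signature input (RFC 5246 4.7): one hash, DER-wrapped."""
    return DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest()

def pkcs1_v15_encode(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block 00 01 FF..FF 00 T, padded to modulus length k."""
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

# ServerKeyExchange signature input: client_random || server_random || params.
CLIENT_RANDOM = bytes(range(32))                          # constructed
SERVER_RANDOM = bytes(range(32, 64))                      # constructed
SERVER_PARAMS = b"\x00\x01\x05\x00\x01\x02\x00\x01\x03"   # constructed stand-in
SIGNED_DATA = CLIENT_RANDOM + SERVER_RANDOM + SERVER_PARAMS

def encoded_blocks(k: int = 256) -> dict:
    """Return both encoded blocks for a k-byte (here 2048-bit) modulus."""
    return {
        "tls11": pkcs1_v15_encode(legacy_tls_digest(SIGNED_DATA), k),
        "tls12": pkcs1_v15_encode(tls12_digest(SIGNED_DATA, "sha256"), k),
    }

if __name__ == "__main__":
    for name, block in encoded_blocks().items():
        # The hash material is everything after the 00 separator of the padding.
        t = block[block.index(b"\x00", 2) + 1:]
        print(f"{name}: {len(t)}-byte T, DigestInfo={'yes' if t[0] == 0x30 else 'no'}")
```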