IETF Logo Mail Archive

Re: [TLS] security levels for TLS

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 11 October 2007 16:23 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig0oi-0000Ys-Un; Thu, 11 Oct 2007 12:23:20 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1Ig0oh-0000Yi-Lr for tls-confirm+ok@megatron.ietf.org; Thu, 11 Oct 2007 12:23:19 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig0oh-0000YZ-CK for tls@lists.ietf.org; Thu, 11 Oct 2007 12:23:19 -0400
Received: from sca-ea-mail-4.sun.com ([192.18.43.22]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ig0nd-0000s1-0b for tls@lists.ietf.org; Thu, 11 Oct 2007 12:23:19 -0400
Received: from centralmail4brm.Central.Sun.COM ([129.147.62.198]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id l9BGLt4i017697 for <tls@lists.ietf.org>; Thu, 11 Oct 2007 16:21:55 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail4brm.Central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id l9BGLs2u029507 for <tls@lists.ietf.org>; Thu, 11 Oct 2007 10:21:54 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id l9BGLsoW027048; Thu, 11 Oct 2007 11:21:54 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id l9BGLrPn027047; Thu, 11 Oct 2007 11:21:53 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 11 Oct 2007 11:21:53 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Eric Rescorla <ekr@networkresonance.com>
Subject: Re: [TLS] security levels for TLS
Message-ID: <20071011162153.GO24532@Sun.COM>
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil> <470D0243.3050009@pobox.com> <20071010180324.7ABC533C21@delta.rtfm.com> <470E4399.3010008@pobox.com> <20071011155829.965C733C28@delta.rtfm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20071011155829.965C733C28@delta.rtfm.com>
User-Agent: Mutt/1.5.7i
X-Spam-Score: -1.0 (-)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

On Thu, Oct 11, 2007 at 08:58:27AM -0700, Eric Rescorla wrote:
> At Thu, 11 Oct 2007 08:39:05 -0700,
> Mike wrote:
> > 
> > I think there is good reason to try to solve this problem
> > in the TLS layer.  The alternative is to force every TLS-
> > enabled application to solve it (and likely they won't
> > solve it and be less secure).  Wouldn't it be ideal if an
> > application could just say:
> > 
> >      TLS::SetSecurityLevel (3);
> 
> No, it would not, because, I've now said several times, security is
> not expressible via a single metric, making this a complete rathole.

Agreed.  SASL used to have a notion of "security strength factor" (SSF),
and that was a disaster.

You cannot calculate an _absolute_ and _objective_ measure of security
for anything, least of all cryptographic algorithms subject to future
cryptanalytic advances (i.e., all of them).  (Don't even mention future
quantum computers.)

Basically, the best you could do is have an application choose a
cryptographic profile by descriptive names like "strong" and "fast," but
where the content of such profiles is subject to change over time, and
perhaps even a local matter.  Today "strong" might mean AES-128 is OK,
and tomorrow it might mean only AES-256 is OK, and the next day it might
mean something else, and so on.

> > Currently an application has to do the following:
> > 
> 
> Again, do you have any evidence this is a problem in practice.
> I appreciate it's a potential problem *in theory* but that's
> not the same thing.

The easy answer is to give the application fewer choices, namely a
choice of locally-configured profiles (see above).

In fact, I strongly urge TLS API developers to provide such a facility.

> And again, this is an API/local isssue. IETF doesn't do
> those.

There you go again.  The IETF most certainly deals in APIs.  Though in
this case I think the IETF need not have any specifications requiring or
recommending a facility like I describe above.  If it helps ward off
requests for silly things like "security strength factors" and those are
common enough, then perhaps we should indeed have an information RFC
explaining why we can't and what developers can do instead.

Nico
-- 


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email