Re: [TLS] TLSv1.2 with DSA client cert and key size >1024 bits

Dr Stephen Henson <lists@drh-consultancy.demon.co.uk> Tue, 15 February 2011 14:18 UTC

On 14/02/2011 16:48, Martin Rex wrote:
> Dear implementors of TLSv1.2,
> 
> The use of TLSv1.2 with DSA client certs using key lengths > 1024
> as defined by FIPS 186-3 appears slightly underspecified.
> I would like to find out what current implementations of TLSv1.2
> are doing -- and what they are doing when negotiating a protocol
> version less than {0x03,0x03}.
> 

OpenSSL uses SHA-1 for TLS v1.1 and below. OpenSSL doesn't currently support TLS
v1.2.

As I mentioned elsewhere FIPS 186-3 also includes comments about RSA (section
5). For example it limits key sizes to 1024, 2048 and 3072 bits. 4096 bit RSA
keys are not that uncommon and oddball keylengths like 2047 bits crop up quite
often too.

There is a similar comment about SHA-1 though not an outright prohibition:

"A hash function that provides a lower security strength than the security
strength associated with the bit length of the modulus ordinarily should not be
used, since this would reduce the security strength of the digital signature
process to a level no greater than that provided by the hash function."

Using SHA-2 algorithms isn't possible in TLS 1.1 and earlier with RSA as they
hard code the SHA1+MD5 signature.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
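
The check implied by the FIPS 186-3 passage quoted in the message above, as an added example that is not part of the original message or of OpenSSL: it works out which hash signs the handshake for a given protocol version and key type, then reports whether that hash caps the signature strength below what the key offers. Assumptions: the strength figures are the nominal values from NIST SP 800-57 Part 1, non-standard modulus sizes (2047, 4096) are floored to the next lower tabulated size, the MD5+SHA-1 concatenation is rated no higher than SHA-1, and all function names are hypothetical.

```python
from bisect import bisect_right

# Nominal comparable strengths in bits (NIST SP 800-57 Part 1) for RSA/DSA moduli.
MODULUS_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
# Nominal collision-resistance strengths of hashes used in signatures.
HASH_STRENGTH = {"sha1": 80, "sha224": 112, "sha256": 128, "sha384": 192, "sha512": 256}
# Assumption: the MD5||SHA-1 concatenation is rated no higher than SHA-1 alone.
HASH_STRENGTH["md5+sha1"] = 80

TLS1_2 = (3, 3)  # protocol version {0x03,0x03}


def modulus_strength(bits):
    """Floor to the largest tabulated size <= bits (2047 uses the 1024 row); 0 below 1024."""
    sizes = [size for size, _ in MODULUS_STRENGTH]
    i = bisect_right(sizes, bits)
    return MODULUS_STRENGTH[i - 1][1] if i else 0


def signature_hash(version, key_alg, negotiated_hash=None):
    """Hash applied to the signed handshake data for this protocol version."""
    if version >= TLS1_2:
        if negotiated_hash is None:
            raise ValueError("TLS 1.2 needs the hash chosen via signature_algorithms")
        return negotiated_hash
    # TLS 1.1 and earlier fix the hash: MD5+SHA-1 for RSA, SHA-1 for DSA.
    return {"rsa": "md5+sha1", "dsa": "sha1"}[key_alg]


def assess(version, key_alg, key_bits, negotiated_hash=None):
    """Return (hash, effective_strength_bits, hash_is_limiting)."""
    h = signature_hash(version, key_alg, negotiated_hash)
    key_s, hash_s = modulus_strength(key_bits), HASH_STRENGTH[h]
    return h, min(key_s, hash_s), hash_s < key_s


if __name__ == "__main__":
    # Constructed sample cases: (version, key type, modulus bits[, TLS 1.2 hash]).
    for case in [((3, 2), "dsa", 2048), ((3, 2), "rsa", 4096),
                 ((3, 2), "rsa", 2047), ((3, 3), "dsa", 2048, "sha256")]:
        print(case, "->", assess(*case))
```
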