IETF Logo Mail Archive

[TLS] EllipticCurveList is not expressive enough

"Brian Smith" <brian@briansmith.org> Fri, 23 July 2010 17:14 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B804F3A695D for <tls@core3.amsl.com>; Fri, 23 Jul 2010 10:14:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.308
X-Spam-Level:
X-Spam-Status: No, score=-0.308 tagged_above=-999 required=5 tests=[AWL=-0.309, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hZSOWtj53s-K for <tls@core3.amsl.com>; Fri, 23 Jul 2010 10:13:57 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by core3.amsl.com (Postfix) with ESMTP id 082BA3A67E6 for <tls@ietf.org>; Fri, 23 Jul 2010 10:13:56 -0700 (PDT)
Received: from T60 (unknown [98.200.191.117]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 1056222E257 for <tls@ietf.org>; Fri, 23 Jul 2010 13:14:08 -0400 (EDT)
From: Brian Smith <brian@briansmith.org>
To: tls@ietf.org
Date: Fri, 23 Jul 2010 12:14:05 -0500
Message-ID: <004401cb2a8a$78007360$68015a20$@briansmith.org>
X-Mailer: Microsoft Outlook 14.0
MIME-Version: 1.0
Thread-Index: AQKYLi5FjsjAe4Xl0ekdZGqryIMRjA==
Content-Language: en-us
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_003F_01CB2A60.8ACA4590"
Subject: [TLS] EllipticCurveList is not expressive enough
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jul 2010 17:14:13 -0000

1. The NSA suite B profile contains the following requirements: "For cipher
suites at the 128-bit security level, secp256r1 MUST be used.  For cipher
suites at the 192-bit security level, secp384r1 MUST be used." and "For
certificates used at the 128-bit security level, the subject public key MUST
use the P-256 curve and be signed with either the P-384 curve or the P-256
curve.  For certificates used at the 192-bit security level, the subject
public key MUST use the P-384 curve and be signed with the P-384 curve."

2. Some crypto libraries, such as Microsoft's CNG, provide (sysadmin)
options for enabling/disabling ciphersuite/elliptic curve combinations [1],
instead of enabling/disabling cipher suites and elliptic curves
orthogonally. For example, for you can enable
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 with the P-256 curve and disable it
with secp384r1.

A TLS client can use the EllipticCurveList extension to tell the server that
it prefers secp384r1 over secp256r1 or secp256r1 or secp384r1, but it cannot
relay the above restrictions. As a result, the server can choose a curve and
a cipher suite that seem acceptable based on the information in the client
hello, but which the client would have to reject (e.g.
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 with the secp384r1 curve, which a
Suite B client would have to reject).

This makes implementing a robust client quite complicated, as it has to be
prepared to do attempt and abort handshakes several times, each with a
different CipherSuites/EllipticCurveLists combination. And, doing so results
either horrible performance (having to go through the full handshake before
aborting the connection, potentially several times) or susceptibility to
rollback attacks (if the handshake is aborted right after the ServerHello).

Consequently, I think it would be very useful to have a different extension
that allowed the client to spell out its exact requirements: For
ciphersuites <C>, I accept curves <K> for ECDH, curves <E> for the ECDSA
signature, and curves <I> for certificate signatures.

Also, does the Suite B profile really need to be that strict? As far as I
can tell, it should be acceptable (if wasteful) to use the secp384r1 curves
at the 128-bit security level, but the Suite B profile doesn't allow that.

[1] http://msdn.microsoft.com/en-us/library/aa374757(VS.85).aspx

Regards,
Brian

v2.23.0 | Report a Bug | By Email