[TLS] EllipticCurveList is not expressive enough
"Brian Smith" <brian@briansmith.org> Fri, 23 July 2010 17:14 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B804F3A695D for <tls@core3.amsl.com>; Fri, 23 Jul 2010 10:14:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.308
X-Spam-Level:
X-Spam-Status: No, score=-0.308 tagged_above=-999 required=5 tests=[AWL=-0.309, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hZSOWtj53s-K for <tls@core3.amsl.com>; Fri, 23 Jul 2010 10:13:57 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by core3.amsl.com (Postfix) with ESMTP id 082BA3A67E6 for <tls@ietf.org>; Fri, 23 Jul 2010 10:13:56 -0700 (PDT)
Received: from T60 (unknown [98.200.191.117]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 1056222E257 for <tls@ietf.org>; Fri, 23 Jul 2010 13:14:08 -0400 (EDT)
From: Brian Smith <brian@briansmith.org>
To: tls@ietf.org
Date: Fri, 23 Jul 2010 12:14:05 -0500
Message-ID: <004401cb2a8a$78007360$68015a20$@briansmith.org>
X-Mailer: Microsoft Outlook 14.0
MIME-Version: 1.0
Thread-Index: AQKYLi5FjsjAe4Xl0ekdZGqryIMRjA==
Content-Language: en-us
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_003F_01CB2A60.8ACA4590"
Subject: [TLS] EllipticCurveList is not expressive enough
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jul 2010 17:14:13 -0000
1. The NSA suite B profile contains the following requirements: "For cipher suites at the 128-bit security level, secp256r1 MUST be used. For cipher suites at the 192-bit security level, secp384r1 MUST be used." and "For certificates used at the 128-bit security level, the subject public key MUST use the P-256 curve and be signed with either the P-384 curve or the P-256 curve. For certificates used at the 192-bit security level, the subject public key MUST use the P-384 curve and be signed with the P-384 curve." 2. Some crypto libraries, such as Microsoft's CNG, provide (sysadmin) options for enabling/disabling ciphersuite/elliptic curve combinations [1], instead of enabling/disabling cipher suites and elliptic curves orthogonally. For example, for you can enable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 with the P-256 curve and disable it with secp384r1. A TLS client can use the EllipticCurveList extension to tell the server that it prefers secp384r1 over secp256r1 or secp256r1 or secp384r1, but it cannot relay the above restrictions. As a result, the server can choose a curve and a cipher suite that seem acceptable based on the information in the client hello, but which the client would have to reject (e.g. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 with the secp384r1 curve, which a Suite B client would have to reject). This makes implementing a robust client quite complicated, as it has to be prepared to do attempt and abort handshakes several times, each with a different CipherSuites/EllipticCurveLists combination. And, doing so results either horrible performance (having to go through the full handshake before aborting the connection, potentially several times) or susceptibility to rollback attacks (if the handshake is aborted right after the ServerHello). Consequently, I think it would be very useful to have a different extension that allowed the client to spell out its exact requirements: For ciphersuites <C>, I accept curves <K> for ECDH, curves <E> for the ECDSA signature, and curves <I> for certificate signatures. Also, does the Suite B profile really need to be that strict? As far as I can tell, it should be acceptable (if wasteful) to use the secp384r1 curves at the 128-bit security level, but the Suite B profile doesn't allow that. [1] http://msdn.microsoft.com/en-us/library/aa374757(VS.85).aspx Regards, Brian
- [TLS] EllipticCurveList is not expressive enough Brian Smith
- Re: [TLS] EllipticCurveList is not expressive eno… Peter Gutmann
- Re: [TLS] EllipticCurveList is not expressive eno… Kyle Hamilton
- Re: [TLS] EllipticCurveList is not expressive eno… Dean Anderson
- Re: [TLS] EllipticCurveList is not expressive eno… Jeffrey A. Williams
- Re: [TLS] EllipticCurveList is not expressive eno… Kyle Hamilton