IETF Logo Mail Archive

Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and

Martin Rex <mrex@sap.com> Wed, 16 February 2011 23:34 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5B3393A6CE4 for <tls@core3.amsl.com>; Wed, 16 Feb 2011 15:34:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.224
X-Spam-Level:
X-Spam-Status: No, score=-10.224 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgYdq1vdv+3B for <tls@core3.amsl.com>; Wed, 16 Feb 2011 15:34:34 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id CB93E3A6AB9 for <tls@ietf.org>; Wed, 16 Feb 2011 15:34:33 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p1GNZ1Ug019194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 17 Feb 2011 00:35:01 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201102162335.p1GNZ0Yd009478@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Thu, 17 Feb 2011 00:35:00 +0100
In-Reply-To: <4D59B8FE.6010908@pobox.com> from "Michael D'Errico" at Feb 14, 11 03:21:34 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 23:34:36 -0000

Michael D'Errico wrote:
> 
> > It is extremely rare for TLS clients and servers to actually negotiate
> > TLSv1.2, and I currently do not expect this to change significantly
> > during the next couple of years.
> > 
> > There seem to be two reasons for this:
> > 
> >   - at least one vendor sees a performance problem with enabling
> >     TLSv1.2 for the server by default
> 
> This is not a problem with TLS 1.2 itself, but of that vendor's
> implementation of it.  My server shows virtually no difference in
> throughput for any SSL/TLS version, though SSL3 is a tiny bit
> slower than the rest.  This could be explained by the slightly
> more complicated MAC computation in SSLv3 vs HMAC in TLS.

The more I think about it, the more I believe it is, in fact, a
design flaw in TLSv1.2 responsible for a handshake performance issue
(at least when a client certificate is requested).


While the PRF was changed from SSLv3->TLSv1.0, there was no change to
the CertificateVerify handshake message.  So for creating and
verifying a CertificateVerify handshake message, two hashes must
be maintained over all handshake messages:  MD5 + SHA1.

With TLSv1.2, if a server does not want to artificially limit the
signature algorithms on acceptable client certificates, it must
send a long list of acceptable combinations

(sha1,rsa), (sha1,dsa), (sha256,rsa), (sha384,rsa), (sha512,rsa),
(sha224,dsa), (sha256,dsa), ...

So unless both, server and client must either hold on to all handshake
messages up to CertificateVerify or carry along hash contexts for all
of the possible algorithms.

Compare:
   SSLv3, TLSv1.0/1.1  md5 + sha1
   TLSv1.2             md5 + sha1 + sha224 + sha256 + sha384 + sha512

If you look at this list, look at how TLS uses hashes for digital
signatures and think about the algorithmic relationships between
sha224&sha256 and between sha384&sha52, then sha224 and sha384
are utterly useless fifth and sixth wheel on the TLS cart.
For TLS itself, sha256 -- or maybe even sha256 alone would have
been PERFECTLY sufficent, and a LOT less work.


What I also don't understand is the idea behind "default signature
algorithms".  For implementing TLSv1.2, SHA-256 _must_ be supported,
but unless explicitly negotiated with the TLS SignatureAlgorithm
extension, SHA-256 appears not allowed to be used for CertificateVerify.

That would mean, when TLSv1.2 is negotiated, but no SignatureAlgorithms
extension exchanged, the resulting signature with an RSA client cert
in CertificateVerify no longer uses MD5+SHA-1 as in TLS up to v1.1,
but _only_ SHA-1 (which slightly weakens that signature compared to
prior protocol versions...).  The use of SHA-256 is prohibited!??!

Weird, really.

-Martin

v2.23.0 | Report a Bug | By Email