Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
"Kemp, David P." <DPKemp@missi.ncsc.mil> Wed, 24 February 2010 17:52 UTC
Return-Path: <DPKemp@missi.ncsc.mil>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A30F728C1EC for <tls@core3.amsl.com>; Wed, 24 Feb 2010 09:52:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.978
X-Spam-Level:
X-Spam-Status: No, score=-5.978 tagged_above=-999 required=5 tests=[AWL=-0.620, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9QIV9ES-Fprm for <tls@core3.amsl.com>; Wed, 24 Feb 2010 09:51:52 -0800 (PST)
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by core3.amsl.com (Postfix) with ESMTP id 585D328C14B for <tls@ietf.org>; Wed, 24 Feb 2010 09:51:52 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CAB57A.37F468FA"
Date: Wed, 24 Feb 2010 12:53:05 -0500
Message-ID: <201002241753.o1OHrxuK015491@stingray.missi.ncsc.mil>
In-Reply-To: <C7AB19CF.88B9%stefan@aaa-sec.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
Thread-Index: Acq1cujLRXODTj3ZEkS0IhmoriFNkAAAZpew
References: <4B8407D7.9040207@briansmith.org> <C7AB19CF.88B9%stefan@aaa-sec.com>
From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: tls@ietf.org
X-OriginalArrivalTime: 24 Feb 2010 17:54:46.0312 (UTC) FILETIME=[7392D280:01CAB57A]
Subject: Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2010 17:52:00 -0000
I'd be happier with MUST. I don't buy the argument that all code that makes up an application must come from a certified crypto library; certainly XML parsers, GUI toolkits, and a million other things are available to developers, and I find it hard to believe that 20 years from now nobody will be able to find some C code somewhere to do SHA-1. If it is impossible to get consensus without a SHOULD, then so be it, but that is a cop-out. I agree with Martin and Brian that all hashes including SHA-1 should be truncated. To make it impossible for developers to miss (and to save a few bits of bandwidth) it should be truncated to less than 20 octets. I'd suggest 8 octets, but pick your favorite number (8, 12, 16) less than 20. struct { HashAlgorithm hash; opaque hash_value<8>; // was hash_value<1..255>; } CachedInformationHash; Dave From: Stefan Santesson [mailto:stefan@aaa-sec.com] Sent: Wednesday, February 24, 2010 12:01 PM To: Brian Smith; mrex@sap.com Cc: Simon Josefsson; Kemp, David P.; tls@ietf.org Subject: Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft Would it help to make everyone happy if we said that implementers SHOULD support SHA-1? /Stefan On 10-02-23 5:52 PM, "Brian Smith" <brian@briansmith.org> wrote: Martin Rex wrote: Simon Josefsson wrote: I'd like to suggest another argument to support your reasoning: some FIPS approved crypto libraries no longer export MD5. I expect the same to be true for SHA-1 within a few years. This means that SHA-1 will no longer be as easily available, for these non-crypto purposes needed in tls-cached-info. I do not agree to this conclusion. IIRC, NIST never liked MD5 from the beginning, and it was always clear about that, which is why SHA-1 as an alternative became ubiquitous available everywhere where a secure hash algorithm was needed. In the short term, Martin is right. Even with the new recommendations, crypto modules will still be able to be FIPS-certified even if they contain a SHA-1 implementation, as long because SHA-1 still has approved uses (HMAC-SHA1 in particular). However, I'm not sure that will be the case 10 years from now. I think it would be better for this extension to be specified in a way that doesn't require it to be periodically updated in order to be implementable using only primitives provided by certified crypto modules. While it seems sensible to deprecate SHA-1 for use in digital signatures, it is still present in many certs and many signatures. Even last year, some PKIs have been newly set up with a hierarchy of CAs using SHA-1 for the signature on the intermediate CA and end entity certs--probably because the SHA-2 algorithm is not yet universally available in implementations. It depends on the application. In 2011, SHA-1 certificates will no longer be acceptable for many uses within the US government. And, that is already the case now in 2010 with the German government, AFAICT. If you look at the mandatory-to-implement algorithm for SSLv3 and TLS up to v1.2 (rfc5246): TLSv1.0 (rfc-2246, section 9) TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLSv1.1 (rfc-4346, section 9) TLS_RSA_WITH_3DES_EDE_CBC_SHA TLSv1.2 (rfc-5246, section 9) TLS_RSA_WITH_AES_128_CBC_SHA So getting rid of SHA-1 will require a significantly larger effort than getting rid of MD5 (-based signatures). The spec says that those algorithms are required unless the profile of TLS in use specifies otherwise. The NSA Suite B Profile for TLS (RFC 5430) defines a profile that doesn't use SHA-1 at all. (http://tools.ietf.org/html/rfc5430#section-3). Chosing SHA-256 will give us more time, but we'll likely run into the same issue eventually anyway. I believe this suggests that algorithm agility is useful whenever any crypto-related algorithm is _used_, even if it is used for non-crypto related purposes. TLS truncates the PRF output to 12 octets for the finished message. Maybe we should truncate the hash for the caching extension to 20 octets (which means that sha-1 hash values are sent in full)? That sounds reasonable to me, but I'd also require the SHA-1 hashes truncated too, because (a) SHA-1 is overkill too (as David Kemp pointed out), and (b) it would be impossible for an implementer to miss the truncation requirement, evein in a SHA-1-only implementation. Regards, Brian _____ _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Michael D'Errico
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Nikos Mavrogiannopoulos
- Re: [TLS] Android's cut-through mode & "RequestTi… Brian Smith
- [TLS] Stream multiplexing extension RE: SPDY / Ne… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- [TLS] TLS Performance (was Re: draft-ietf-tls-cac… Michael D'Errico
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- [TLS] Cached-info substitution Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] Cached-info substitution Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] Cached-info substitution Adam Langley
- Re: [TLS] Cached-info substitution Brian Smith
- Re: [TLS] Cached-info substitution Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] Cached-info substitution Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- [TLS] RFC 5077 (was Re: draft-ietf-tls-cached-inf… Michael D'Errico
- Re: [TLS] Cached-info substitution Adam Langley
- Re: [TLS] Cached-info substitution Wan-Teh Chang
- Re: [TLS] Cached-info substitution Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-cach… Kemp, David P.
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Marsh Ray
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Yoav Nir
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Joseph Salowey (jsalowey)
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Brian Smith
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Donald Eastlake
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Joseph Salowey (jsalowey)
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Marsh Ray
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Simon Josefsson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Stefan Santesson
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Adam Langley
- Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fa… Michael D'Errico