IETF Logo Mail Archive

Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2

"Fries, Steffen" <steffen.fries@siemens.com> Thu, 23 March 2017 15:28 UTC

Return-Path: <steffen.fries@siemens.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CE6E12948A for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 08:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.919
X-Spam-Level:
X-Spam-Status: No, score=-6.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xp2E-4v3WJt6 for <tls@ietfa.amsl.com>; Thu, 23 Mar 2017 08:28:21 -0700 (PDT)
Received: from gecko.sbs.de (gecko.sbs.de [194.138.37.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EF96120727 for <tls@ietf.org>; Thu, 23 Mar 2017 08:28:21 -0700 (PDT)
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id v2NFSJ6W001603 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <tls@ietf.org>; Thu, 23 Mar 2017 16:28:19 +0100
Received: from DEFTHW99ERKMSX.ww902.siemens.net (defthw99erkmsx.ww902.siemens.net [139.22.70.147]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTPS id v2NFSJKO010174 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <tls@ietf.org>; Thu, 23 Mar 2017 16:28:19 +0100
Received: from DEFTHW99ERFMSX.ww902.siemens.net (139.22.70.67) by DEFTHW99ERKMSX.ww902.siemens.net (139.22.70.147) with Microsoft SMTP Server (TLS) id 14.3.339.0; Thu, 23 Mar 2017 16:28:18 +0100
Received: from DENBGAT9EH2MSX.ww902.siemens.net ([169.254.6.129]) by DEFTHW99ERFMSX.ww902.siemens.net ([139.22.70.67]) with mapi id 14.03.0339.000; Thu, 23 Mar 2017 16:28:18 +0100
From: "Fries, Steffen" <steffen.fries@siemens.com>
To: TLS WG <tls@ietf.org>
Thread-Topic: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
Thread-Index: AQHSo+oY1JOkT6DAvEmwIlzllF5qgA==
Date: Thu, 23 Mar 2017 15:28:17 +0000
Message-ID: <E6C9F0E527F94F4692731382340B337846DDEE@DENBGAT9EH2MSX.ww902.siemens.net>
References: <E6C9F0E527F94F4692731382340B337846DD1B@DENBGAT9EH2MSX.ww902.siemens.net> <4DD1F233-D659-4F79-9ADA-BC31A49DA653@dukhovni.org>
In-Reply-To: <4DD1F233-D659-4F79-9ADA-BC31A49DA653@dukhovni.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [139.22.70.49]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_7CgfMRd0c1qlX4Hm2MkQOoO2Ag>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 15:28:23 -0000

Hi Viktor,

thanks for the response, I replied inline.
> According to  TLS 1.2 section 7.4.1.4.1. a client may use the 
> signature_algorithm extension to signal any combinations the client 
> supports, listed in the order of preferences.

The signature algorithm is primarily about signatures made as part of the TLS handshake, and not so much signatures in certificates.
[[stf]] In general I agree, but section 7.4.2 directly relates to certificates used by the server:
     If the client provided a "signature_algorithms" extension, then all  certificates provided by the server MUST be signed by a 
     hash/signature algorithm pair that appears in that extension.
Based on that I concluded the same restriction (fallback to SHA1) regarding the absence of the signature_algorithm extension applies for the certificates.  


> If the client does not use this extension, the server must use the 
> signature algorithm in combination with SHA1.

For signing the TLS key exchange, however, it should still present whatever certificate chain it has, even if that chain employs SHA256.
It is exceedingly unlikely these days that a client will not support
SHA256 signatures in the certificate chain.
[[stf]] This is true, specifically, if the client offered SHA256 cipher suites

> This may lead to an error on the client side when validating the 
> certificate.

You really should not even deploy SHA1 certificates these days, though some sites are still using their legacy SHA1 certificates that have not yet expired.
[[stf]] Completely agree. I was curious if there is an option to signal to the client that the server is not willing to support outdated algorithms explicitly, rather than using a SHA256 based cert, which may lead to an error in a legacy client, it it does not support SHA256.

> Unfortunately the server is not allowed to use this extension, 
> otherwise he could tell the client his preferences according to his security policy.

The protocol (as it should) lacks the additional round-trips necessary for the server to initiate signature algorithm negotiation.
[[stf]] Yes, realized that. It gets better in TLS1.3

> Is there a standard compliant way to utilize SHA256 based certificates 
> on the server side even when a client does not signal additional 
> signature algorithms?

Yes, just use them regardless of the client's signature algorithm extension.  See the TLS 1.3 draft for improved language about the interaction of signature algorithms and certificates.
[[stf]] That is the point I stumbled about. The text in 7.4.2 describes what a server must do, when a client uses the signature algorithm extension, but does not describe the supported behavior if the client does not use this extension. It somehow implies that the server shall behave like described for the cipher suite case (section 7.4.1.4.1). From a security perspective I completely agree, one should not use outdated crypto. 

Best regards
Steffen

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email