Re: [TLS] Updated TLS 1.2 I-D

Bodo Moeller <> Fri, 14 July 2006 10:04 UTC

Received: from [] ( by with esmtp (Exim 4.43) id 1G1KXJ-0005AG-Hl; Fri, 14 Jul 2006 06:04:41 -0400
Received: from [] ( by with esmtp (Exim 4.43) id 1G1KXI-0005AA-2e for; Fri, 14 Jul 2006 06:04:40 -0400
Received: from ([]) by with esmtp (Exim 4.43) id 1G1KXF-0002Eq-Ih for; Fri, 14 Jul 2006 06:04:39 -0400
Received: from [] (helo=tau.invalid) by (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1G1KXC0AXr-0002iN; Fri, 14 Jul 2006 12:04:34 +0200
Received: by tau.invalid (Postfix, from userid 1000) id 63B5517D45; Fri, 14 Jul 2006 12:04:32 +0200 (CEST)
Date: Fri, 14 Jul 2006 12:04:32 +0200
From: Bodo Moeller <>
To: Gregory Chudov <>
Subject: Re: [TLS] Updated TLS 1.2 I-D
Message-ID: <>
References: <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.9i
X-Provags-ID: login:2100a517a32aea841b51dac1f7c5a318
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

On Fri, Jul 14, 2006 at 10:19:38AM +0400, Gregory Chudov wrote:

> Concerning Certificate Verify message:

>>      If the SignatureAlgorithm
>>      is DSA, then the sha_hash value must be used. If it is RSA,
>>      the same function (denoted Hash) must be used as was used to
>>      create the signature for the client's certificate.

> This doesn't look reasonable.
> Aside from general "bad feeling" about this, i have at least three
> examples in which this causes trouble:

Also, sha_hash is a SHA-1 hash, but the FIPS 186-3 (Digital Signature
Standard) draft also provides for use of the longer SHAs from FIPS
180-2 for prime moduli over 1024 bits.  (The subgroup size determines
the recommended SHA variant, although it can be agreed to use stronger
hash functions with truncation.)

> My proposition is:
> 1) Change the structure of the CertificateVerify message to reflect
> the change to CertificateRequest:

My suggestion is different:

Don't change the definition of CertificateRequest in the first place,
i.e. don't introduce HashType in the first place.  Keep the
definitions of the rsa_sign and dss_sign client authentication methods
as in current TLS versions, but define new client authentication
methods where the hashing is done differently.

There could be something like dsa_sign_fips_186_3 where hashing is
done as recommended in FIPS 186-3 (here I'm hoping that this actually
gets standardized within a reasonable timeframe).

There are only aesthetical reasons to get rid of the current MD5/SHA-1
concatenation in RSA client authentication.  Authentication can only
broken if the attack succeeds in real time (and this requires a second
preimage, not just a collision!).  As long as we have the current
Finished message (which involves MD5 anyway, so no implementation can
do without it), not much speaks against leaving RSA signing as it is
now.  However, here too we could add a FIPS 186-3 variant, meaning
that depending on the modulus size a wider SHA can be used, adopting
the "security strength" for RSA moduli from NIST SP 800-57 to obtain
the appropriate SHA variant.  (I.e., SHA-1 up to 1024 bits, SHA-224 up
to 2048 bits, SHA-256 up to 3072 bits, SHA-384 up to 7680 bits,
SHA-512 up to 15360 bits.)

TLS mailing list