Re: [TLS] Remove signature algorithms from cipher suites in 1.3

Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Tue, 23 December 2014 12:11 UTC

Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8DEE1ACDBF for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 04:11:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gnYBI-gCQI1j for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 04:11:29 -0800 (PST)
Received: from argon.maxg.info (argon.maxg.info [94.23.252.34]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EBF51ACDB9 for <tls@ietf.org>; Tue, 23 Dec 2014 04:11:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID; bh=LXg72S7uiLiXAXu8IN4zwGyIH3GJKm97VBRpxmiDQsU=; b=U5mMzfWD2unPAnR5s63HxlUn1v5A4XXxoCsTlkzpizRFS02rhSgqrZlYSj5tw17B488AtU1JMTL4mLI9W0xCduGd6bL1vtupt+Q+WUFwduflg+hxr8037kjjPCDyLPqH;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (envelope-from <antoine@delignat-lavaud.fr>) id 1Y3OJC-0001OY-LS for tls@ietf.org; Tue, 23 Dec 2014 13:11:28 +0100
Message-ID: <54995BD6.8000504@delignat-lavaud.fr>
Date: Tue, 23 Dec 2014 13:11:02 +0100
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tls@ietf.org
References: <5498DBCE.1070909@delignat-lavaud.fr> <CAFewVt7RiMfQTv=mkWAgUJLiy9+VSKGVT21QHauR36f4PZFp7g@mail.gmail.com>
In-Reply-To: <CAFewVt7RiMfQTv=mkWAgUJLiy9+VSKGVT21QHauR36f4PZFp7g@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/b6-1VN32QE4DDNzGTenkgSFuXhs
Subject: Re: [TLS] Remove signature algorithms from cipher suites in 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Dec 2014 12:11:32 -0000

Le 12/23/2014 7:07 AM, Brian Smith a écrit :
> How would your proposal change if signature-less authentication
> mechanisms were added (later)? How would we indicate support for the
> signature-less authentication?

Such schemes would either require an extension or a custom cipher suite 
because of their different state machine.

>
>> In this design, keeping the legacy of including the signature algorithm to
>> be used in the ServerCertificateVerify message within the selected cipher
>> suite name can be a burden to the modularity and extensibility of the
>> protocol, since adding support for new signature algorithms comes at the
>> cost of an exponential increase in the length of the list of cipher suites
>> sent by the client, even though the security guarantees of the handshake are
>> now fully modular w.r.t authentication goals achieved by certificate and
>> signatures.
> In theory, that sounds like a problem. Is it really a problem in
> practice, if we're not concerned about the specific case of RSA-PSS? On the other hand, nobody has ever seemed to want TLS_DHE_ECDSA_* cipher suites, so it doesn't seem like it caused any problem.

Right now, it isn't a problem in practice, but it is not clear either 
that DSA (maybe in danger of being removed?), ECDSA and PKCS#1v1.5 are a 
good set of signature algorithms to commit to for the long run. Even in 
the short term, a MAC-based signature scheme may be useful for PSK and 
resumption.

>
>> - For compatibility with previous protocol versions, existing cipher suite
>> names are preserved; however, servers MUST NOT select any cipher suite that
>> includes a signature algorithm other than RSA in a 1.3 handshake;
> What is the practical advantage of having this restriction? I would be
> concerned that there might be an interoperability loss if servers
> choose TLS_ECDHE_RSA_* but use an ECDSA certificate. It would be good
> to see some measurement of the effects of doing that, but it is
> difficult to do such measurement. I think there should be a clear
> benefit to the restriction in order to justify the effort to measure
> if it would work.

An alternative would be to allow any pre-1.3 cipher suite to be used, 
while allowing the signature algorithm used to authenticate the server 
may be different from the one included in the cipher suite name (e.g. 
server picks TLS_DHE_RSA_* but signs CertificateVerify with PSS).

> Many (most?) clients already work this way, so I don't think this
> would be too controversial. But, it seems better for the server to
> choose the cipher suite that best identifies the signature algorithm
> that it actually uses (e.g. TLS_x_ECDSA_* for a ECDSA certificate),
> instead of always using the RSA one.

Indeed, even miTLS works like this in TLS 1.2 even though this behavior 
is not permitted by current specification. As I said, I am not 
particularly set on the specifics of how to make the transition from 
pre-1.3 cipher suite names, and I'm fine with what you suggest.

>
>> The main motivation for proposing these changes is to introduce support for
>> PSS signatures in TLS and in certificates.
> Why should anybody add any new RSA-based signature scheme now?
> Shouldn't we let the RSA algorithm die off with Windows XP and other
> ancient stuff? If we're not happy with ECDSA because of the
> requirement for a perfect PRNG for randomized signatures, why not just
> specify that ServerKeyExchange in TLS 1.3 MUST use deterministic ECDSA
> signatures when an ECDSA certificate is used, or something similar
> that has similar server-side efficiency as ECDSA? There's got to be
> better alternatives to spending time tweaking support for RSA.

It is currently impossible to get a non-RSA certificate signed by any 
public CA (I know because I tried hard to get one). Only Google can 
concretely deploy EC certs today. Hence, there's is currently NO 
alternative to RSA signatures for authentication.

By the way, it may be a good idea to recommend or mandate RFC6979-style 
deterministic ECDSA signatures in TLS to prevent entropy-exhaustion 
attacks against clients and servers. Off-topic though.

Best,

Antoine