Re: [TLS] Mail regarding draft-ietf-tls-tls13

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 20 June 2018 09:48 UTC

Date: Wed, 20 Jun 2018 12:48:08 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Ben Personick <ben.personick@iongroup.com>
Cc: TLS WG <tls@ietf.org>
Message-ID: <20180620094808.GA23612@LK-Perkele-VII>
References: <BN7PR14MB23560D791932A8CB164C592D917F0@BN7PR14MB2356.namprd14.prod.outlook.com> <897AC345-0832-4252-9D96-5A030CBEAD25@dukhovni.org> <cc5fe1d8-b065-4f30-8b76-57714aea1949@iongroup.com> <7D370F20-3C5C-4347-9EA3-3F0F61458377@dukhovni.org> <5fdded19-da5c-4d23-a0e3-e4e9e905f7aa@iongroup.com> <085E5CF6-0879-48DE-A8C5-A3C8F5C48F86@akamai.com> <BN7PR14MB2356778AD43FDB1ED5F229D591700@BN7PR14MB2356.namprd14.prod.outlook.com>
In-Reply-To: <BN7PR14MB2356778AD43FDB1ED5F229D591700@BN7PR14MB2356.namprd14.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bOYXZRtQX1CzjslOeRMGR6m9eeg>
Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13

On Tue, Jun 19, 2018 at 03:17:26PM +0000, Ben Personick wrote:
> Hi Rich,
>   Yes, I meant ECDHE_ECDSA and ECDHE_RSA are both supported in TLS 1.3, I’d been led to believe that all RSA-based ciphers were not supported.
> 
>  Having seen some further responses, it appears it is only the non-ECDHE RSA-based ciphers which are having support dropped in TLS 1.3.
> 
>   I.e. all non-Elliptic-Curve Diffie-Hellman ciphers (e.g. AES-256 w/o DH, with DH or EDH/DHE, but not ECDHE_RSA).
> 
>   And yeah, it’s been my experience everywhere, but I was pretty pumped up to have a better reason to push to start implementing ECDHE_ECDSA ciphers in addition to our existing ciphers.

I made a list of all supported cryptographic algorithms in base
TLS 1.3:

- Algorithms marked with [W] are widely supported.
- If preshared keys are used, no signatures are used (lightens load at
  cost of poor scalability).
- If preshared keys are used, those may be combined with asymmetric key
  exchange (or may be used alone, giving very light but poorly scalable
  key exchange).
- There are no protocol-level constraints on mixing and matching
  algorithms of different kinds (except symmetric cipher and handshake
  hash). The server might tweak relative preferences to try to avoid wide
  mismatches in strength, but MUST enable the full cartesian product.
- Most work in TLS 1.2 too, if supported:
  - The negotiation for classical Diffie-Hellman is broken in TLS 1.2,
    leading many clients to just disable classical Diffie-Hellman
    (1.3 fixes this issue).
  - Classical Diffie-Hellman can only be combined with RSA signatures
    (others can be combined with all signature types).

Asymmetric key exchanges:

- Elliptic-curve Diffie-Hellman (ECDH) using NIST P-256 curve [W]
- Elliptic-curve Diffie-Hellman (ECDH) using NIST P-384 curve [W]
- X25519 key exchange (a.k.a. Curve25519) [W]
- Elliptic-curve Diffie-Hellman (ECDH) using NIST P-521 curve
- X448 key exchange
- Diffie-Hellman with p=Pe(2048, 560316)
- Diffie-Hellman with p=Pe(3072, 2625351)
- Diffie-Hellman with p=Pe(4096, 5736041)
- Diffie-Hellman with p=Pe(6144, 15705020)
- Diffie-Hellman with p=Pe(8192, 10965728)

Where: Pe(n,x) = 2^n-2^(n-64)+{[2^(n-130)*e]+x}*2^64-1 (an n-bit
prime)

Signature algorithms:

- RSA-PSS using SHA-256 (using generic RSA or RSA-PSS keys)[W]
- RSA-PSS using SHA-384 (using generic RSA or RSA-PSS keys)[W]
- RSA-PSS using SHA-512 (using generic RSA or RSA-PSS keys)[W]
- ECDSA using NIST P-256 curve and SHA-256[W]
- ECDSA using NIST P-384 curve and SHA-384[W]
- ECDSA using NIST P-521 curve and SHA-512[W]
- RSA PKCS#1v1.5 using SHA-256 (certificate signing only)[W]
- RSA PKCS#1v1.5 using SHA-384 (certificate signing only)[W]
- RSA PKCS#1v1.5 using SHA-512 (certificate signing only)[W]
- Ed25519
- Ed448

Symmetric algorithms:

- 128-bit AES in GCM mode with SHA-256 handshake hash.[W]
- 256-bit AES in GCM mode with SHA-384 handshake hash.[W]
- 256-bit ChaCha20 and Poly1305 with SHA-256 handshake hash.[W]
- 128-bit AES in CCM mode with SHA-256 handshake hash.
- 128-bit AES in CCM(64-bit tag) mode with SHA-256 handshake hash.


-Ilari
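The Pe(n, x) construction from the message, worked through as an added example (not code from the message or from any TLS implementation): it rebuilds the five finite-field groups from the (n, x) pairs listed above under their RFC 7919 names, reads the square brackets in the formula as the floor function, and checks that each result has the expected shape and that both p and (p-1)/2 pass a Miller-Rabin test.

```python
# Reconstructs the TLS 1.3 FFDHE primes from the message's Pe(n, x) formula in exact
# integer arithmetic; the bits of e come from summing 2^(k+G) // i! with G guard bits.
FFDHE_GROUPS = {  # (n, x) as listed in the message, under their RFC 7919 names
    "ffdhe2048": (2048, 560316),
    "ffdhe3072": (3072, 2625351),
    "ffdhe4096": (4096, 5736041),
    "ffdhe6144": (6144, 15705020),
    "ffdhe8192": (8192, 10965728),
}

def floor_e_shifted(k, guard=64):
    """Return floor(e * 2^k) exactly, from the series e = sum(1 / i!)."""
    term = 1 << (k + guard)      # 2^(k+guard) / 0!
    total, i = term, 1
    while term:                  # ends once 2^(k+guard) // i! == 0
        term //= i               # nested floor division is exact here
        total += term
        i += 1
    # total is below e*2^(k+guard) by fewer than i+1 units; refuse to guess near a carry
    if (total & ((1 << guard) - 1)) > (1 << guard) - i - 2:
        raise ArithmeticError("guard bits insufficient; retry with a larger guard")
    return total >> guard

def ffdhe_prime(n, x):
    """Pe(n, x) from the message: an n-bit prime with 64 one-bits at each end."""
    return (1 << n) - (1 << (n - 64)) + ((floor_e_shifted(n - 130) + x) << 64) - 1

def is_probable_prime(p, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases for odd p > 37: a sanity check, not a proof."""
    d, r = p - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        y = pow(a, d, p)
        if y in (1, p - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, p)
            if y == p - 1:
                break
        else:
            return False
    return True

def check_group(name):
    """True if p has the expected shape and p and (p-1)/2 both pass Miller-Rabin."""
    n, x = FFDHE_GROUPS[name]
    p, ones64 = ffdhe_prime(n, x), (1 << 64) - 1
    shape_ok = p.bit_length() == n and p & ones64 == ones64 and p >> (n - 64) == ones64
    return shape_ok and is_probable_prime(p) and is_probable_prime((p - 1) // 2)
```

Running the safe-prime check on the 8192-bit group takes noticeably longer than the smaller ones; the shape check alone is instant for all five.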