Re: [TLS] Some questions about TLS False Start and symmetric ciphers.
Bodo Moeller <bmoeller@acm.org> Thu, 09 January 2014 09:39 UTC
Return-Path: <SRS0=d0zJ=WP=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BED91ADF5A for <tls@ietfa.amsl.com>; Thu, 9 Jan 2014 01:39:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.467
X-Spam-Level:
X-Spam-Status: No, score=-1.467 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.538, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zweqMOWcNwN5 for <tls@ietfa.amsl.com>; Thu, 9 Jan 2014 01:39:44 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.10]) by ietfa.amsl.com (Postfix) with ESMTP id 0A79A1AE146 for <tls@ietf.org>; Thu, 9 Jan 2014 01:39:44 -0800 (PST)
Received: from mail-ob0-f179.google.com (mail-ob0-f179.google.com [209.85.214.179]) by mrelayeu.kundenserver.de (node=mrbap0) with ESMTP (Nemesis) id 0LpPm9-1VVisa1R0n-00ey0I; Thu, 09 Jan 2014 10:39:34 +0100
Received: by mail-ob0-f179.google.com with SMTP id wm4so2983206obc.24 for <tls@ietf.org>; Thu, 09 Jan 2014 01:39:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4mmEgj+96FrEbSjpWhpPf6CV37mSQ3WdP4bFhSuM6PQ=; b=bSZ9JU4dTvRyAIqZV76RMFAQkaBqKDDrfcpCarVOduAkz9/Y5pmzUesLRPGT+5zl0f qAH3Ffk0RIFGn7dpYDQESEXkFWKlATOW5tIIHJW7xle7i87TWpncbIbZt/0yOU/B4/pn iJp0PC54+tdfujyNb6vykjpSvc5+smYr6AVAHWVp2FLl2t4qNYDn2wSDPQD1AjJU8gDv EIk+asAq1s1a68OGBJa4Tqu3h8FbuTPWhi17B9EJ8f3wOBbEU23k8dkToPm6w0OB6sd0 ZaVsQxLQ/tNIb5SWRp8Af8MZyj/CjQY+4LcNNCyq0GCYzhrzyrtT17a+xSwDVsVPszsa zN+Q==
MIME-Version: 1.0
X-Received: by 10.60.233.9 with SMTP id ts9mr563697oec.65.1389260372028; Thu, 09 Jan 2014 01:39:32 -0800 (PST)
Received: by 10.60.142.129 with HTTP; Thu, 9 Jan 2014 01:39:31 -0800 (PST)
In-Reply-To: <CANOyrg9m6iQ94Vk+eQ752DJkv6w97qDNADQmg+WmR+fOQ1WXLg@mail.gmail.com>
References: <CANOyrg9m6iQ94Vk+eQ752DJkv6w97qDNADQmg+WmR+fOQ1WXLg@mail.gmail.com>
Date: Thu, 09 Jan 2014 10:39:31 +0100
Message-ID: <CADMpkcLvOF9QFcDss1_Xx0SwV=dp_Ebi1_gXT=KEbVrinaAu9Q@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Fabrice Gautier <fabrice.gautier@gmail.com>
Content-Type: multipart/alternative; boundary="001a11369dc2f9bbf704ef86623b"
X-Provags-ID: V02:K0:j+91m6LQkD69qf0u/caqXRIltDLFVUmt6tvAd8SdtPY Z6KeDsgyElU5qspmOE0AIsnZeikIzwwdKvnWuf4Wd+/79hsFKg kbamRFRGsDcnTEz+blQR8vRJvwDEyGfFfTj7kUn1zjxud5CK59 NvHIkhEJuDblpJFVTqZjc6TY+VXOWZWlN/Ac8KZq8VAhoh5eGH iyxbC71jmSjRD2uUdnErRZ0lGZhdfeQZy+yDFe0IJS3H2Qq+xC RUe2ttd4l+I1QlD7pfckpB7tdyplLOpZObtjghFECuoSKqzED9 9Ae080tCNYDk4a2QU98adwwJfP6Q2G4hAeQYgjRLee94kACMOe DL80gQurNhnJp2Phkq0bnNblYVLxvvzwyIn8Ogd4ilvFGLkijb W9ZiErpk0ieXKSXKioQYSDqwBVYmSuiGrdfaOGtcsVC5FzrXuS h9TB/
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Some questions about TLS False Start and symmetric ciphers.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 09:39:46 -0000
> > > 1) http://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00 is a > few years old. Was there any intent to make this an actual RFC at some > point ? > Yes. There just hasn't been anything essentially new to say for the spec, and the philosophical problem that we ran into remains -- while False Start works without problems with the huge majority servers (even though they haven't been specifically written for it) and is also used a lot in practice, it appears that some server implementors insist that they wouldn't like to be bound by *having* to interoperate with that. While otherwise we could bootstrap False Start compatibility by, say, making it a formal requirement with certain new ciphersuites or new TLS extensions, this unfortunately makes it hard to proceed with meaningful standardization (other than by waiting for TLS 1.3). With a bit of express working group enthusiasm, I could be enticed to create a new I-D version to at least formally un-expire it for now, though. > > > 2) What was the rational for leaving some symmetric ciphers out of the > white list. > In particular, why was 3DES not part of the whitelist, and should RC4 > still be on the whitelist ? > > My understanding is that even the best attacks on 3DES and RC4 still > require an attacker to capture many messages, so that capturing a > single encrypted message due to false start does not give you much > advantage. > As Adam has pointed out, we really should be removing RC4 from the suggested whitelist now. (3DES has less than 128 bits of security, which was the reasonable even if somewhat arbitrary threshold we picked.) Note that thinking that it's only about a *single* message is, these days at least, at trap -- clients could easily try to send the same secret over many independent connections that they try to establish with the same server. If that cipher is merely a "fallback" cipher that the real server wouldn't have picked voluntarily (given the other options offered by the client), this could weaken security. > Or putting it another way: If a cipher is considered not good enough > for False Start, why would it be good enough for TLS without False > Start ? Because without False Start, you have authenticated confirmation from the server that the cipher is good enough for that server. Bodo
- [TLS] Some questions about TLS False Start and sy… Fabrice Gautier
- Re: [TLS] Some questions about TLS False Start an… Adam Langley
- Re: [TLS] Some questions about TLS False Start an… Nikos Mavrogiannopoulos
- Re: [TLS] Some questions about TLS False Start an… Bodo Moeller