Re: [TLS] Fresh results

Dave Garrett <davemgarrett@gmail.com> Tue, 01 December 2015 23:56 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Tue, 01 Dec 2015 18:56:36 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fDiZI4nsWPzyeq725pELB-qtn38>

On Tuesday, December 01, 2015 02:28:49 pm Watson Ladd wrote:
> https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf

This analysis was done against TLS 1.3 draft 07 from July. It changed to RSA-PSS signatures for handshake messages in draft 09. (current is draft 11; draft 12 is pending) This doesn't seem to change anything, though. QUIC also uses PSS.

> This one looks very nasty to fix. Short of disallowing the use of RSA
> certificates for TLS 1.2 with the RSA handshake and in TLS 1.3, I
> don't see a good fix. I haven't read this paper in detail yet.

I think it's reasonable at this point to publish a diediedie RFC for plain RSA use in all TLS versions and mandate expectation of (EC)DHE with RSA (or any certificate) everywhere. This technically wouldn't apply to IE6 on XP, as that's generally using SSL3, which already got its diediedie (MS left TLS 1.0 off by default forever; anyone who can fix that can install something less than 15 years old). IE7+ on Vista+ & Java 6+ support FS RSA cipher suites.

> Cross-protocol attacks are the gift that keeps giving.

Or, yet another lesson that just deprecating old features with new protocols is not enough. Keeping known-weak features around forever for backwards compatibility always seems to hurt you eventually.


Dave
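
The policy proposed in the message above (refuse plain RSA key exchange in every TLS version and require (EC)DHE, even with RSA certificates), written as a server-side suite-selection check. This is an added example, not part of the original message: the code point table is a small subset of the IANA registry, and the ClientHello vectors and server preference list are constructed.

```python
import struct

# Subset of IANA TLS cipher suite code points: id -> (name, key exchange).
SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}
FORWARD_SECRET = {"DHE", "ECDHE"}

def parse_cipher_suites(vector):
    """Decode a ClientHello cipher_suites vector: uint16 length, then uint16 ids."""
    if len(vector) < 2:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("!H", vector, 0)
    if length % 2 or length != len(vector) - 2:
        raise ValueError("length prefix does not match body")
    return list(struct.unpack_from(f"!{length // 2}H", vector, 2))

def select_suite(offered, server_pref):
    """First server-preferred suite the client offered that is forward secret."""
    offered = set(offered)
    for cid in server_pref:
        if cid in offered and SUITES[cid][1] in FORWARD_SECRET:
            return cid
    return None  # caller sends handshake_failure; no fallback to static RSA

def audit(offered):
    """Sort the client's offer into forward-secret, static RSA and unknown."""
    report = {"fs": [], "static_rsa": [], "unknown": []}
    for cid in offered:
        name, kx = SUITES.get(cid, (f"0x{cid:04X}", None))
        key = "fs" if kx in FORWARD_SECRET else "static_rsa" if kx == "RSA" else "unknown"
        report[key].append(name)
    return report

# Constructed vectors: a modern offer (ECDHE-RSA, two static RSA suites, SCSV 0x00FF)
# and a legacy offer containing only static RSA suites.
SAMPLE = bytes.fromhex("0008" "c02f" "009c" "002f" "00ff")
LEGACY = bytes.fromhex("0004" "002f" "000a")
SERVER_PREF = [0x009C, 0xC02F, 0x002F]  # constructed; static RSA listed first on purpose

if __name__ == "__main__":
    print(audit(parse_cipher_suites(SAMPLE)))
    print(select_suite(parse_cipher_suites(SAMPLE), SERVER_PREF))
```

Even with a static RSA suite first in the server's preference list, selection lands on the ECDHE suite, and a client that offers only static RSA gets no suite at all.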