Re: [TLS] No algorithm specified for server to pick cipher suite in TLS
Martin Rex <mrex@sap.com> Mon, 15 November 2010 14:20 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 649013A6C37 for <tls@core3.amsl.com>; Mon, 15 Nov 2010 06:20:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.757
X-Spam-Level:
X-Spam-Status: No, score=-9.757 tagged_above=-999 required=5 tests=[AWL=-0.108, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8kiGLH3nSiXR for <tls@core3.amsl.com>; Mon, 15 Nov 2010 06:20:27 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 045303A68D4 for <tls@ietf.org>; Mon, 15 Nov 2010 06:20:26 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id oAFEL7dF022131 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 15 Nov 2010 15:21:07 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201011151421.oAFEL5bG022504@fs4113.wdf.sap.corp>
To: Tilman.Sommer@vector.com
Date: Mon, 15 Nov 2010 15:21:05 +0100
In-Reply-To: <2ABA8F1B102AFF40AC1374976440C8DC07801F33@vistrex1.vi.vector.int> from "Sommer, Tilman" at Nov 12, 10 03:01:58 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] No algorithm specified for server to pick cipher suite in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Nov 2010 14:20:28 -0000
Sommer, Tilman wrote: > > Neither in RFC5246 nor its predecessors, there seems to be > no algorithm specified how the server should pick the cipher suite > to be used in the "server hello" message. > > Indications I found in the internet said that the server would > pick the "strongest" cipher suite of the intersection, > which spawns the question about how the strength of a cipher > suite is ultimately determined. > > Key length of the encryption key is not a good indicator, > since the strength of algorithms may be judged differently over time > when vulnerabilities are detected, so I would think > the best option is to leave the order of precedence up to > the server's administrator. Yes, that is rougly it. The client has the privilege to propose a set of "acceptable" cipher suites, and the server has the privilege to select a common cipher suite from the intersection of what the client offers and what the server prefers. Although some SSL&TLS implementations (including OpenSSL) had originally used the client-offered list of cipher suites taking precendence over the server's list, most implementation today probably have the servers preference list taking precedence over the one sent by the client. Unless the server admin configures his preferred cipher suites, there is probably a default preference provided by whatever TLS implementation is used for the server, or a default preference requested by the application. Performance seems to be one of the concerns (as you can see from TLSv1.2 with the SHA256-based PRF not being enabled by default on newer Microsoft Platforms). Traditionally, the SSL_RSA_WITH_RC4_128_* have the best performance, and SSL_RSA_WITH_3DES_EDE_CBC_SHA is much slower. TLS_RSA_WITH_AES_128_CBC_SHA (rfc3268) is probably somewhere between the two (for pure software-based crypto). Some newer CPUs have crypto hardware-support for specific algorithms or algorithm primitives (ultrasparc T2, PowerPC, Intel Core i*), so depending on which of those features can be actually used by server TLS implementations the relative performance among TLS cipher varies. In contrast to SSLv2, the integrity protection traffic keys are not artificially limited in SSLv3/TLS, but depend primarily on the hash algorithm that is used and the keysize of the server credential and the keysize of the key pair that is used for the key exchange (key agreement). For vanilla RSA cipher suites, it is only the keysize of the server credential, as that is used for key exchange. -Martin
- [TLS] No algorithm specified for server to pick c… Sommer, Tilman
- Re: [TLS] No algorithm specified for server to pi… Michael D'Errico
- Re: [TLS] No algorithm specified for server to pi… Martin Rex