Re: [TLS] AD review of draft-ietf-tls-md5-sha1-deprecate-03

Sean Turner <sean@sn3rd.com> Mon, 05 October 2020 15:19 UTC

From: Sean Turner <sean@sn3rd.com>
Date: Mon, 05 Oct 2020 11:19:14 -0400
Cc: TLS List <tls@ietf.org>, draft-ietf-tls-md5-sha1-deprecate.all@ietf.org
To: Roman Danyliw <rdd@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/goSiyq4bLtnzSTXgpdl0_CnpWS8>
Subject: Re: [TLS] AD review of draft-ietf-tls-md5-sha1-deprecate-03

Roman,

Thanks for your review. Some comments inline.

spt

> On Oct 2, 2020, at 19:42, Roman Danyliw <rdd@cert.org> wrote:
> 
> Hi!
> 
> I've assumed the role of responsible AD on this document.  As such, I performed an AD review of draft-ietf-tls-md5-sha1-deprecate-03.  
> 
> Thanks for writing this document to address an important crypto maintenance task in TLS v1.2.  I have a few clarifying and pro forma editorial items of feedback.
> 
> ** Please address the following IDNits:
> 
> -- The document seems to lack an IANA Considerations section.  (See Section
>     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
>     when there are no actions for IANA.)

Addressed via:
https://github.com/tlswg/draft-ietf-tls-md5-sha1-deprecate/pull/7

Comments about one below, but the remaining are addressed via:
https://github.com/tlswg/draft-ietf-tls-md5-sha1-deprecate/pull/8

> -- The draft header indicates that this document updates RFC5246, but the
>     abstract doesn't seem to mention this, which it should.
> 
> -- The draft header indicates that this document updates RFC7525, but the
>     abstract doesn't seem to mention this, which it should.
> 
> ** Section 1.  Editorial. 
> -- s/RFC 5246 [RFC5246]/[RFC5246]/
> 
> -- s/RFC 6151 [RFC6151]/[RFC6151]/
> 
> -- s/RFC7525 [RFC7525]/[RFC7525]/
> 
> ** Section 1.  Editorial.  For symmetry with the rest of the text:
> 
> OLD
> RFC 6151 [RFC6151]
>   details the security considerations, including collision attacks for
>   MD5, published in 2011.  
> 
> NEW
> In 2011, [RFC6151]  detailed the security considerations, including collision attacks for MD5.  
> 
> ** Section 1.  Please provide a reference for "Wang, et al".  Is there a reference to provide for "the potential for brute-force attack"?

For the Wang attack we used the following reference when updating the SHA-0 and SHA-1 considerations. I put it where the collisions are first noted. I am unsure if it’s the latest and greatest:

Wang, X., Yin, Y., and H. Yu., "Finding Collisions in
                 the Full SHA-1", Crypto 2005.

<rant: I am not entirely sure I did the XML right for the reference.>

I am not sure there is a reference for the brute force potential attack, but somebody correct me if I am wrong. The way I see it, if you know the collision space is much smaller, well, you might launch said attack.

In s1.1, I also updated the paragraph to use the new paragraph and fixed the references.

> ** Section 6.  Editorial Nit. s/RFC5246 [RFC5246]/[RFC5246]/
> 
> ** Section 6.  Move the text "In Section 7.4.1.4.1: the text should be revised from" out of the "OLD" block of text to be its own intro paragraph so that the OLD vs. NEW is  a clear cut-and-paste.
> 
> ** Section 7.  Editorial. s/ RFC7525 [RFC7525]/[RFC7525]/
> 
> ** Section 7.  SHA-1 is also not mentioned in RFC7525.  Recommend:
> 
> OLD
> The prior text did not explicitly include
>   MD5 and this text adds it to ensure it is understood as having been
>   deprecated.
> 
> NEW
> The prior text did not explicitly include MD5 or SHA-1; and this text adds guidance to ensure that these algorithms have been deprecated.
> 
> ** Section 7.  Editorial.  Grammar.
> 
> OLD
> In addition, the use of the SHA-256 hash algorithm is RECOMMENDED,
>   SHA-1 or MD5 MUST NOT be used
> 
> NEW
> In addition, the use of the SHA-256 hash algorithm is RECOMMENDED; and SHA-1 or MD5 MUST NOT be used
> 
> ** Section 10.2  Please make RFC5246 a normative reference.
> 
> Regards,
> Roman