Re: [TLS] Working Group Last Call for draft-ietf-tls-sslv3-diediedie-00
Michael Clark <michael@metaparadigm.com> Wed, 28 January 2015 01:57 UTC
Return-Path: <michael@metaparadigm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E06F21ACC92 for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 17:57:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.632
X-Spam-Level:
X-Spam-Status: No, score=0.632 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, MANGLED_LIST=2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I6HeI8ce8IQu for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 17:57:05 -0800 (PST)
Received: from tlsx.org (tlsx.org [67.207.128.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2A0C1ACC83 for <tls@ietf.org>; Tue, 27 Jan 2015 17:57:03 -0800 (PST)
Received: from monty.local (unknown.maxonline.com.sg [58.182.168.20] (may be forged)) (authenticated bits=0) by tlsx.org (8.14.4/8.14.4/Debian-4) with ESMTP id t0S2J2Yn005157 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 28 Jan 2015 02:19:06 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=metaparadigm.com; s=klaatu; t=1422411548; bh=WiP8eZrbT+X4mNtccHl9xEXZHP8PEwhTvUiQf3u8SBQ=; h=Date:From:To:Subject:References:In-Reply-To:From; b=kQM6Exgl1rLolVW7YHpyCNBCye5hImROZyDI6Ve/FkCVG4o0PH02Jwj02Su2xs8iN D1PtT0PWa2EyQsH5rABqxS61l67qPSRKeuGwxB4fAr2rW9uvQJPYIuprvSUVxLVoBu s1gO19U+EYUSkR8Tahyhl+NVkeQsm3TQeq+v5zNw=
Message-ID: <54C841E3.5040208@metaparadigm.com>
Date: Wed, 28 Jan 2015 09:56:51 +0800
From: Michael Clark <michael@metaparadigm.com>
Organization: Metaparadigm
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Dave Garrett <davemgarrett@gmail.com>, tls@ietf.org
References: <CAOgPGoD806Mf=wa76ixU15nGDCK91tgG4r3Sb0Us2meX4Rqk5A@mail.gmail.com> <54C7F106.9070400@azet.org> <CABkgnnUdbLnG_7DJLuVeNrK0Q2rDhNm2kRKbwMDAE7bmCr=JqQ@mail.gmail.com> <201501271815.23083.davemgarrett@gmail.com>
In-Reply-To: <201501271815.23083.davemgarrett@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.98.4 at klaatu.tlsx.org
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/hyVIS_gZvyYdU5UtQ0yVUfSq1jc>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-sslv3-diediedie-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jan 2015 01:57:07 -0000
On 28/1/15 7:15 am, Dave Garrett wrote: > On Tuesday, January 27, 2015 03:44:36 pm Martin Thomson wrote: >> On 27 January 2015 at 12:11, Aaron Zauner <azet@azet.org> wrote: >>> TLS 1.0 is only marginally different from SSLv3. I think a similar >>> document should exist for TLS 1.0. Yes I'm aware of the implications on >>> clients/servers. >> >> I think that TLS 1.0 is nearing that point too. But I'm not that >> enthusiastic about being the hitman there. Well, not yet. > > Is it at all practical to publish an TLS RFC stating intent to deprecate > TLS 1.0/1.1 within some fixed timeframe? I think everyone would rather > phase it out then have to "be the hitman" each time. > > A straw man proposal would be something like: > > 1) TLS 1.0 & 1.1 SHOULD NOT be supported by servers, effective immediately. > 2) TLS 1.0 & 1.1 MUST NOT be supported by servers after X months. > 3) TLS 1.0 & 1.1 SHOULD NOT be supported by clients after Y months. > > I know the UTA BCP I-D deals with this area too, but a specific RFC from the > TLS WG might have more impact at reducing numbers before the inevitable > catastrophic vulnerability that warrants a diediedie RFC. +1x ;-) Support draft-ietf-tls-sslv3-diediedie-00 I wholeheartedly agree with the text "(including {03,00}) as the record layer version number for ClientHello, but they MUST NOT negotiate SSLv3." Historically, TLS specifications were not clear on what the record layer version number (TLSPlaintext.version) could contain when sending ClientHello. Appendix E of [RFC5246] notes that TLSPlaintext.version could be selected to maximize interoperability, though no definitive value is identified as ideal. That guidance is still applicable; therefore, TLS servers MUST accept any value {03,XX} (including {03,00}) as the record layer version number for ClientHello, but they MUST NOT negotiate SSLv3. Still considering these two drafts neutrally (having arrived at essentially the same ideas independently before seeing these drafts) however I have some comments in light of changes in TLSv1.3: https://tools.ietf.org/html/draft-mavrogiannopoulos-tls-more-extensions-00 https://tools.ietf.org/html/draft-ietf-tls-encrypt-then-mac-03 1) "Supported Protocol Versions" "Supported Protocol Versions" could be unbundled from the draft and taken piecemeal and/or added to the TLSv1.3 draft as a well-considered SCSV alternative. Bundling with MACSecurityParameters makes it harder to swallow as one piece. It's useful now for TLSv1.2, but "MAC Security Parameter" is pork so to speak. After consideration I would support fixing { 3, 0 } at the "record layer" and support advertising versions via extension: "Supported Protocol Versions": [ { 3, 1 }, { 3, 2 }, { 3, 3 } ] Later there can be a config change to deprecate TLS 1.0, TLS 1.1 upon future advisories. Config changes are better than code changes: "Supported Protocol Versions": [ { 3, 3 }, { 3, 4 } ] With this reasoning that the record layer can essentially be fixed at the major wire version lower bound (which is not verified, so fixing it makes sense). It is a good solution as it achieves version range tamper resistance while allowing forwards and backwards compatibility. e.g. avoiding the downgrades in the case where a client decides it still wants to support TLS 1.0, when current practice differs from the spec. 2) "Supported MAC Security Parameter" somehow in light of TLSv1.3 "Supported MAC Security Parameter": [ 128, 192, 256, 384 ] This spec attempts to addresses verify_data_length issue and allows >= 128 bit tags and addresses this text (given recent cipher suites don't seem to override verify_data_length): In previous versions of TLS, the verify_data was always 12 octets long. In the current version of TLS, it depends on the cipher suite. Any cipher suite which does not explicitly specify verify_data_length has a verify_data_length equal to 12. This includes all existing cipher suites. Note that this representation has the same encoding as with previous versions. Future cipher suites MAY specify other lengths but such length MUST be at least 12 bytes. with Note: TLS 1.2 allows ciphersuites to specify individually the "verify_data_length". Implementations conforming to this document MUST ignore the ciphersuite "verify_data_length" if a "MACSecurityParameter" has been selected by the server. However see 4) where I note the undocumented implication of increasing verify_data_length which has to be done in consideration of the protection bits of the asymmetric encryption. Is this correct? 3) "Supported Encrypt-then-MAC" somehow in light of TLSv1.3 Changed in light of AEAD and in concert with "MAC Security Parameter" and in concert with MAC-then-Encrypt removal. This would require a modified version of Encrypt-then-MAC that rewords renegotiation and mention of MAC-then-Encrypt for TLSv1.3 compatibility and considers MAC Security Parameter. AEAD tag length + HMAC length = MACSecurityParameter ETM-AEAD[aead_cipher,hmac] This would give you a very firm tamper-resistant handshake supporting backwards compat to TLSv1.2 along with stronger messages authentication tags for AEAD ciphers. 4) "Support increasing verify_data_length" somehow The mechanism in https://tools.ietf.org/html/draft-mavrogiannopoulos-tls-more-extensions-00 needs to consider the constraint on the asymmetric cipher or PSK protection bits? It needs to tie the lower bound constraint of the MAC security parameter to a constraint on the asymmetric algorithm and key size and the security bits offered? * We need 3072-bit RSA keys to protect 128 bit verify_data * We need to use ECC to protect 192 or 256 bit verify_data (given a 15360-bit RSA key is required to protect 256 bits) * We don't want the MAC Security mechanism to leak asymmetric key bits We're going to need a tiny constraints solver. This is a SAT problem.
- [TLS] Working Group Last Call for draft-ietf-tls-… Joseph Salowey
- Re: [TLS] Working Group Last Call for draft-ietf-… Andrei Popov
- Re: [TLS] Working Group Last Call for draft-ietf-… Xiaoyin Liu
- Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
- Re: [TLS] Working Group Last Call for draft-ietf-… Geoffrey Keating
- Re: [TLS] Working Group Last Call for draft-ietf-… Dave Garrett
- Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
- Re: [TLS] Working Group Last Call for draft-ietf-… Stephen Checkoway
- Re: [TLS] Working Group Last Call for draft-ietf-… Aaron Zauner
- Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
- Re: [TLS] Working Group Last Call for draft-ietf-… Dave Garrett
- Re: [TLS] Working Group Last Call for draft-ietf-… Yuhong Bao
- Re: [TLS] Working Group Last Call for draft-ietf-… Hanno Böck
- Re: [TLS] Working Group Last Call for draft-ietf-… Aaron Zauner
- Re: [TLS] Working Group Last Call for draft-ietf-… Dave Garrett
- Re: [TLS] Working Group Last Call for draft-ietf-… Michael Clark
- Re: [TLS] Working Group Last Call for draft-ietf-… Peter Gutmann
- Re: [TLS] Working Group Last Call for draft-ietf-… Kurt Roeckx
- Re: [TLS] Working Group Last Call for draft-ietf-… Martin Rex
- Re: [TLS] Working Group Last Call for draft-ietf-… Joe Hall
- Re: [TLS] Working Group Last Call for draft-ietf-… Hubert Kario
- Re: [TLS] Working Group Last Call for draft-ietf-… Kurt Roeckx
- Re: [TLS] Working Group Last Call for draft-ietf-… Hubert Kario
- Re: [TLS] Working Group Last Call for draft-ietf-… Peter Gutmann
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
- Re: [TLS] Working Group Last Call for draft-ietf-… Stephen Checkoway
- Re: [TLS] Working Group Last Call for draft-ietf-… Joseph Salowey
- Re: [TLS] Working Group Last Call for draft-ietf-… Erik Nygren
- Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
- Re: [TLS] Working Group Last Call for draft-ietf-… Joseph Salowey
- Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
- Re: [TLS] Working Group Last Call for draft-ietf-… Martin Rex
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd