IETF Logo Mail Archive

Re: [TLS] security levels for TLS

Eric Rescorla <ekr@networkresonance.com> Sat, 13 October 2007 00:04 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgUUR-0004kQ-Be; Fri, 12 Oct 2007 20:04:23 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1IgUUP-0004fr-RD for tls-confirm+ok@megatron.ietf.org; Fri, 12 Oct 2007 20:04:22 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IgUUP-0004fj-Hl for tls@lists.ietf.org; Fri, 12 Oct 2007 20:04:21 -0400
Received: from [209.213.211.195] (helo=delta.rtfm.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IgUUO-0002e4-Ax for tls@lists.ietf.org; Fri, 12 Oct 2007 20:04:21 -0400
Received: from delta.rtfm.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id F21A233C21; Fri, 12 Oct 2007 17:00:10 -0700 (PDT)
Date: Fri, 12 Oct 2007 17:00:10 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mike <mike-list@pobox.com>
Subject: Re: [TLS] security levels for TLS
In-Reply-To: <4710000A.7020006@pobox.com>
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <470FC52E.6080707@pobox.com> <p06240828c3357a914a76@[192.168.1.3]> <200710122237.30517.nmav@gnutls.org> <20071012200032.70EEA33C23@delta.rtfm.com> <4710000A.7020006@pobox.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20071013000010.F21A233C21@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 0fa76816851382eb71b0a882ccdc29ac
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

At Fri, 12 Oct 2007 16:15:22 -0700,
Mike wrote:
> 
> >>> Confusing and/or giving users false senses of security are definitely
> >>> negative.
> >> Actually I think the latter sentence describes the current situation!
> > 
> > How so? Nothing at all stops you from putting any indicator you
> > like in your code. Why does IETF have to standardize it?
> 
> I think there is some mis-communication going on.  I have never
> even mentioned the IETF standardizing an "indicator" of security
> level.  Someone else may have, but I reject that idea as well.

Well, two things seem to be being discussed simultaneously:

1. Standardizing simplified "levels" of security which correspond to 
   cipher suites and key sizes.

   E.g., STRONG would be symmetric algorithm X or Y with asymmetric
	 algorithm A and key size a or asymmetric algorithm B with
	 key size b.
     
	 MEDIUM is symmetric algorithm W with asymmetric algorithm
	 A with key size a' or asymmetric algorithm B with key size
	 b'.
 
    This is purely a documentation issue and doesn't require any
    on-the-wire changes to TLS. 


2. Modifying TLS to allow the client to indicate the size of the
   keys/group it would like for each asymmetric algorithm. This
   is an on-the-wire protocol change. 


As I understand your messages, you've been endorsing both of these.


I'm against both of these, for related, but distinct reasons.

I'm against the former because I think it's actually very hard to
produce any reasonable standardized account of which algorithms and
key sizes fit into which level. In any case, this is something that an
implementation can easily offer without any standard, it simply will
not necessarily have the same level->algorithm mapping as another
implementation.

I'm against the second because I believe it adds marginal benefit
at a significant cost to interoperability and complexity. An 
extension like this only makes sense if:

1. Servers have a number of different kinds of keying material
   of different strengths.
2. Clients are in a position to make intelligent choices about
   which asymmetric key strengths are appropriate.

In my experience, neither is true. Moreover, it's worth noting
that in the current environment any client which attempts to
request a key > 1024 bits will find that it can connect to
practically nobody. To a first order, this is just another
way to create interop problems. 

With regard to key lengths: as I indicated before, the dominant
security issue in systems of this kind is quality of implementation
and maintenance. If you don't trust the server to choose appropriate
key sizes, why on earth would you trust that it's not chock full
of remote vulnerabilities?

-Ekr





   



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email