[TLS] TLS 1.2 and hash agility for signatures
<Pasi.Eronen@nokia.com> Tue, 06 March 2007 11:01 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOXQT-0004eh-Ii; Tue, 06 Mar 2007 06:01:49 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOXQR-0004eR-7n for tls@ietf.org; Tue, 06 Mar 2007 06:01:47 -0500
Received: from smtp.nokia.com ([131.228.20.172] helo=mgw-ext13.nokia.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HOXQP-00018L-Ne for tls@ietf.org; Tue, 06 Mar 2007 06:01:47 -0500
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-ext13.nokia.com (Switch-3.2.5/Switch-3.2.5) with ESMTP id l26B1g0G027982 for <tls@ietf.org>; Tue, 6 Mar 2007 13:01:43 +0200
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 6 Mar 2007 13:01:32 +0200
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 6 Mar 2007 13:01:32 +0200
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 06 Mar 2007 13:01:42 +0200
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2403D821E1@esebe105.NOE.Nokia.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: TLS 1.2 and hash agility for signatures
Thread-Index: Acdf3tLGYRCEwfjbQX+4t6pG0icFRA==
From: Pasi.Eronen@nokia.com
To: tls@ietf.org
X-OriginalArrivalTime: 06 Mar 2007 11:01:32.0568 (UTC) FILETIME=[CCBD3980:01C75FDE]
X-eXpurgate-Category: 1/0
X-eXpurgate-ID: 149371::070306130143-63213BB0-3EAC7AC9/0-0/0-1
X-Nokia-AV: Clean
X-Spam-Score: 0.2 (/)
X-Scan-Signature: c3a18ef96977fc9bcc21a621cbf1174b
Cc:
Subject: [TLS] TLS 1.2 and hash agility for signatures
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
There's one area in TLS 1.2 that still doesn't give me a warm fuzzy feeling that "yes, this is the way it should be done", and that's the algorithm agility for signatures (in certificates and ClientKeyExchange/ServerKeyExchange messages). I'd like to get some more discussion about this, and fresh ideas on what's the best way to implement it in TLS 1.2. Some issues that don't yet seem right: 1) Asymmetry: The server sends its list of supported hashes in the CertificateRequest message, together with list of trusted CAs (DNs) and ClientCertificateTypes. The client sends the list of supported hashes in cert_hash_types extension, list of trusted CAs (DNs or hashes) in trusted_ca_keys extension, and there's no equivalent of ClientCertificateType. In addition, we have the "cert_type" extension for non-X.509 certs (draft-ietf-tls-openpgp-keys). To make things worse, ClientCertificateTypes field seems quite redundant, since at this point we already know the ciphersuite, and that limits our choice (it doesn't make sense to request dss_sign certificate if you've already negotiated RSA ciphersuite). Or if it's not redundant, then we need more text in the spec explaining why not. Perhaps we can't avoid this asymmetry completely, but is there any way to make this a bit nicer? Perhaps remove the ClientCertificateTypes field in TLS 1.2, and use cert_hash_types extension also from server to client? 2) Wrong concept: instead of telling what hash algorithms we support we'd really like to tell what kinds of signatures we can verify. E.g. for RSA, we have at least three different schemes (PKCS#1 v1.5, PSS and ANSI X9.32), all of which can be used with different hashes. And we also have DSS and ECDSA. For TLS level signatures (ServerKeyExchange/CertificateVerify), some part of this is already determined by the ciphersuite's key exchange algorithm (e.g. RSA here means PKCS#1 v1.5; if someone wants to use RSA PSS we'd define new ciphersuites). But for certificates, the situation is not the same; we could have certificate containing RSA public key signed with DSS, or something. Should we have signature_schemes extension instead of cert_hash_types? (with values like rsa_pkcs15_sha256, dss_sha1, ecdsa_sha512, etc.) Or separate lists for certificate signatures and signatures in TLS? 3) Tying algorithm in ServerKeyExchange/CertificateVerify and certificate. The current spec says that for RSA, signatures in TLS (ServerKeyExchange and CertificateVerify) use the same hash as was used by the CA in the certificate. The idea itself is not wrong: if you're worried about using SHA-1, then it's much more important to use something better in certificates (usually long-lived) than in ServerKeyExchange/CertificateVerify (which include fresh nonces, and are verified only once immediately following signature generation -- so offline attacks don't count). However... what if the cert isn't signed with RSA? Or it's signed with RSA PSS? And is it OK to require the peer to parse its own certificate (something not previously required)? Perhaps we should decouple these? 4) RSA-specific text. It looks like much of the text (and whole cert_hash_types) is really specific to RSA ciphersuites, since the spec fixes SHA-1 for DSS, and RFC4492 specifies that for ECDSA, the hash is always SHA-1 unless otherwise specified by yet-unspecified extension in the certificate. It may not be possible to avoid RSA-specific text, but then it should be easy to see what parts are specific to RSA and what are not. And we should probably plan for hash agility in DSS as well? Comments? I think we'd want something reasonably simple in the spec, but on the other hand, it should be technically coherent as well. I'm planning to sketch something before Prague, but any kinds of ideas (or alternative ways of looking at the problem) would be welcome... Best regards, Pasi _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] TLS 1.2 and hash agility for signatures Pasi.Eronen
- Re: [TLS] TLS 1.2 and hash agility for signatures Bodo Moeller
- Re: [TLS] TLS 1.2 and hash agility for signatures Mike
- RE: [TLS] TLS 1.2 and hash agility for signatures Pasi.Eronen
- Re: [TLS] TLS 1.2 and hash agility for signatures Martin Rex
- RE: [TLS] TLS 1.2 and hash agility for signatures Pasi.Eronen
- Re: [TLS] TLS 1.2 and hash agility for signatures Bodo Moeller
- RE: [TLS] TLS 1.2 and hash agility for signatures Pasi.Eronen
- Re: [TLS] TLS 1.2 and hash agility for signatures Bodo Moeller