IETF Logo Mail Archive

Re: [TLS] integrity only ciphersuites

"Fries, Steffen" <steffen.fries@siemens.com> Tue, 21 August 2018 16:54 UTC

Return-Path: <steffen.fries@siemens.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D267B130E40 for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 09:54:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c4i3BTf8OWyZ for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 09:54:03 -0700 (PDT)
Received: from goliath.siemens.de (goliath.siemens.de [192.35.17.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07D3E130DBE for <tls@ietf.org>; Tue, 21 Aug 2018 09:54:02 -0700 (PDT)
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id w7LGrjbx005231 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 21 Aug 2018 18:53:46 +0200
Received: from DEFTHW99ERNMSX.ww902.siemens.net (defthw99ernmsx.ww902.siemens.net [139.22.70.141]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTPS id w7LGrjlr005886 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 21 Aug 2018 18:53:45 +0200
Received: from DEFTHW99ERPMSX.ww902.siemens.net (139.22.70.202) by DEFTHW99ERNMSX.ww902.siemens.net (139.22.70.141) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 21 Aug 2018 18:53:45 +0200
Received: from DENBGAT9EH2MSX.ww902.siemens.net ([169.254.6.212]) by DEFTHW99ERPMSX.ww902.siemens.net ([139.22.70.202]) with mapi id 14.03.0408.000; Tue, 21 Aug 2018 18:53:44 +0200
From: "Fries, Steffen" <steffen.fries@siemens.com>
To: "Salz, Rich" <rsalz@akamai.com>
CC: Andreas Walz <andreas.walz@hs-offenburg.de>, "tls@ietf.org" <tls@ietf.org>, "ncamwing=40cisco.com@dmarc.ietf.org" <ncamwing=40cisco.com@dmarc.ietf.org>
Thread-Topic: [TLS] integrity only ciphersuites
Thread-Index: AQHUOVRDfNtxeeJAEUKLQicbsYfTf6TKVKsw///lHQCAACHjcP//4/iAgAAsvvs=
Date: Tue, 21 Aug 2018 16:53:43 +0000
Message-ID: <8A2746A8-6B41-45C3-9D77-6AF3536C6E2D@siemens.com>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com> <64d23891-2f32-9bb8-1ec8-f4fad13cdfb9@cs.tcd.ie> <982363FD-A839-4175-BA53-7CA242F9ADA6@ll.mit.edu> <2D7F2926-6376-4B2C-BDE9-7A6F1C0FA748@gmail.com> <5B7C1571020000AC0015C330@gwia2.rz.hs-offenburg.de> <E6C9F0E527F94F4692731382340B337804AEFA24@DENBGAT9EH2MSX.ww902.siemens.net> <A51CF46A-8C5F-4013-A4CE-EB90A9EE94CA@akamai.com> <E6C9F0E527F94F4692731382340B337804AEFB10@DENBGAT9EH2MSX.ww902.siemens.net>, <D5FF0E0E-F9C3-4843-AB77-19F45E3C00D5@akamai.com>
In-Reply-To: <D5FF0E0E-F9C3-4843-AB77-19F45E3C00D5@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_8A2746A86B4145C39D776AF3536C6E2Dsiemenscom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kOTgZMNinRkSKoUqcCP3MrPZaFs>
Subject: Re: [TLS] integrity only ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 16:54:05 -0000


On 21. Aug 2018, at 18:13, Salz, Rich <rsalz@akamai.com<mailto:rsalz@akamai.com>> wrote:

Ø  If there would be support for integrity ciphers in TLS 1.3 it would enable the straight forward switch from TLS 1.2 also in these environments by keeping existing monitoring options.

Why do you want to move to TLS 1.3?  Why isn’t your existing solution good enough?


  *   [stf] Currently it is sufficient to use TLS 1.2- For certain use cases the utilized components have a rather long lifetime. One assumption is that TLS 1.3 will exist longer that TLS 1.2 and that certain software tools (also browsers) may not support TLS 1.2 in the future  …

Most browsers already do not support NULL encryption, and it is highly unlikely that any will add it for 1.3.  Have you any indication otherwise?  If you’re not going to use the algorithms in general use on the public Internet, then you should expect that standard clients such as browsers, will not work.  PeterG can attest to this. :)

True. I was more referring to an embedded device, which currently supports TLS 1.2 (for using integrity only) for machine to machine communication  If this device is accessed by a service technician, it will also use today cipher suites with encryption. If a browser provider decides to deprecate TLS 1.2 in the future, access by standard software would be hindered. This would end up in a device supporting TLS 1.3 for service technicians access and 1.2 for machine to machine communication to (still) have integrity only.

v2.23.0 | Report a Bug | By Email