IETF Logo Mail Archive

Re: [TLS] DSS with other than SHA-1 algorithms

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 16 April 2011 08:10 UTC

Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: tls@ietfc.amsl.com
Delivered-To: tls@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id DD1E8E067D for <tls@ietfc.amsl.com>; Sat, 16 Apr 2011 01:10:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.52
X-Spam-Level:
X-Spam-Status: No, score=-3.52 tagged_above=-999 required=5 tests=[AWL=0.079, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bYs+FIxXoGJ for <tls@ietfc.amsl.com>; Sat, 16 Apr 2011 01:10:33 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfc.amsl.com (Postfix) with ESMTP id 74304E0675 for <tls@ietf.org>; Sat, 16 Apr 2011 01:10:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302941434; x=1334477434; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20juhovh@gmail.com,=20pgut001@cs.auckland.ac.nz |Subject:=20Re:=20[TLS]=20DSS=20with=20other=20than=20SHA -1=20algorithms|Cc:=20ekr@rtfm.com,=20geoffk@geoffk.org, =20simon@josefsson.org,=20tls@ietf.org|In-Reply-To:=20<4d a5d06e.ce7c0e0a.71c9.1ce4@mx.google.com>|Message-Id:=20<E 1QB0aG-0005xJ-NJ@login01.fos.auckland.ac.nz>|Date:=20Sat, =2016=20Apr=202011=2020:10:24=20+1200; bh=jGsOww1e6vVnOOpujpAnEseJBlrWVBuHEv+V+TDqqNI=; b=iQnSWdeRO048okCDLALJXHh/1LOIhGOSEvOh9chk/uDJL7+rdTcOMZSs 9f73sh454JqEnCN7ErHwuFW7Gvp6DqxOjZPCVHD1Ns2RTGqd6CxfoLFvP tsiEoa1EEazzcpipDO+G7+1LhAR/pNa8uk5jsXV2LHr4KskEqGR/XVarr k=;
X-IronPort-AV: E=Sophos;i="4.64,223,1301832000"; d="scan'208";a="57016298"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 16 Apr 2011 20:10:25 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QB0aG-0005UF-Ic; Sat, 16 Apr 2011 20:10:24 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QB0aG-0005xJ-NJ; Sat, 16 Apr 2011 20:10:24 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: juhovh@gmail.com, pgut001@cs.auckland.ac.nz
In-Reply-To: <4da5d06e.ce7c0e0a.71c9.1ce4@mx.google.com>
Message-Id: <E1QB0aG-0005xJ-NJ@login01.fos.auckland.ac.nz>
Date: Sat, 16 Apr 2011 20:10:24 +1200
Cc: simon@josefsson.org, geoffk@geoffk.org, tls@ietf.org
Subject: Re: [TLS] DSS with other than SHA-1 algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Apr 2011 08:10:36 -0000

"=?iso-8859-1?Q?Juho_V=E4h=E4-Herttua?=" <juhovh@gmail.com> writes:

>I don't see how this works, because in case of ECC the server is always
>selecting the cipher suite and sending the ServerKeyExchange, and these both
>happen between ServerHello and ServerHelloDone. What did I miss?

Say you (i.e. the server) see, and select,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, as the best suite.  Then later in the
exchange the client says, via an extension, that it wants to do P256, which
isn't really suited for use with SHA384 (unless you go through odd truncation
calisthenics, but then why use a hash with a key size that's too short for
it?), so you have to go back and reprocess the hello to see if there's
something with SHA256 present to match that.  Then you go back and reprocess
the extensions to see whether that's OK.  In the end you may end up falling
back to a non-ECC suite, depending on your heuristics.  Of course no
implementation actually does this, they just fail the handshake unless they
see the exact parameters they want.

In practice it's even worse than that, you can use completely different curves
for the key exchange, to sign the key exchange, and for client auth, and for
hashes it's nearly as bad.  What are you supposed to do if an implementation
uses (say) P192 for the keyex signature but P521 for the keyex itself?  What
security level do you treat this as being?  You can use the unnncessary
flexibility to make a complete mess of things, and from the little testing
I've done almost anything you do that's slightly unusual results in a
handshake failure or dropped connection, and I don't even want to try and see
what happens when you start using the really odd capabilities, non-named
curves and point compression and other oddities.

So at the moment we already have a kind of de facto profile, mostly it seems
to be P256+SHA256 everywhere, with optional P384+SHA384 everywhere, and I
think I got away with P521 once or twice.  The single profile we have for ECC
use with TLS, the Suite B one, already does this, it's 256-throughout (ECC
keys and hashes) or 384-throughout (ECC keys and hashes).

Peter.

v2.23.0 | Report a Bug | By Email