Re: [TLS] DSS with other than SHA-1 algorithms
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 16 April 2011 08:10 UTC
Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: tls@ietfc.amsl.com
Delivered-To: tls@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id DD1E8E067D for <tls@ietfc.amsl.com>; Sat, 16 Apr 2011 01:10:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.52
X-Spam-Level:
X-Spam-Status: No, score=-3.52 tagged_above=-999 required=5 tests=[AWL=0.079, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bYs+FIxXoGJ for <tls@ietfc.amsl.com>; Sat, 16 Apr 2011 01:10:33 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfc.amsl.com (Postfix) with ESMTP id 74304E0675 for <tls@ietf.org>; Sat, 16 Apr 2011 01:10:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1302941434; x=1334477434; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20juhovh@gmail.com,=20pgut001@cs.auckland.ac.nz |Subject:=20Re:=20[TLS]=20DSS=20with=20other=20than=20SHA -1=20algorithms|Cc:=20ekr@rtfm.com,=20geoffk@geoffk.org, =20simon@josefsson.org,=20tls@ietf.org|In-Reply-To:=20<4d a5d06e.ce7c0e0a.71c9.1ce4@mx.google.com>|Message-Id:=20<E 1QB0aG-0005xJ-NJ@login01.fos.auckland.ac.nz>|Date:=20Sat, =2016=20Apr=202011=2020:10:24=20+1200; bh=jGsOww1e6vVnOOpujpAnEseJBlrWVBuHEv+V+TDqqNI=; b=iQnSWdeRO048okCDLALJXHh/1LOIhGOSEvOh9chk/uDJL7+rdTcOMZSs 9f73sh454JqEnCN7ErHwuFW7Gvp6DqxOjZPCVHD1Ns2RTGqd6CxfoLFvP tsiEoa1EEazzcpipDO+G7+1LhAR/pNa8uk5jsXV2LHr4KskEqGR/XVarr k=;
X-IronPort-AV: E=Sophos;i="4.64,223,1301832000"; d="scan'208";a="57016298"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 16 Apr 2011 20:10:25 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QB0aG-0005UF-Ic; Sat, 16 Apr 2011 20:10:24 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QB0aG-0005xJ-NJ; Sat, 16 Apr 2011 20:10:24 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: juhovh@gmail.com, pgut001@cs.auckland.ac.nz
In-Reply-To: <4da5d06e.ce7c0e0a.71c9.1ce4@mx.google.com>
Message-Id: <E1QB0aG-0005xJ-NJ@login01.fos.auckland.ac.nz>
Date: Sat, 16 Apr 2011 20:10:24 +1200
Cc: simon@josefsson.org, geoffk@geoffk.org, tls@ietf.org
Subject: Re: [TLS] DSS with other than SHA-1 algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Apr 2011 08:10:36 -0000
"=?iso-8859-1?Q?Juho_V=E4h=E4-Herttua?=" <juhovh@gmail.com> writes: >I don't see how this works, because in case of ECC the server is always >selecting the cipher suite and sending the ServerKeyExchange, and these both >happen between ServerHello and ServerHelloDone. What did I miss? Say you (i.e. the server) see, and select, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, as the best suite. Then later in the exchange the client says, via an extension, that it wants to do P256, which isn't really suited for use with SHA384 (unless you go through odd truncation calisthenics, but then why use a hash with a key size that's too short for it?), so you have to go back and reprocess the hello to see if there's something with SHA256 present to match that. Then you go back and reprocess the extensions to see whether that's OK. In the end you may end up falling back to a non-ECC suite, depending on your heuristics. Of course no implementation actually does this, they just fail the handshake unless they see the exact parameters they want. In practice it's even worse than that, you can use completely different curves for the key exchange, to sign the key exchange, and for client auth, and for hashes it's nearly as bad. What are you supposed to do if an implementation uses (say) P192 for the keyex signature but P521 for the keyex itself? What security level do you treat this as being? You can use the unnncessary flexibility to make a complete mess of things, and from the little testing I've done almost anything you do that's slightly unusual results in a handshake failure or dropped connection, and I don't even want to try and see what happens when you start using the really odd capabilities, non-named curves and point compression and other oddities. So at the moment we already have a kind of de facto profile, mostly it seems to be P256+SHA256 everywhere, with optional P384+SHA384 everywhere, and I think I got away with P521 once or twice. The single profile we have for ECC use with TLS, the Suite B one, already does this, it's 256-throughout (ECC keys and hashes) or 384-throughout (ECC keys and hashes). Peter.
- [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Dr Stephen Henson
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Hovav Shacham
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Simon Josefsson
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Geoffrey Keating
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Eric Rescorla
- Re: [TLS] DSS with other than SHA-1 algorithms Eric Rescorla
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Eric Rescorla
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Daniel Kahn Gillmor
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Jack Lloyd
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Rob Stradling
- Re: [TLS] DSS with other than SHA-1 algorithms Paul Hoffman
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Rob Stradling
- Re: [TLS] DSS with other than SHA-1 algorithms Rob Stradling
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann