IETF Logo Mail Archive

Re: [TLS] DSS with other than SHA-1 algorithms

Juho Vähä-Herttua <juhovh@iki.fi> Wed, 27 April 2011 10:15 UTC

Return-Path: <juhovh@iki.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62A47E068F for <tls@ietfa.amsl.com>; Wed, 27 Apr 2011 03:15:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12svTOH0cT9m for <tls@ietfa.amsl.com>; Wed, 27 Apr 2011 03:15:00 -0700 (PDT)
Received: from jenni2.inet.fi (mta-out.inet.fi [195.156.147.13]) by ietfa.amsl.com (Postfix) with ESMTP id 86C6CE067C for <tls@ietf.org>; Wed, 27 Apr 2011 03:15:00 -0700 (PDT)
Received: from mail.visino.fi (84.251.121.70) by jenni2.inet.fi (8.5.133) id 4D9AC72600F64E80; Wed, 27 Apr 2011 13:14:52 +0300
Received: from [130.233.194.202] (tko-add-202.cs.hut.fi [130.233.194.202]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: juhovh) by mail.visino.fi (Postfix) with ESMTPSA id 2F8C320395; Wed, 27 Apr 2011 13:13:44 +0300 (EEST)
Message-ID: <4DB7EBE7.8020705@iki.fi>
Date: Wed, 27 Apr 2011 13:11:51 +0300
From: Juho Vähä-Herttua <juhovh@iki.fi>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fi; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1QDrnw-0003gv-A4@login01.fos.auckland.ac.nz>
In-Reply-To: <E1QDrnw-0003gv-A4@login01.fos.auckland.ac.nz>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: simon@josefsson.org, geoffk@geoffk.org, tls@ietf.org
Subject: Re: [TLS] DSS with other than SHA-1 algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2011 10:15:01 -0000

24.4.2011 8:24, Peter Gutmann kirjoitti:
>> 1. Client sends a ClientHello with elliptic_curves extension specifying its
>> supported extensions
> But the elliptic_curves extension isn't part of the ClientHello.  This is the
> problem, the ClientHello contains a notification-of-intent and then later bits
> and pieces contain the actual suite details.  If any of the later bits and
> pieces don't as expected you have to go back to the ClientHello and try
> another Chinese-menu option, then go back to the later extensions and see
> if... and so on, although in practice everything I've seen so far just aborts
> the handshake if they don't see exactly what they expect.

I don't quite understand this part, I know it is not indicated as MUST 
in the current RFC, but the text quite clearly says:

    The extensions SHOULD be sent along with any ClientHello message that
    proposes ECC cipher suites.

...

    A client that proposes ECC cipher suites in its ClientHello message
    appends these extensions (along with any others), enumerating the
    curves it supports and the point formats it can parse.  Clients
    SHOULD send both the Supported Elliptic Curves Extension and the
    Supported Point Formats Extension.


So every client sending a ClientHello SHOULD append the Supported 
Elliptic Curves extension in ClientHello itself and therefore the 
selected curve should be clear immediately after receiving the complete 
ServerHello including ServerKeyExchange. I'm not saying the suggested 
draft is not a good idea, I think it looks pretty good, I'm just saying 
the situation doesn't seem quite as bad as suggested.

I think the reference to Microsoft's SChannel cipher suites was a very 
good one. I wasn't aware they have already chosen to take this approach 
and it's one more argument for defining it officially. However, I'm also 
wondering why ECDHE_RSA is dropped from the draft? Even Microsoft has 
included ECDHE_RSA cipher suites in their list and since almost all 
certificates in use are RSA certificates, it is quite likely that 
ECDHE_RSA cipher suites are the only cipher suites existing TLS servers 
can start to use immediately without applying for a new certificate. 
(one can argue that they could just use RSA key exchange, but that 
doesn't have forward secrecy like ECDHE does)

Also mandating the same curve in ECDSA signature as in ECDH keys could 
be debated, but I think it's quite well justified here. It's also worth 
to note that this draft doesn't require the whole certificate chain is 
signed with ECDSA and certain curve, so for example a certificate 
containing P-256 keys signed with something else would still be valid. I 
think this is good for flexibility, in case the server administrator is 
unable to obtain a ECDSA certificate signed with ECDSA. It's up to the 
client to find out if it's able to determine its validity then.


Juho

v2.23.0 | Report a Bug | By Email