Re: [TLS] DSS with other than SHA-1 algorithms
Juho Vähä-Herttua <juhovh@iki.fi> Fri, 29 April 2011 14:25 UTC
Return-Path: <juhovh@iki.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 969E6E0708 for <tls@ietfa.amsl.com>; Fri, 29 Apr 2011 07:25:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DNseWbKvoPIQ for <tls@ietfa.amsl.com>; Fri, 29 Apr 2011 07:25:50 -0700 (PDT)
Received: from jenni2.inet.fi (mta-out.inet.fi [195.156.147.13]) by ietfa.amsl.com (Postfix) with ESMTP id 14ED4E06BF for <tls@ietf.org>; Fri, 29 Apr 2011 07:25:48 -0700 (PDT)
Received: from mail.visino.fi (84.251.121.70) by jenni2.inet.fi (8.5.133) id 4D9AC72601173D54; Fri, 29 Apr 2011 17:25:41 +0300
Received: from [130.233.194.202] (tko-add-202.cs.hut.fi [130.233.194.202]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: juhovh) by mail.visino.fi (Postfix) with ESMTPSA id 0E475201C5; Fri, 29 Apr 2011 17:25:17 +0300 (EEST)
Message-ID: <4DBACA38.2020100@iki.fi>
Date: Fri, 29 Apr 2011 17:24:56 +0300
From: Juho Vähä-Herttua <juhovh@iki.fi>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fi; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1QFmWo-0000Js-7O@login01.fos.auckland.ac.nz>
In-Reply-To: <E1QFmWo-0000Js-7O@login01.fos.auckland.ac.nz>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] DSS with other than SHA-1 algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2011 14:25:50 -0000
29.4.2011 15:10, Peter Gutmann kirjoitti: > Hmm, I'll try and explain this again... consider how the parts of the Client > Hello are processed. For standard suites the server iterates through a list > of suites and selects the most cromulent one. In my case I just have a list > of suite IDs and parameters sorted in order of preference and select the > lowest-ranked suite I find, I assume most implementations do something more or > less similar. Thank you for taking the time to explain it a bit more thoroughly. And sorry for asking so many questions, but I want to understand the motivation behind this well and on the mailing list it will at least be documented for future references. > For the Chinese-menu suites, the server finds a Chinese menu selector and then > has to skip the remaining suites and other parts of the hello and process the > extensions to see whether what's in there matches up with that the Chinese- > menu selector requested. For example if the Chinese menu said Everything clear so far. > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 but the supported-curves says P256 > then you have to either hope the other side does the special-case X9.62 > handling for hash truncation and gets it right (and I've never been able to > find anything that does this to test mine against so who knows whether > anything does do it, and does get it right), or not take the gamble and go Actually, I tried to look through RFC 4492 (ECC), RFC 5246 (TLS 1.2) and RFC 5289, but I didn't find a requirement of using SHA-384 for signatures for that cipher suite. So in this case the server could choose SHA-256 (in case it can be found from signature_algorithms extension) and use that for signature hashing, but use SHA-384 for the PRF and therefore perform no hash truncation. It would be silly to use two different hashes, but that is how I would probably solve it to maintain compatibility. I think it's a general problem with both TLS 1.2 and ECC specifications, that they're both trying to be flexible and extensible up to the point that finding out the actual details becomes tedious work and it's more likely for many implementations to "get it wrong". I suppose that's exactly the thing you're trying to fix with the draft... > back to the cipher suites and look for another Chinese-menu option, and then > skip the rest of the hello and process the extension again to see if things > work out now, and if that doesn't work either then go back ... I think this what makes this worse is that existing TLS 1.0/1.1 implementations haven't necessarily prepared well for such complicated cipher suite selection ECC and TLS 1.2 introduce and that makes the transition a bit difficult. > In practice, with the servers I tried, it was hard enough just trying to > figure out which basic combinations they supported (the usual response was a > dropped connection or aborted handshake, so I had to use trial-and-error > probing, and with some servers I never did figure out how to do more than one > or two basic combinations), and I never got to the point of being able to > interop test any of the more exotic combinations like e.g. hash truncation. Dropping the connection or aborting the handshake is clearly wrong, but again as just noted, selecting a cipher suite used to be a simple thing and now it's suddenly quite hard. Abortion in that case is an understandable solution. > So the sole purpose of this RFC is to try and indentify the common > combinations of parameters that everyone seems to implement anyway and list > them as conventional cipher suites, with no further parameterisation required. > The intent is to try and document what everyone's doing already anyway. Should it be added to the draft that for example implementations using mentioned SHA-256 cipher suites must also send signature_algorithms extension with corresponding hash and ECDSA pair? Right now it only points out the used hash functions, but TLS 1.2 specification quite clearly says that one should default to the {sha1,ecdsa} combination if no extension is sent. I think this draft doesn't make it clear enough if it overrides that requirement or not. Also, the term "Chinese-menu" is a word I haven't seen in any existing TLS related RFC, even though it is very widely used in your draft and related discussion. I think it would make sense to at least define the meaning of the word a bit more clearly if it is going to be used, but it might be worth changing it to something completely different. I for one have lived in China for some years and have always managed to agree on the menu and the details, so I believe at least the Chinese people might find it puzzling. Not to mention someone might even consider it offending... Juho
- [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Dr Stephen Henson
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Hovav Shacham
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Simon Josefsson
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Geoffrey Keating
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Eric Rescorla
- Re: [TLS] DSS with other than SHA-1 algorithms Eric Rescorla
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Eric Rescorla
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Daniel Kahn Gillmor
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Jack Lloyd
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Nikos Mavrogiannopoulos
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Juho Vähä-Herttua
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann
- Re: [TLS] DSS with other than SHA-1 algorithms Rob Stradling
- Re: [TLS] DSS with other than SHA-1 algorithms Paul Hoffman
- Re: [TLS] DSS with other than SHA-1 algorithms Martin Rex
- Re: [TLS] DSS with other than SHA-1 algorithms Rob Stradling
- Re: [TLS] DSS with other than SHA-1 algorithms Rob Stradling
- Re: [TLS] DSS with other than SHA-1 algorithms Peter Gutmann