[TLS] Symmetric cipher guidance in draft-bmoeller-tls-falsestart-01 (POODLE, BEAST)

Brian Smith <brian@briansmith.org> Tue, 23 December 2014 21:37 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A54DE1AC3BB for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 13:37:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7FwW4mgdBpKr for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 13:37:36 -0800 (PST)
Received: from mail-oi0-f48.google.com (mail-oi0-f48.google.com [209.85.218.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 366411AC3BA for <tls@ietf.org>; Tue, 23 Dec 2014 13:37:36 -0800 (PST)
Received: by mail-oi0-f48.google.com with SMTP id u20so15348054oif.7 for <tls@ietf.org>; Tue, 23 Dec 2014 13:37:35 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=I0i53jytLCAmU9oQ4cN4JD0UMw1ERq3qL/2Esfdvojo=; b=EtPyboKNIHkiw7hvPNO8z9cqoOBMTpjTAL++AgWmLsZiGB951FuPG2HbeoINqcJI92 TQU/O6wQc9oE71reA2I5egJPNqot+KB/QRkY6d1GjE7uYyNzU/npZQ2iaBbUrJr4/8FL RfOLyXKhwEg2082cmrgktoNpdbsJlvJNJYrq1Gw19G90hyQ1D2Yw2swUcK3/kCZwdZ7d 5jnjQKKk7orgwvqMIrIMkQd3Ubk3As1wMBoM3XSNYrmJZzkCvO4BCAaue/T8ZPPwUtN5 jEp5Xk3znxsN3zLTpnyUNCmeFUbK5kF+XiHhDLswJcxOCFE+mfmFXWQ3Kw2T8WeNmVQj SsOQ==
X-Gm-Message-State: ALoCoQn8fB9kcczsdnuhCDcAPSdjJBHvhVPHlDrVL34lszLWpIrLUe3gUrnDWFaUKFeHr6OtqHov
MIME-Version: 1.0
X-Received: by 10.60.124.69 with SMTP id mg5mr17904822oeb.73.1419370655631; Tue, 23 Dec 2014 13:37:35 -0800 (PST)
Received: by 10.76.71.228 with HTTP; Tue, 23 Dec 2014 13:37:35 -0800 (PST)
Date: Tue, 23 Dec 2014 13:37:35 -0800
Message-ID: <CAFewVt6QhBieA_Fks=szGLLR9u4NhaRVBEebOknHLg1_u9M7_g@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/oC_OoLtn-tWuh_s9vjd9V-CVVYw
Subject: [TLS] Symmetric cipher guidance in draft-bmoeller-tls-falsestart-01 (POODLE, BEAST)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Dec 2014 21:37:37 -0000

draft-bmoeller-tls-falsestart-01 section-6.1 says:

   Also, various ciphers specified for use with TLS are known to have
   cryptographic weaknesses regardless of key length (none of the
   ciphers specified in [RFC4492] and [RFC5246] can be recommended for
   use with False Start).

I think it would be useful to think about, and note, why none of the
RFC4492/RFC5246 ciphers are acceptable for False Start. The case
against RC4 or weaker-than-AES CBC-mode ciphers is pretty clear, but
the case against >=128-bit CBC-mode ciphers is less clear.

For example, does POODLE or BEAST really matter for False Start? If an
attacker tampered with the handshake, then the client's Finished
message will be wrong, and the server (probably) won't process any
application data that follows. Thus, it seems unlikely that POODLE is
a problem for False Start. Similarly, how could False Start help an
attacker succeed using the BEAST attack?

Is there something I'm overlooking?

Thanks,
Brian