Re: [TLS] TLS 1.2
pgut001@cs.auckland.ac.nz (Peter Gutmann) Mon, 29 August 2005 09:47 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E9gEf-0002Rj-Kh; Mon, 29 Aug 2005 05:47:25 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E9gEa-0002RD-Lr for tls@megatron.ietf.org; Mon, 29 Aug 2005 05:47:20 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA27128 for <tls@ietf.org>; Mon, 29 Aug 2005 05:47:16 -0400 (EDT)
Received: from groucho.itss.auckland.ac.nz ([130.216.190.11] helo=smtpa.itss.auckland.ac.nz) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E9gFr-0001PB-JK for tls@ietf.org; Mon, 29 Aug 2005 05:48:40 -0400
Received: from localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) by smtpa.itss.auckland.ac.nz (Postfix) with ESMTP id 52AC1342CF; Mon, 29 Aug 2005 21:47:04 +1200 (NZST)
Received: from smtpa.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31277-28; Mon, 29 Aug 2005 21:47:04 +1200 (NZST)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by smtpa.itss.auckland.ac.nz (Postfix) with ESMTP id 95DB6342BC; Mon, 29 Aug 2005 21:47:03 +1200 (NZST)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id DB6EF3774E; Mon, 29 Aug 2005 21:47:02 +1200 (NZST)
Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1E9gEQ-0002RK-00; Mon, 29 Aug 2005 21:47:10 +1200
From: pgut001@cs.auckland.ac.nz
To: ekr@rtfm.com, tls@ietf.org
Subject: Re: [TLS] TLS 1.2
In-Reply-To: <20050827003010.19815285E3@sierra.rtfm.com>
Message-Id: <E1E9gEQ-0002RK-00@medusa01.cs.auckland.ac.nz>
Date: Mon, 29 Aug 2005 21:47:10 +1200
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
X-Spam-Score: 2.9 (++)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Sender: tls-bounces@lists.ietf.org
Errors-To: tls-bounces@lists.ietf.org
Eric Rescorla <ekr@rtfm.com> writes: >I'd like to start a discussion on whether we should be thinking about a TLS >1.2 that was more oriented towards newer hash functions. Obviously, we're not >at a point where there's a crisis yet but it doesn't hurt to be prepared. I've actually had a proposal for fixing TLS' broken signatures sketched out probably since it was still SSL, so perhaps we can use this to fix several problems at once. Firstly, in terms of attacks on hash functions, the only thing that really needs to be addressed is the use of hash functions as, well, hash functions. Most of the use in TLS is as PRFs and in HMAC, none of which are even remotely endangered by any known attack. Signatures, however, need to be fixed for three main reasons: 1. Use of potentially at-risk hash functions, as already noted. 2. Use of a )*#&%*$( nonstandard signature format that a number of crypto devices (and libraries) either don't support at all, or have broken support for. Trying to determine by trial and error which (say) smart cards support the weird SSL signature mechanism alongside the default PKCS #1 one, and then detecting which firmware revisions have which bugs in handling the format (claim to support it but don't, support it but add an ASN.1 wrapper at the start, only use one of the two hashes, and some other oddities that I've forgotten) is an absolute nightmare. 3. Signing of hashes that don't correspond to anything that's calculated during part of the normal handshake. That is, the dual-MAC that's sent in the Finished message isn't what gets signed, so it's necessary to run a parallel hash of handshake messages that terminates before the Finished- message hashing does. Since client certs are almost never used, there's a lot of extra overhead involved in running an extra dual hash that (most of the time) never gets used. In practice all that's needed is to sign the client and server nonces to ensure signature freshness, So my proposal was to include a new extension signatureSuites, consisting of (currently) three values: SIG_RSA_PKCS1_WITH_SHA1 SIG_RSA_PKCS1_WITH_SHA256 SIG_DSA_WITH_SHA1 and if that gets acknowledged by the other side (as per RFC 3546) then using a standard signature of the given type over the value: { "certificate verify" || client_nonce || server_nonce } So if the signature suite chosen was SIG_RSA_PKCS1_WITH_SHA1 then the cert- verify would contain a completely standard PKCS #1 signature over the above data. (Once this was added to the standard, I'd take the old signature mechanism and stomp on it and dance around it and sing hallelujah on its grave). Peter. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] TLS 1.2 Eric Rescorla
- Re: [TLS] TLS 1.2 Steven M. Bellovin
- Re: [TLS] TLS 1.2 Peter Gutmann
- Re: [TLS] TLS 1.2 Steven M. Bellovin
- Re: [TLS] TLS 1.2 Bodo Moeller
- [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 MAC calculation Mike
- Antwort: [TLS] TLS 1.2 MAC calculation Axel.Heider
- Re: Antwort: [TLS] TLS 1.2 MAC calculation Bodo Moeller
- Re: [TLS] TLS 1.2 interoperating Mike
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- RE: [TLS] TLS 1.2 hash agility Russ Housley
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen