Re: [TLS] TLS 1.2

pgut001@cs.auckland.ac.nz (Peter Gutmann) Mon, 29 August 2005 09:47 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E9gEf-0002Rj-Kh; Mon, 29 Aug 2005 05:47:25 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E9gEa-0002RD-Lr for tls@megatron.ietf.org; Mon, 29 Aug 2005 05:47:20 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA27128 for <tls@ietf.org>; Mon, 29 Aug 2005 05:47:16 -0400 (EDT)
Received: from groucho.itss.auckland.ac.nz ([130.216.190.11] helo=smtpa.itss.auckland.ac.nz) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E9gFr-0001PB-JK for tls@ietf.org; Mon, 29 Aug 2005 05:48:40 -0400
Received: from localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) by smtpa.itss.auckland.ac.nz (Postfix) with ESMTP id 52AC1342CF; Mon, 29 Aug 2005 21:47:04 +1200 (NZST)
Received: from smtpa.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31277-28; Mon, 29 Aug 2005 21:47:04 +1200 (NZST)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by smtpa.itss.auckland.ac.nz (Postfix) with ESMTP id 95DB6342BC; Mon, 29 Aug 2005 21:47:03 +1200 (NZST)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id DB6EF3774E; Mon, 29 Aug 2005 21:47:02 +1200 (NZST)
Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1E9gEQ-0002RK-00; Mon, 29 Aug 2005 21:47:10 +1200
From: pgut001@cs.auckland.ac.nz
To: ekr@rtfm.com, tls@ietf.org
Subject: Re: [TLS] TLS 1.2
In-Reply-To: <20050827003010.19815285E3@sierra.rtfm.com>
Message-Id: <E1E9gEQ-0002RK-00@medusa01.cs.auckland.ac.nz>
Date: Mon, 29 Aug 2005 21:47:10 +1200
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
X-Spam-Score: 2.9 (++)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Sender: tls-bounces@lists.ietf.org
Errors-To: tls-bounces@lists.ietf.org

Eric Rescorla <ekr@rtfm.com> writes:

>I'd like to start a discussion on whether we should be thinking about a TLS
>1.2 that was more oriented towards newer hash functions. Obviously, we're not
>at a point where there's a crisis yet but it doesn't hurt to be prepared.

I've actually had a proposal for fixing TLS' broken signatures sketched out
probably since it was still SSL, so perhaps we can use this to fix several
problems at once.  Firstly, in terms of attacks on hash functions, the only
thing that really needs to be addressed is the use of hash functions as, well,
hash functions.  Most of the use in TLS is as PRFs and in HMAC, none of which
are even remotely endangered by any known attack.  Signatures, however, need
to be fixed for three main reasons:

1. Use of potentially at-risk hash functions, as already noted.

2. Use of a )*#&%*$( nonstandard signature format that a number of crypto
   devices (and libraries) either don't support at all, or have broken support
   for.  Trying to determine by trial and error which (say) smart cards
   support the weird SSL signature mechanism alongside the default PKCS #1
   one, and then detecting which firmware revisions have which bugs in
   handling the format (claim to support it but don't, support it but add an
   ASN.1 wrapper at the start, only use one of the two hashes, and some other
   oddities that I've forgotten) is an absolute nightmare.

3. Signing of hashes that don't correspond to anything that's calculated
   during part of the normal handshake.  That is, the dual-MAC that's sent in
   the Finished message isn't what gets signed, so it's necessary to run a
   parallel hash of handshake messages that terminates before the Finished-
   message hashing does.  Since client certs are almost never used, there's a
   lot of extra overhead involved in running an extra dual hash that (most of
   the time) never gets used.  In practice all that's needed is to sign the
   client and server nonces to ensure signature freshness,

So my proposal was to include a new extension signatureSuites, consisting of
(currently) three values:

  SIG_RSA_PKCS1_WITH_SHA1
  SIG_RSA_PKCS1_WITH_SHA256
  SIG_DSA_WITH_SHA1

and if that gets acknowledged by the other side (as per RFC 3546) then using a
standard signature of the given type over the value:

  { "certificate verify" || client_nonce || server_nonce }

So if the signature suite chosen was SIG_RSA_PKCS1_WITH_SHA1 then the cert-
verify would contain a completely standard PKCS #1 signature over the above
data.

(Once this was added to the standard, I'd take the old signature mechanism and
 stomp on it and dance around it and sing hallelujah on its grave).

Peter.

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls