Re: [TLS] Ala Carte Cipher suites - was: DSA should die

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 08 April 2015 02:54 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB48D1A1B27 for <tls@ietfa.amsl.com>; Tue, 7 Apr 2015 19:54:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_24=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_34=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jg6x99SYAmz5 for <tls@ietfa.amsl.com>; Tue, 7 Apr 2015 19:54:40 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB9851A1A1E for <tls@ietf.org>; Tue, 7 Apr 2015 19:54:40 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0A100283031; Wed, 8 Apr 2015 02:54:39 +0000 (UTC)
Date: Wed, 8 Apr 2015 02:54:39 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150408025438.GH17637@mournblade.imrryr.org>
References: <20150401201221.163745c2@pc1.fritz.box> <CAK9dnSyKf7AY11h1i1h+SudRc-NmTZE5wC682YKhNsxnfV5ShQ@mail.gmail.com> <CAK3OfOgPbADQ1CvOs=8T7ee6f_T+bi3F6GCdBtxufQpznzYbQA@mail.gmail.com> <201504021257.09955.davemgarrett@gmail.com> <CAOgPGoDJTcLn4j90wNu=mhCZJnb2WUuAvM5TN6KOO7RdC==qHQ@mail.gmail.com> <551DE914.4010804@nthpermutation.com> <CAFewVt6jKaQh9Z-ySQJr_9PWsBvn41RNk6PNXMdouLwywn8-wA@mail.gmail.com> <54c69c7ac7074ba8a2e71734843bf106@ustx2ex-dag1mb2.msg.corp.akamai.com> <CAHOTMV+j2VECFme_iizE_9UnPfebSGETnfx0Cwv7BZQ-Oc902w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHOTMV+j2VECFme_iizE_9UnPfebSGETnfx0Cwv7BZQ-Oc902w@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/oo9XHR2V7uaxQkZXkXd-oBOVQM0>
Subject: Re: [TLS] Ala Carte Cipher suites - was: DSA should die
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 02:54:42 -0000

On Mon, Apr 06, 2015 at 08:25:02PM -0700, Tony Arcieri wrote:

> Looks like the opinion of TLS implementers is this far unanimously against
> this proposal. I would like to give the counterpoint from a TLS user
> perspective.

I see no unanimity.  I think that long-term the cross product
simplifies maintenance (simpler internal tables with less duplication),
and makes it easier to sensibly sort the cipher-suites by independent
preferences for each feature.

Yes, there'll need to be new APIs for specifying separate preferences
for the key agreement suites vs. bulk crypto suites.  Some may find
this an opportunity to drop legacy interfaces.

In OpenSSL many of the building blocks are already there, thus
we can build up a cipher-suite from its parts:

    $ openssl ciphers -v kECDHE+aECDSA+AES128+AESGCM
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD

All that's missing is separate ordered cipherstring settings for
the components.  These would be UI improvements I think.  Yes, not
easy retrofits into existing applications, but ultimately worth it
IMHO.  Assuming of course TLS is still the swiss-army knife of
security protocols and needs to support a range of choices for each
element of the cipher-suite.

Were any radical simplification to just 1 or 2 (composite) ciphersuites
actually realistic, then breaking those down would be silly.  As
it stands I don't see a likely choice of just 2 ciphersuites that
serve all TLS users, and thus ala carte makes sense to me.

-- 
	Viktor.