Re: [TLS] Registering SHA256 null encryption ciphersuites
"Lewis, Nick" <nick.lewis@usa.g4s.com> Thu, 07 June 2012 08:08 UTC
Return-Path: <nick.lewis@usa.g4s.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A032A21F8631 for <tls@ietfa.amsl.com>; Thu, 7 Jun 2012 01:08:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.451
X-Spam-Level:
X-Spam-Status: No, score=-4.451 tagged_above=-999 required=5 tests=[AWL=-0.453, BAYES_50=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ty2wJSYSmg4P for <tls@ietfa.amsl.com>; Thu, 7 Jun 2012 01:08:23 -0700 (PDT)
Received: from mail193.messagelabs.com (mail193.messagelabs.com [85.158.140.195]) by ietfa.amsl.com (Postfix) with ESMTP id EC89D21F84E6 for <tls@ietf.org>; Thu, 7 Jun 2012 01:08:21 -0700 (PDT)
X-Env-Sender: nick.lewis@usa.g4s.com
X-Msg-Ref: server-12.tower-193.messagelabs.com!1339056500!12309062!1
X-Originating-IP: [89.206.228.155]
X-StarScan-Version: 6.5.10; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10977 invoked from network); 7 Jun 2012 08:08:20 -0000
Received: from unallocated.star.net.uk (HELO gbtwk10s037.Technology.local) (89.206.228.155) by server-12.tower-193.messagelabs.com with RC4-SHA encrypted SMTP; 7 Jun 2012 08:08:20 -0000
Received: from GBTWK10E001.Technology.local ([10.234.1.29]) by gbtwk10s037.Technology.local ([10.234.1.39]) with mapi; Thu, 7 Jun 2012 09:08:19 +0100
From: "Lewis, Nick" <nick.lewis@usa.g4s.com>
To: "'tls@ietf.org'" <tls@ietf.org>
Date: Thu, 07 Jun 2012 09:08:19 +0100
Thread-Topic: Re: [TLS] Registering SHA256 null encryption ciphersuites
Thread-Index: Ac1EhNWeF8EwauMySdqjQpnlHIqb9w==
Message-ID: <AAE0766F5AF36B46BAB7E0EFB92732060686EE4975@GBTWK10E001.Technology.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_AAE0766F5AF36B46BAB7E0EFB92732060686EE4975GBTWK10E001Te_"
MIME-Version: 1.0
Subject: Re: [TLS] Registering SHA256 null encryption ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2012 08:08:24 -0000
>I could easily be missing something, but what would the intended use of this ciphersuite (or >any "*_anon_WITH_NULL_*" ciphersuite) be? Since it has no encryption, it doesn't offer any >protection against passive eavesdroppers. But since it has no authentication, it doesn't offer >any protection against active attackers. What sort of attack is it meant to protect against? > >(There is currently one "*_anon_WITH_NULL_*" ciphersuite registered with IANA, >TLS_ECDH_anon_WITH_NULL_SHA, and my puzzlement extends to that ciphersuite, as well.) > >--Patrick I guess anon_with_null could be used when only data integrity is required or for long lived sessions in which the environment is known to be free from middlemen or impersonators at the time of the diffie-hellman exchange but tampering could occur thereafter. Would you suggest that TLS_ECDH_anon_WITH_NULL_SHA256 be omitted? What about SHA384 variants? In practice our requirements are limited to the authenticated SHA256 variants. Is it best to proceed exclusively with these? --Nick Nick Lewis nick.lewis@usa.g4s.com<mailto:nick.lewis@usa.g4s.com> +44 1684 277137<tel:+441684277137> www.g4stechnology.com<http://www.g4stechnology.com/> New Challenge House, International Drive, Tewkesbury, Gloucestershire, GL20 8UQ, UK P Please consider the environment before printing this email ________________________________ The details of this company are as follows: G4S Technology Limited, Registered Office: Challenge House, International Drive, Tewkesbury, Gloucestershire GL20 8UQ, Registered in England No. 2382338. This communication may contain information which is confidential, personal and/or privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any distribution, forwarding, copying or use of this communication or the information in it is strictly prohibited. Any personal views expressed in this e-mail are those of the individual sender and the company does not endorse or accept responsibility for them. Prior to taking any action based upon this e-mail message, you should seek appropriate confirmation of its authenticity. This e-mail has been scanned for all viruses by MessageLabs.
- [TLS] Registering SHA256 null encryption ciphersu… Lewis, Nick
- Re: [TLS] Registering SHA256 null encryption ciph… Patrick Pelletier
- Re: [TLS] Registering SHA256 null encryption ciph… Lewis, Nick