IETF Logo Mail Archive

Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the WGLC

"Mark Tillinghast" <Mark_Tillinghast@symantec.com> Thu, 02 October 2008 19:14 UTC

Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 817B53A69CD; Thu, 2 Oct 2008 12:14:31 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8904028C0EE for <tls@core3.amsl.com>; Thu, 2 Oct 2008 12:14:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.148
X-Spam-Level:
X-Spam-Status: No, score=-6.148 tagged_above=-999 required=5 tests=[AWL=0.451, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6zQx75SDhreq for <tls@core3.amsl.com>; Thu, 2 Oct 2008 12:14:28 -0700 (PDT)
Received: from extu-mxob-2.symantec.com (extu-mxob-2.symantec.com [216.10.194.135]) by core3.amsl.com (Postfix) with ESMTP id B9FCD3A67B1 for <tls@ietf.org>; Thu, 2 Oct 2008 12:14:28 -0700 (PDT)
Received: from tus1opsmtapin01.ges.symantec.com (tus1opsmtapin01.ges.symantec.com [192.168.214.43]) by extu-mxob-2.symantec.com (8.14.1/8.14.1) with ESMTP id m92JE6vR027039 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <tls@ietf.org>; Thu, 2 Oct 2008 12:14:06 -0700
Received: from reserved-155-64-230-18.ges.symantec.com ([155.64.230.18] helo=TUS1XCHECNPIN01.enterprise.veritas.com) by tus1opsmtapin01.ges.symantec.com with esmtp (Exim 4.67) (envelope-from <Mark_Tillinghast@symantec.com>) id 1KlTck-0003bx-MG for tls@ietf.org; Thu, 02 Oct 2008 12:14:06 -0700
Received: from TUS1XCHEVSPIN04.enterprise.veritas.com ([155.64.230.53]) by TUS1XCHECNPIN01.enterprise.veritas.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 2 Oct 2008 12:14:06 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Thu, 02 Oct 2008 12:13:39 -0700
Message-ID: <5FD537098FD21B439D882EEDD9299A233B267B@TUS1XCHCLUPIN09.enterprise.veritas.com>
In-Reply-To: <mailman.91.1222974007.11013.tls@ietf.org>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: New version of draft-ietf-tls-ecdhe-psk after the WGLC
thread-index: AckkwZHNDKc+7dJBRKmkwXv1ZXZwfQAADNYA
References: <mailman.91.1222974007.11013.tls@ietf.org>
From: Mark Tillinghast <Mark_Tillinghast@symantec.com>
To: tls@ietf.org
X-OriginalArrivalTime: 02 Oct 2008 19:14:06.0734 (UTC) FILETIME=[0A5512E0:01C924C3]
Subject: Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the WGLC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org

I would like to remove the SHA-1 stuff completely.
Compatibility with SHA-1 is anathema to me. 

Mark
-----Original Message-----
From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
tls-request@ietf.org
Sent: Thursday, October 02, 2008 12:00
To: tls@ietf.org
Subject: TLS Digest, Vol 51, Issue 2

Send TLS mailing list submissions to
	tls@ietf.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.ietf.org/mailman/listinfo/tls
or, via email, send a message with subject or body 'help' to
	tls-request@ietf.org

You can reach the person managing the list at
	tls-owner@ietf.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of TLS digest..."


Today's Topics:

   1. Re:  New version of draft-ietf-tls-ecdhe-psk after the WGLC
      (Pasi.Eronen@nokia.com)
   2. Re:  New version of draft-ietf-tls-ecdhe-psk after the WGLC
      (Mohamad Badra)
   3. Re:  Last Call: draft-rescorla-tls-suiteb (Suite B Cipher
      Suites for TLS) to Informational RFC (Brian Minard)
   4. Re:  Last Call: draft-rescorla-tls-suiteb (Suite B Cipher
      Suites for TLS) to Informational RFC (Russ Housley)


----------------------------------------------------------------------

Message: 1
Date: Thu, 2 Oct 2008 11:29:21 +0300
From: <Pasi.Eronen@nokia.com>
Subject: Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the
	WGLC
To: <badra@isima.fr>
Cc: tls@ietf.org
Message-ID:
	
<1696498986EFEC4D9153717DA325CB7201C760D1@vaebe104.NOE.Nokia.com>
Content-Type: text/plain;	charset="iso-8859-1"

Mohamad Badra wrote:
> 
> Dear Pasi,
> 
>> The contents of the draft have changed quite a bit since version
>> -02 (which was posted just before the Dublin meeting), and I have
>> some comments about the changes:
> 
> 
> In fact, we discussed adding SHA256 and SHA348 to the document to
> avoid publishing several seperated documents; and if I recall well,
> your recommendation was to do that in one single document. If the
> group doesn't agree with this change, I will post the old version.

I think having them all in a single document is better; it's 
the other changes in -03 I commented.

>  > It's a bit surprising that
>  > e.g. TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, when negotiated in TLS
>  > 1.2, would use the TLS PRF with SHA-1 as the hash function. Note
>  > that e.g.  TLS_DHE_PSK_WITH_AES_128_CBC_SHA (from RFC 4279) would
>  > in this situation use the TLS PRF with SHA-256.
> 
> In this case, I would know where I can read that cipher suites
> described in RFC 4492, when negotiated in TLS 1.2, will use the TLS
> PRF with SHA-256. Do you refer to Section 5 of TLS 1.2?
> 
> The same for TLS_DHE_PSK_WITH_AES_128_CBC_SHA.

Yes, I'm referring to Section 5 of TLS 1.2.

>  > My suggestion would be to say that all these cipher suites can be
>  > negotiated with any TLS version; when used with TLS <1.2, they use
>  > the PRF from that version; when used with TLS >=1.2, they use the
>  > TLS PRF with SHA-256 or SHA-384. (In other words: they'd work the
>  > same way as the cipher suites in RFC 4492/4279/4785.)
>  >
>  > This change would probably allow us to remove the SHA-1 suites
>  > completely.
> 
> With regard to version 2 of the document, only SHA-1 suites are 
> described. So why we need to do this step?

I would ask it this way: if the document has SHA-256/384 based
suites, why does it need the SHA-1 suites?

(Cipher suites isn't one of those things where having more
is automatically better.)

>  > Also, while I can understand combining AES-128 with
>  > SHA-256, and AES-256 with SHA-384, I'm not sure why we need to
>  > combine NULL encryption with three different MACs...
> 
> In the case we are going to remove the SHA-1 suites with NULL
> encryption, only 2 combinations will be available (if we keep the
> logic of moving away from SHA-1 and towards stronger hash
> algorithms, as RFC 5288 and 5289 do).

Yes, but why do we need two combinations? What problem is solved
by having two, instead of just one?

Best regards,
Pasi


------------------------------

Message: 2
Date: Thu, 02 Oct 2008 11:57:48 +0200
From: Mohamad Badra <badra@isima.fr>
Subject: Re: [TLS] New version of draft-ietf-tls-ecdhe-psk after the
	WGLC
To: Pasi.Eronen@nokia.com
Cc: tls@ietf.org
Message-ID: <48E49B1C.4040603@isima.fr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Pasi,

Pasi.Eronen@nokia.com wrote:
> Mohamad Badra wrote:
>> Dear Pasi,
>>
>>> The contents of the draft have changed quite a bit since version
>>> -02 (which was posted just before the Dublin meeting), and I have
>>> some comments about the changes:
>>
>> In fact, we discussed adding SHA256 and SHA348 to the document to
>> avoid publishing several seperated documents; and if I recall well,
>> your recommendation was to do that in one single document. If the
>> group doesn't agree with this change, I will post the old version.
> 
> I think having them all in a single document is better; it's 
> the other changes in -03 I commented.

OK.

> 
>>  > It's a bit surprising that
>>  > e.g. TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, when negotiated in TLS
>>  > 1.2, would use the TLS PRF with SHA-1 as the hash function. Note
>>  > that e.g.  TLS_DHE_PSK_WITH_AES_128_CBC_SHA (from RFC 4279) would
>>  > in this situation use the TLS PRF with SHA-256.
>>
>> In this case, I would know where I can read that cipher suites
>> described in RFC 4492, when negotiated in TLS 1.2, will use the TLS
>> PRF with SHA-256. Do you refer to Section 5 of TLS 1.2?
>>
>> The same for TLS_DHE_PSK_WITH_AES_128_CBC_SHA.
> 
> Yes, I'm referring to Section 5 of TLS 1.2.

OK.

> 
>>  > My suggestion would be to say that all these cipher suites can be
>>  > negotiated with any TLS version; when used with TLS <1.2, they use
>>  > the PRF from that version; when used with TLS >=1.2, they use the
>>  > TLS PRF with SHA-256 or SHA-384. (In other words: they'd work the
>>  > same way as the cipher suites in RFC 4492/4279/4785.)
>>  >
>>  > This change would probably allow us to remove the SHA-1 suites
>>  > completely.
>>
>> With regard to version 2 of the document, only SHA-1 suites are 
>> described. So why we need to do this step?
> 
> I would ask it this way: if the document has SHA-256/384 based
> suites, why does it need the SHA-1 suites?
> 
> (Cipher suites isn't one of those things where having more
> is automatically better.)


Unfortunately, these new arguments aren't presented in WGLC, which would

also have been applicable to the previous two versions.

I don't know, but don't we need a WG consensus on that change?

>>  > Also, while I can understand combining AES-128 with
>>  > SHA-256, and AES-256 with SHA-384, I'm not sure why we need to
>>  > combine NULL encryption with three different MACs...
>>
>> In the case we are going to remove the SHA-1 suites with NULL
>> encryption, only 2 combinations will be available (if we keep the
>> logic of moving away from SHA-1 and towards stronger hash
>> algorithms, as RFC 5288 and 5289 do).
> 
> Yes, but why do we need two combinations? What problem is solved
> by having two, instead of just one?

Which one do you suggest? and why only one of both?
(WRT RFC5288 and 5289 portfolio, I prefer keeping both of them,)

Best regards,
Badra



------------------------------

Message: 3
Date: Thu, 2 Oct 2008 08:00:45 -0400
From: Brian Minard <bminard@certicom.com>
Subject: Re: [TLS] Last Call: draft-rescorla-tls-suiteb (Suite B
	Cipher Suites for TLS) to Informational RFC
To: "tls@ietf.org" <tls@ietf.org>
Message-ID:
	<C49217E2D694874EB820EA90DCE67619011DDDB124@EX40.exchserver.com>
Content-Type: text/plain; charset="us-ascii"

Here are a couple of clarifications we'd like to see in the draft.


------------------------------

Message: 4
Date: Thu, 02 Oct 2008 11:22:49 -0400
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [TLS] Last Call: draft-rescorla-tls-suiteb (Suite B
	Cipher Suites for TLS) to Informational RFC
To: Brian Minard <bminard@certicom.com>
Cc: tls@ietf.org
Message-ID: <20081002152313.998D528C1F8@core3.amsl.com>
Content-Type: text/plain; charset="us-ascii"; format=flowed

Brian:

I'll post an update in a few minutes that includes more information 
on certification paths.

I am confused by your last paragraph.  ECDH_ECDSA is not discussed in 
this draft.  Only, ECDHE_ECDSA is used in this draft.

Russ

At 08:00 AM 10/2/2008, Brian Minard wrote:
>Here are a couple of clarifications we'd like to see in the draft.
>
> From section 4:
>    Server and client certificates used to establish a Suite
B-compliant
>    connection MUST be signed with ECDSA.  For certificates used at the
>    128-bit security level, the subject public key MUST use the P-256
>    curve, and the digital signature MUST be calculated using the P-256
>    curve and the SHA-256 hash algorithm.  For certificates used at the
>    192-bit security level, the subject public key MUST use the P-384
>    curve, and the digital signature MUST be calculated using the P-384
>    curve and the SHA-384 hash algorithm.
>
>Does this only apply to the client/server certificates or every
>certificate in the client/server chain?
>
>Can some guidance be added on certificate key usages and TLS 1.2 for
>Suite B
>(http://www.nsa.gov/ia/industry/Suite_B_Certificate_and_CRL_Profile_200
>80528.pdf)?
>This document clearly requires two different certificates and
>references NIST SP 800-56A (section 5.6.4.2) as the reason for this.
>
>I am wondering if you can confirm that the comment requiring two server
>certificates is directed at servers supporting both ECDH_ECDSA and
>ECDHE_ECDSA key exchange methods (i.e., completely different cipher
>suites). For example, if I deploy a server supporting only one of these
>key exchange methods, that server would only need one certificate.
>
>-----Original Message-----
>From: ietf-announce-bounces@ietf.org [mailto:ietf-announce-
>bounces@ietf.org] On Behalf Of The IESG
>Sent: Thursday, September 25, 2008 11:30 AM
>To: IETF-Announce
>Subject: Last Call: draft-rescorla-tls-suiteb (Suite B Cipher Suites
>for TLS) to Informational RFC
> >
>The IESG has received a request from an individual submitter to
>consider
>the following document:
> >
>- 'Suite B Cipher Suites for TLS '
>    <draft-rescorla-tls-suiteb-06.txtas an Informational RFC
> >
>The IESG plans to make a decision in the next few weeks, and solicits
>final comments on this action.  Please send substantive comments to
>the
>ietf@ietf.org mailing lists by 2008-10-23. Exceptionally,
>comments may be sent to iesg@ietf.org instead. In either case, please
>retain the beginning of the Subject line to allow automated sorting.
> >
>The file can be obtained via
>http://www.ietf.org/internet-drafts/draft-rescorla-tls-suiteb-06.txt
> >
> >
>IESG discussion can be tracked via
> >
>https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag
>=15530&rfc_flag=0
> >
>_______________________________________________
>IETF-Announce mailing list
>IETF-Announce@ietf.org
>https://www.ietf.org/mailman/listinfo/ietf-announce



------------------------------

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


End of TLS Digest, Vol 51, Issue 2
**********************************
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email