Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

Tony Arcieri <bascule@gmail.com> Mon, 11 January 2016 23:14 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qFJTOdmtjZuXkqbzjV-LInWN0k0>

On Mon, Jan 11, 2016 at 3:09 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> The vulnerabilities shown in the SLOTH paper were based on the fact that
> implementations still allow MD5 for authentication/integrity protection, even
> if (for example) it's explicitly disabled in the config.  So the problem
> wasn't a fault in the protocol, it's buggy implementations (as it was for ones
> that allowed 512-bit keys, non-prime primes, and so on).  Throwing out TLS 1.1
> based on this seems rather premature.
>

My understanding is TLS 1.2 specifically was amended to allow MD5
signatures even though this was not the case in previous TLS versions, or
at least that was the claim of the miTLS presenters on SLOTH at
RealWorldCrypto 2016.

If this is the case, this seems like a big regression in TLS 1.2.

--
Tony Arcieri
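
The failure mode raised in the quoted text (an MD5 signature being accepted although MD5 is disabled in the configuration) comes down to checking the hash/signature pair on a signed TLS 1.2 handshake message against both what was offered and what local policy allows. The following is an added example, not part of the original thread or of any TLS implementation; the function names, the weak-hash set and the sample bytes are assumptions made for illustration, while the code points are those of RFC 5246, section 7.4.1.4.1.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points from RFC 5246, section 7.4.1.4.1
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"none", "md5", "sha1"}  # assumed local policy, not from the thread


def parse_signature_algorithms(ext_data: bytes):
    """Parse signature_algorithms extension_data into (hash, sig) pairs."""
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body) or list_len == 0 or list_len % 2:
        raise ValueError("bad supported_signature_algorithms length")
    return [(body[i], body[i + 1]) for i in range(0, list_len, 2)]


def name(pair):
    """Human-readable name for a (hash, sig) pair; unknown ids shown in hex."""
    h, s = pair
    return f"{SIGS.get(s, hex(s))}-{HASHES.get(h, hex(h))}"


def weak_offers(offered):
    """Return the names of offered pairs whose hash is in WEAK_HASHES."""
    return [name(p) for p in offered if HASHES.get(p[0]) in WEAK_HASHES]


def check_peer_signature(used, offered, allowed_hashes):
    """Accept the pair found on a signed handshake message only if it was
    offered AND its hash is enabled locally; raise ValueError otherwise."""
    if used not in offered:
        raise ValueError(f"peer signed with {name(used)}, which was not offered")
    if HASHES.get(used[0]) not in allowed_hashes:
        raise ValueError(f"{name(used)} is disabled by configuration")
    return True


# Constructed sample: a list offering rsa-sha256, ecdsa-sha256, rsa-sha1, rsa-md5
SAMPLE = bytes.fromhex("0008" "0401" "0403" "0201" "0101")

if __name__ == "__main__":
    offered = parse_signature_algorithms(SAMPLE)
    print("weak pairs offered:", weak_offers(offered))
```

The second check in `check_peer_signature` is the one that matters for the case described in the quote: a pair can be present in the offered list and still has to be refused when its hash is disabled locally.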