IETF Logo Mail Archive

[TLS] Standard security levels (was Re: Better weak hash language (was Re: AD Review of draft-ietf-tls-tls13))

Nico Williams <nico@cryptonector.com> Tue, 23 May 2017 18:07 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87469129C5D for <tls@ietfa.amsl.com>; Tue, 23 May 2017 11:07:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QuDFn0onBceq for <tls@ietfa.amsl.com>; Tue, 23 May 2017 11:07:14 -0700 (PDT)
Received: from homiemail-a107.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26FCB129C56 for <tls@ietf.org>; Tue, 23 May 2017 11:07:14 -0700 (PDT)
Received: from homiemail-a107.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a107.g.dreamhost.com (Postfix) with ESMTP id A3D7C20051C25; Tue, 23 May 2017 11:07:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=elFBisDrwNt9kq V76SbMQhsa/20=; b=keF/j76LPN8+5kgeL6yQRAClM/QOfXrn+7wybUEoUaTW+t l5+9yVyIZtBNYKXGke2bzrGRFcH8fPwLdrRBEJ9D5clBJdveIb+mS0+TeanXZhAl upUMcYdmCdWN9cyn9Wgt0YOSPUSWvJZQ+HboB/04AVw/RjaVE0UEVppbHz+wo=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a107.g.dreamhost.com (Postfix) with ESMTPSA id 58FBA20051C24; Tue, 23 May 2017 11:07:13 -0700 (PDT)
Date: Tue, 23 May 2017 13:07:11 -0500
From: Nico Williams <nico@cryptonector.com>
To: Dave Garrett <davemgarrett@gmail.com>
Cc: tls@ietf.org
Message-ID: <20170523180710.GU10188@localhost>
References: <f262447d-5bd1-68c8-dac6-ad2224733235@akamai.com> <201705222019.46521.davemgarrett@gmail.com> <F589FF5F-3F77-4125-B8F0-B9701925B9EF@dukhovni.org> <201705222057.30588.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201705222057.30588.davemgarrett@gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rSXjoR0778w2OylqtQkYmty9tIw>
Subject: [TLS] Standard security levels (was Re: Better weak hash language (was Re: AD Review of draft-ietf-tls-tls13))
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 18:07:15 -0000

On Mon, May 22, 2017 at 08:57:30PM -0400, Dave Garrett wrote:
> On Monday, May 22, 2017 08:29:13 pm Viktor Dukhovni wrote:
> > Setting a collision-resistance floor rather than naming some list
> > of algorithms makes more sense to me, but if the WG really feels
> > that naming some "verbotten" algorithms is better, so be it.
> 
> My preference would be to do both. Call out the ones we have
> codepoints for by name (MD5/SHA1/SHA224), then have a general
> collision-resistance floor value for everything else.

Sure.

In general I prefer setting floors, as Viktor says.  That's because
listing all forbidden algorithms is easy to flub up, and because it's
much easier from an API point of view to specify security levels than to
go listing things that are allowed/forbidden.

I think we should have standard algorithm security profile names that
can be used in multiple protocols.  E.g.,

 - weak         (obsolete weak algorithms allowed)
 - interim      (certain obsolete weak algorithms allowed during migrations)
 - default      (default security floors, no obsolete weak algorithms allowed)
 - stronger     (like standard but with higher security floors)

 - <URN?>       (local/custom security level, perhaps specified
                 additively from standard security levels)

The meaning of each of these would be updated over time by updating the
RFCs for the relevant protocols.  Thus configurations would not have to
change.

Specifying such a security level to TLS would have it apply that level
to its ciphersuite, PRF, key agreement, PSK, and signature algorithms,
and pass it to PKIX when using PKIX.

Specifying such a security level to PKIX would have it apply that level
to certificate public key and certificate signature algorithms, as well
as to path construction and validation.

Specifying such a security level to Kerberos, SSHv2, ... would ...
And so on.

This would make security level configuration much easier in the common
case.  And would avoid periodically having to update configurations to
adjust for recent cryptanalysis advances: just update the meanings of
these standard security levels and update software.

Nico
--

v2.23.0 | Report a Bug | By Email