Re: [TLS] TLS 1.2 hash agility
Mike <mike-list@pobox.com> Wed, 26 September 2007 15:02 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IaYPd-0007hh-Bk; Wed, 26 Sep 2007 11:02:53 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IaYPb-0007Zo-Bo for tls@ietf.org; Wed, 26 Sep 2007 11:02:51 -0400
Received: from rune.pobox.com ([208.210.124.79]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IaYPV-0004KK-6r for tls@ietf.org; Wed, 26 Sep 2007 11:02:51 -0400
Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id 7A5B513C681 for <tls@ietf.org>; Wed, 26 Sep 2007 11:02:45 -0400 (EDT)
Received: from [192.168.1.8] (wsip-24-234-114-35.lv.lv.cox.net [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 31A4213C66C for <tls@ietf.org>; Wed, 26 Sep 2007 11:02:45 -0400 (EDT)
Message-ID: <46FA745A.3070305@pobox.com>
Date: Wed, 26 Sep 2007 08:01:46 -0700
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: tls@ietf.org
Subject: Re: [TLS] TLS 1.2 hash agility
References: <46ABB82D.8090709@pobox.com> <46ACCCCB.8000201@pobox.com> <B356D8F434D20B40A8CEDAEC305A1F24046B2496@esebe105.NOE.Nokia.com> <20070914215611.0342933C21@delta.rtfm.com> <46EB102E.2070900@pobox.com> <20070914225606.9E9B433C21@delta.rtfm.com> <46EC2AE7.9040903@pobox.com> <20070917185820.6E7CC33C3A@delta.rtfm.com>
In-Reply-To: <20070917185820.6E7CC33C3A@delta.rtfm.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7da5a831c477fb6ef97f379a05fb683c
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Sorry for taking so long to respond to this.... >> I have an idea. Change the Cert Hash Types extension to the Supported >> Signature Algorithms extension, and allow the server to respond with >> its supported algorithms (only if the client sends its list, of course). > > I don't see how this solves the major problem, which is that you > are advertising your public key algorithm support in two places. I look at the Supported Signature Algorithms extension as a hybrid of the sender's list of capabilities (which algorithms his encryption library supports), and the sender's list of algorithms he deems acceptable from a security standpoint. If you exchange this information in the (proposed) extension, then you don't need to send it again in other places. > - In the case of the ServerKeyExchange, the client signals his > support in this extension *and* in the cipher suite. The cipher suite doesn't have all the information about which signature algorithm to use. TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA The above cipher suites specify that the public key in the certificate must be an RSA key, but they don't say anything about what algorithm is used to sign the certificate. TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA These specify that the DH parameters are signed with DSS, but they don't say which hash to use. Right now you can only use SHA-1, so it implicitly limits you to that, but isn't this going to change soon? TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA Similarly, these say to use RSA to sign the DH parameters, but don't specify the hash algorithm, so you still need to specify that some- where. > - In the case of the CertificateVerify, the server signals his > support in the CertificateRequest and in this extension. I would argue that all you need to do is remove the redundant list from the CertificateRequest message. Since the extension has already indicated to the client which algorithms the server will accept, there is no need to send the list again. > Taking the ServerKeyExchange as the paradigmatic example, ISTM that > we either need to rework the entire negotiation scheme, e.g., > to create new cipher suites which specify also the digest used > for signature, or just live with this duplication. The former > seems superior. It's my opinion that the current cipher suites will continue to work fine. As I said above, the current cipher suites are under- specified, so adding the extension fills in the missing blanks. > So, I propose we simply replace the HashTypes type with a signature > algorithms type that specifies both hash algorithm and signature > algorithm. As you suggest: > > struct { > SignatureAlgorithm supported_algorithms<2..2^16-2>; > } SupportedSignatureAlgorithms; > > This would go wherever HashTypes goes now. My point is that if you specify this information in ClientHello and ServerHello, you never have to exchange it again, so you can eliminate HashTypes altogether. This will also benefit any future addition to TLS that requires a signature, since there won't be the need to exchange the list of supported signature algorithms yet again. > However, the interpretation rules need to be extremely clear, > as below. > > CERTIFICATEREQUEST > For signatures by the client (i.e., CertificateVerify and Certificate), > the following rules apply: > > struct { > ClientCertificateType certificate_types<1..2^8-1>; > SignatureAlgorithm signature_types<1..2^16-1>; > DistinguishedName certificate_authorities<0..2^16-1>; > } CertificateRequest; > > - Any certificate offered by the client must be signed with an > algorithm described in signature_types. The certificate would be signed with an algorithm listed in the server's Supported Signature Algorithms extension. > - The certificate must contain a public key with an > algorithm specified in certificate_types. Yes, we still need certificate_types. > - The CertificateVerify must be signed with a signature algorithm > in signature_types. Again, the CertificateVerify would be signed with an algorithm from the server's extension. > SIGNATUREALGORITHMS > As you suggest, the client would offer a SignatureAlgorithms > extension. The rules would be similar: > > - Any certificate offered by the server must be signed with an > algorithm described in signature_types. > - The certificate key must contain a public key which has > an algorithm that matches the cipher suite, either for > signing (in the case of cipher suites which have it) > or encryption (in the case of cipher suites which don't). > - The ServerKeyExchange must be signed with an algorithm that > matches signature_types. I agree with all of that. At the risk of being redundant, I assert that making this extension symmetric and allowing the server to respond with its own list of supported algorithms, is better than having the server send its list every place where it is needed (now and in the future). Send it once in ServerHello, and use it where it's needed. Mike _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] TLS 1.2 Eric Rescorla
- Re: [TLS] TLS 1.2 Steven M. Bellovin
- Re: [TLS] TLS 1.2 Peter Gutmann
- Re: [TLS] TLS 1.2 Steven M. Bellovin
- Re: [TLS] TLS 1.2 Bodo Moeller
- [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 Mike
- [TLS] TLS 1.2 MAC calculation Mike
- Antwort: [TLS] TLS 1.2 MAC calculation Axel.Heider
- Re: Antwort: [TLS] TLS 1.2 MAC calculation Bodo Moeller
- Re: [TLS] TLS 1.2 interoperating Mike
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Mike
- Re: [TLS] TLS 1.2 hash agility Eric Rescorla
- RE: [TLS] TLS 1.2 hash agility Russ Housley
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen
- RE: [TLS] TLS 1.2 hash agility Pasi.Eronen