Re: [TLS] TLS 1.2 Long-term Support Profile draft posted

Hubert Kario <> Tue, 22 March 2016 10:48 UTC

From: Hubert Kario <>
To: Peter Gutmann <>
Date: Tue, 22 Mar 2016 11:42:23 +0100

On Tuesday 22 March 2016 09:48:51 Peter Gutmann wrote:
> Joachim Strömbergson <> writes:
> >When you say that "a Cortex M3 isn't going to be able to handle
> >RSA-2048", what do you mean specifically? Considering that it is
> >being done by for example SharkSSL [1], is supported by ARM mbed TLS
> >(nee PolarSSL) [2] I fail to see what hardware limits you are
> >seeing. Yes, the speed you get is not impressive (1-2 seconds to
> >decrypt), but it might be ok, depending on your application.
> It's not just RSA, it's DH as well (looking at the SharkSSL library
> link it looks like it doesn't do DH at all, only RSA key transport). 
> I've seen PLCs where DHE+RSA leads to handshake times of 10-15s (not
> an M3, I just use that as a convenient mental model for an embedded
> CPU, this was using an industrial Power SoC), which isn't a good
> thing when what you're trying to communicate is an emergency shutdown
> command.
> In these situations, crypto comes at about position 77 in the priority
> list, with most of the previous ones taken up by "reliability" and
> "availability". If you write a spec that in effect mandates a
> 15-second delay in communicating commands to a controller, guess what
> vendors are going to do?

attacks only get better

if the hardware can't do crypto securely now, it certainly won't be able 
to do it tomorrow (you know, in the "Long Term")

it's a waste of time to patch up attacks that are still largely 
theoretical if you leave a mile wide hole in the fence

Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic