Re: [TLS] TLS 1.2 and sha256

Colm MacCárthaigh <colm@allcosts.net> Mon, 11 June 2018 22:36 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6887B130EC3 for <tls@ietfa.amsl.com>; Mon, 11 Jun 2018 15:36:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0Oj9ns1bbTj for <tls@ietfa.amsl.com>; Mon, 11 Jun 2018 15:36:55 -0700 (PDT)
Received: from mail-yw0-x235.google.com (mail-yw0-x235.google.com [IPv6:2607:f8b0:4002:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C08B9128BAC for <tls@ietf.org>; Mon, 11 Jun 2018 15:36:55 -0700 (PDT)
Received: by mail-yw0-x235.google.com with SMTP id r19-v6so6864986ywc.10 for <tls@ietf.org>; Mon, 11 Jun 2018 15:36:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3xoU2YR1vwVK+J0sz7DAeXSg+ktumCmS8BsWpX25iL0=; b=06FBSpK9t1RmG2thSS5KNotBbrRj5N4u42Nqdr6sPkHdZE4D047NH3ZNiBjRMrYbBN +0bkQAc5Oy9IufzjUCjTMOE8d31kr0I3ICyGYEKHXBaB7QaYwyEbmwbY/lktdgGjfNG7 Il988utS349Yvde46WZj6u0tdiOzlZBknWVXa55yneg2SraPq1m4MFRIo1pygbreRg/y 7PSjv7fcrswwaiGLSwPsTm4FFOHUoSzywM2w02b5btD074fUVNMv7TG1IJJ5c7JnBXsn jsDvXSKElMOpihGP4aQfXe5VxSo61wNeUJiZQybxSXtpbaAiqntmy/PpxGJOXgcDrKHF UhTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3xoU2YR1vwVK+J0sz7DAeXSg+ktumCmS8BsWpX25iL0=; b=sk47Ka8HUY+YXl8nO8VsnEPWhXX1mqSMwGL7qOEfz5rQF1wrbh5LK6gju92ybN/ztT YnDyvAVAcMrg2+OcjFlNXsZx/vdl7DChoLou0uxoi/3cYIRQtk+fh+wg+dH5UWb7T9Uu b3oQ0ZXBdKxuRGJxGO/PeR/04tfzrjrVlqpJfF1uKz0/F704C/7rGT1z40s7OMInyI1u 7+pCSnKyRtwnzQ6AjZdEl+B+8OXfJmnM801WykCR6E+fblC9XSFJO7niDhamod3G8Cfb ecw/dgaXyoE+MXcnpt3cPkGpxVurEPeIJI3mdDmLWGGLhvufvvQOA0cyiE6fFD3k41a1 kMxA==
X-Gm-Message-State: APt69E1cFfz3+TwAcRKtKVZjDirj5YZ54XaL8xIPgTEu69B7fzDvTpca v1EPHg/lihr85Xq+TawgU5COqD//xhyqSHBxYzyEJg==
X-Google-Smtp-Source: ADUXVKIvHIV3ur0hZZmGNrJht18iq9Za+h6efx+gJXjqY6YUlsuzgIi/A2LmCEhmfuxhnp/C3uz+jswt621VBeDO/Pw=
X-Received: by 2002:a0d:f885:: with SMTP id i127-v6mr521707ywf.144.1528756614761; Mon, 11 Jun 2018 15:36:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a81:7bc4:0:0:0:0:0 with HTTP; Mon, 11 Jun 2018 15:36:53 -0700 (PDT)
In-Reply-To: <CAF8qwaCFEwz_D5PtSAYKifvisKbGK6yVJma=7uSDd=UOWkG=gw@mail.gmail.com>
References: <CADZyTknFe8Da948kOJRZcPkKkwnaVQUOseMfyZa_A4TckuY3gw@mail.gmail.com> <CAF8qwaCFEwz_D5PtSAYKifvisKbGK6yVJma=7uSDd=UOWkG=gw@mail.gmail.com>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <colm@allcosts.net>
Date: Mon, 11 Jun 2018 15:36:53 -0700
Message-ID: <CAAF6GDcxtk-JGH+Akt9DKhfRRd=1Eg+spyibjXrQjG432jSK0Q@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: Daniel Migault <daniel.migault@ericsson.com>, LURK BoF <lurk@ietf.org>, tls <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f8a7da056e6562d9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vdGZJ1KPzZDe2jNW-0NGgd5s7Xg>
Subject: Re: [TLS] TLS 1.2 and sha256
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jun 2018 22:37:00 -0000

Just to add to this excellent answer  ... there is the signature on the
certificates used, which is independent of the cipher suite that you
negotiate but also commonly uses SHA256. Truly moving from SHA256 would
require CAs, Browsers, etc to adopt something new there too.

On Mon, Jun 11, 2018 at 2:52 PM, David Benjamin <davidben@chromium.org>
wrote:

> In both TLS 1.2 and TLS 1.3, SHA-256 isn't hardcoded per se. It's a
> function of the cipher suite you negotiate (and also, separately, the
> signature algorithm you negotiate). That said, in practice, both are pretty
> solidly dependent on SHA-256. Most options involve it. AES-128-GCM and
> ChaCha20-Poly1305 are currently paired with SHA-256 while only AES-256-GCM
> is paired with SHA-384.
>
> We could certainly define new cipher suites for either of TLS 1.2 and TLS
> 1.3 as needed. But defining a new cipher suite for TLS 1.2 doesn't
> magically deploy it for all existing TLS 1.2 servers. Those servers must
> deploy new code, at which point updating your TLS library to include it
> would also pull in TLS 1.3 anyway (or whatever the latest TLS version is by
> then).
>
> So I think there will likely be no point in bothering with TLS 1.2
> allocations at that point. More options means more combinatorial complexity
> for implementations, which means more our rather limited collective
> resources in this space get even more thinly spread.
>
> David
>
> On Mon, Jun 11, 2018 at 5:25 PM Daniel Migault <
> daniel.migault@ericsson.com> wrote:
>
>> Hi,
>>
>> TLS 1.2 uses sha256 as the prf hash function. When sha256 will not be
>> considered secured, I am wondering if we can reasonably envision
>> deprecating sha256 for TLS 1.2 or if TLS 1.2 will at that time be
>> deprecated in favor of TLS 1.X X>= 3 ?
>>
>> In other words, I am wondering how much we can assume TLS 1.2 is
>> associated to sha256.
>>
>> Yours,
>> Daniel
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>


-- 
Colm