Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remarks on draft-popov-prohibiting-rc4-01
mrex@sap.com (Martin Rex) Mon, 13 January 2014 18:37 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DD461ADF99 for <tls@ietfa.amsl.com>; Mon, 13 Jan 2014 10:37:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.252
X-Spam-Level:
X-Spam-Status: No, score=-6.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fYSLtFeIvC-j for <tls@ietfa.amsl.com>; Mon, 13 Jan 2014 10:37:31 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 4DFB91ADF93 for <tls@ietf.org>; Mon, 13 Jan 2014 10:37:31 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id s0DIbIox000158 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 13 Jan 2014 19:37:19 +0100 (MET)
In-Reply-To: <52C213F2.5040809@polarssl.org>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Date: Mon, 13 Jan 2014 19:37:18 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20140113183718.D80471ABA0@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remarks on draft-popov-prohibiting-rc4-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2014 18:37:34 -0000
Manuel Pégourié-Gonnard wrote: > > Watson Ladd wrote: >> >> Even if SHA-1 is utterly broken, this won't necessarily break HMAC >> based on it. More importantly, with the current TLS protocol, the MAC is encrypted, so even if SHA-1 was "broken" and HMAC-SHA1 was broken too, the MAC would still be encrypted and therefore still be more secure than AES-GCM ciphersuites. (The GHASH function that is used by AES-GCM does not have cryptographic properties to begin with). >> >> I also don't like the idea of backporting: if we are going to be >> patching systems and forcing >> upgrades, why not to TLS 1.2 which doesn't have these issues? > > Well, that was more or less my question: is using SHA-2 for HMAC with > TLS < 1.2 really backporting? I just checked RFC 2246 and 4346 and they > both state: > > Additional hash algorithms can be defined by cipher suites and > used to protect record data, but MD5 and SHA-1 are hard coded into > the description of the handshaking for this version of the protocol. In spite of this wording in the document, changing the PRF in TLSv1.0 and TLSv1.1 to use a different hash is no more difficult that doing so in TLSv1.2, this has been in active use for several years, e.g. http://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04 and it is so simple and straightforward, that it can even be done in Microsoft Windows XP's SChannel through third-party plugins, a TLS implementation that is TLSv1.0-only, doesn't support TLS extensions and not even AES-CBC cipher suites (rfc3268, jun 2002). > > So, I'm really under the impression that there is nothing that prevents > anyone from defining a SHA-2 ciphersuite and using it with TLS < 1.2, > with the understanding that the PRF (hence the handshake authentication) > remains based on MD5 + SHA1. It would amount ot a complete waste of resources to use HMAC-SHA256 in current TLS cipher suites, HMAC-SHA1 is perfectly sufficient, at least when it is encrypted like it currently is. > > However, a number of facts (akr's recent message, the restriction in RFC > 5932, the fact that neither OpenSSL nor GnuTLS accepts to negotiate any > SHA-2 suite with TLS < 1.2) seems to indicate otherwise, so I wanted to > check if I missed some good reason not to use SHA-2 suites with TLS < > 1.2. I was also surprised to see implementations fail interop for the _SHA256 ciphersuites from rfc5246 for TLSv1.1 and TLSv1.0 with no apparent reason. -Martin
- [TLS] Remarks on draft-popov-prohibiting-rc4-01 Watson Ladd
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Yoav Nir
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Alyssa Rowan
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Watson Ladd
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Eric Rescorla
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Watson Ladd
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Yoav Nir
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Eric Rescorla
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Eric Rescorla
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Alyssa Rowan
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Manuel Pégourié-Gonnard
- [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remarks on… Manuel Pégourié-Gonnard
- Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remark… Alyssa Rowan
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Watson Ladd
- Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remark… Watson Ladd
- Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remark… Manuel Pégourié-Gonnard
- Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remark… Eric Rescorla
- Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remark… Santosh Chokhani
- Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remark… Michael StJohns
- Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remark… Eric Rescorla
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Yaron Sheffer
- Re: [TLS] Remarks on draft-popov-prohibiting-rc4-… Andrei Popov
- Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remark… Martin Rex
- Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remark… Martin Rex