IETF Logo Mail Archive

Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remarks on draft-popov-prohibiting-rc4-01

mrex@sap.com (Martin Rex) Mon, 13 January 2014 18:37 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DD461ADF99 for <tls@ietfa.amsl.com>; Mon, 13 Jan 2014 10:37:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.252
X-Spam-Level:
X-Spam-Status: No, score=-6.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fYSLtFeIvC-j for <tls@ietfa.amsl.com>; Mon, 13 Jan 2014 10:37:31 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 4DFB91ADF93 for <tls@ietf.org>; Mon, 13 Jan 2014 10:37:31 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id s0DIbIox000158 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 13 Jan 2014 19:37:19 +0100 (MET)
In-Reply-To: <52C213F2.5040809@polarssl.org>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Date: Mon, 13 Jan 2014 19:37:18 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20140113183718.D80471ABA0@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] SHA-2 in TLS 1.0 and 1.1 -- Was: Remarks on draft-popov-prohibiting-rc4-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2014 18:37:34 -0000

Manuel Pégourié-Gonnard wrote:
>
> Watson Ladd wrote:
>>
>> Even if SHA-1 is utterly broken, this won't necessarily break HMAC
>> based on it.

More importantly, with the current TLS protocol, the MAC is encrypted,
so even if SHA-1 was "broken" and HMAC-SHA1 was broken too, the
MAC would still be encrypted and therefore still be more secure than
AES-GCM ciphersuites.  (The GHASH function that is used by AES-GCM
does not have cryptographic properties to begin with).


>> 
>> I also don't like the idea of backporting: if we are going to be
>> patching systems and forcing
>> upgrades, why not to TLS 1.2 which doesn't have these issues?
> 
> Well, that was more or less my question: is using SHA-2 for HMAC with
> TLS < 1.2 really backporting? I just checked RFC 2246 and 4346 and they
> both state:
> 
>     Additional hash algorithms can be defined by cipher suites and
>     used to protect record data, but MD5 and SHA-1 are hard coded into
>     the description of the handshaking for this version of the protocol.

In spite of this wording in the document, changing the PRF in TLSv1.0
and TLSv1.1 to use a different hash is no more difficult that doing
so in TLSv1.2, this has been in active use for several years,
e.g. http://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04

and it is so simple and straightforward, that it can even be done
in Microsoft Windows XP's SChannel through third-party plugins,
a TLS implementation that is TLSv1.0-only, doesn't support
TLS extensions and not even AES-CBC cipher suites (rfc3268, jun 2002).


> 
> So, I'm really under the impression that there is nothing that prevents
> anyone from defining a SHA-2 ciphersuite and using it with TLS < 1.2,
> with the understanding that the PRF (hence the handshake authentication)
> remains based on MD5 + SHA1.

It would amount ot a complete waste of resources to use HMAC-SHA256
in current TLS cipher suites,  HMAC-SHA1 is perfectly sufficient,
at least when it is encrypted like it currently is.


> 
> However, a number of facts (akr's recent message, the restriction in RFC
> 5932, the fact that neither OpenSSL nor GnuTLS accepts to negotiate any
> SHA-2 suite with TLS < 1.2) seems to indicate otherwise, so I wanted to
> check if I missed some good reason not to use SHA-2 suites with TLS <
> 1.2.

I was also surprised to see implementations fail interop for the
_SHA256 ciphersuites from rfc5246 for TLSv1.1 and TLSv1.0 with no
apparent reason.

-Martin

v2.23.0 | Report a Bug | By Email