IETF Logo Mail Archive

Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client

Martin Rex <mrex@sap.com> Fri, 18 February 2011 19:28 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6EB7F3A6E27 for <tls@core3.amsl.com>; Fri, 18 Feb 2011 11:28:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.225
X-Spam-Level:
X-Spam-Status: No, score=-10.225 tagged_above=-999 required=5 tests=[AWL=0.024, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YTvO43X3JWXC for <tls@core3.amsl.com>; Fri, 18 Feb 2011 11:28:10 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 2DE1F3A6D4A for <tls@ietf.org>; Fri, 18 Feb 2011 11:28:09 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p1IJSUbc020807 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 18 Feb 2011 20:28:30 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201102181928.p1IJSThD006475@fs4113.wdf.sap.corp>
To: ekr@rtfm.com
Date: Fri, 18 Feb 2011 20:28:29 +0100
In-Reply-To: <AANLkTikNYQ2h=fLnwscf-d=CfQoFoH0bZ9_MAnLNX86J@mail.gmail.com> from "Eric Rescorla" at Feb 17, 11 12:54:35 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Feb 2011 19:28:11 -0000

Eric Rescorla wrote:
> 
> Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote:
> > If the server requests a client certificate then it has to store
> > all messages up to (but not including) the CertificateVerify message.
> > That is because he cannot possibly know which signature algorithm
> > hash the client will use.
> 
> Agreed. I can't recall if we discussed this when this feature was being
> designed for 5246 but ISTM that the only way to have this work that
> didn't have this property would be for the client to offer all his
> certificates up-front and the server to select one, since it's
> possible that each cert comes with a specific hash algorithm tied to it.

I am quite confused by a few issues in TLSv1.2 / rfc-5246 about hash
and signature algorithms.

In particular, that TLSv1.2 forces TLS-proprietary digital signatures
from the TLS handshake messages ServerKeyExchange and CertificateVerify
into the same single algorithm negotiation with digital signatures
on certificates appears to create significant new problems.


rfc-5246, 7.4.2  Server Certificate  last paragraph on page 49
   http://tools.ietf.org/html/rfc5246#page-49

   If the client provided a "signature_algorithms" extension, then all
   certificates provided by the server MUST be signed by a
   hash/signature algorithm pair that appears in that extension.  Note
   that this implies that a certificate containing a key for one
   signature algorithm MAY be signed using a different signature
   algorithm (for instance, an RSA key signed with a DSA key).
?                                                               This is
?  a departure from TLS 1.1, which required that the algorithms be the
?  same.

I searched TLSv1.1 (rfc4346) from top to buttom but did NOT find any
requirements about signature algorithms of certificates in that spec.
I have also not noticed any such restrictions in TLS implementations
I looked at.

So I created a DSA-rootCA, an rsa-2048 server cert, started a TLSv1.0
with this and WindowsXP, Firefox3 an OpenSSL all happily communicate
with it.

So this part of rfc-5246 purports to solve a problem that actually
does not exist in earlier versions of TLS.  The "solution" that
TLSv1.2 alleges to provides looks more like a cumbersome
limitation to me.  While there is zero problem of using certificate
chains with arbitrary mixtures of signature algorithms in TLSv1.1
and prior, this doesn't work anymore when negotiating TLSv1.2,
in particular for signature algorithms which can not be represented
with the code points of TLSv1.2.


TLS implementations that do not want to hang on to carry along all
handshake messages may want the list of hashes permitted for the
"digitally signed" construct in ServerKeyExchange and CertificateVerify
to be as small as possible, while they may want to remain a liberal
as possible about digital signature algorithms on certificates,
similar to all version of TLS up to v1.1.

It's unclear for me what motivated conflating two quite contradictory
objectives into a single protocol element (the SignatureAlgorithm list
in the ClientHelloExtension SignatureAlgorithm applying to both
ServerCertificate and ServerKeyExchange handshake messages,
and the list of SignatureAlgorithms in CertificateRequest applying
to both ClientCertificate and CertificateVerify handshake messages.

As a result of this, any PKIs with less common digital signature
algorithms on path certificates that may have worked perfectly fine
with SSLv3, TLSv1.0 and TLSv1.1, and continue to work with an
implementation of TLSv1.2 that negotiates only v1.0 or v1.1 are
required to fail by the TLSv1.2 spec when TLSv1.2 is negotiated,
because of a lack of code points to represent digital signature AlgIDs
plus the complete lack of knowledge about the AlgIDs supported
in the PKI implementation within the architecturally independent
TLS protocol stack.



A year ago we started shipping support for GOST ciphersuites based on this
proposal:

      http://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04

in our (at that time OEM) implementation of TLSv1.0, with the
GOST crypto algorithms provided to the TLS stack through a plugin-
interface to a third-party (certifiable) GOST crypto plugin.
 

A very similar capability exists in Windows XPsp2, where the GOST cipher
suites can be used with SChannel and MSIE6 after installation
of an adequate CryptoCSP, although XP's SChannel is an implementation
of TLSv1.0 with _no_ TLS extensions.

I believe there exists more flexibility in TLSv1.0/v1.1 architecture
than rfc5246 asserts.


-Martin

v2.23.0 | Report a Bug | By Email