IETF Logo Mail Archive

Re: [TLS] DSS with other than SHA-1 algorithms

Martin Rex <mrex@sap.com> Wed, 13 April 2011 00:20 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfc.amsl.com
Delivered-To: tls@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 72F2FE06D9 for <tls@ietfc.amsl.com>; Tue, 12 Apr 2011 17:20:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.964
X-Spam-Level:
X-Spam-Status: No, score=-9.964 tagged_above=-999 required=5 tests=[AWL=0.285, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JoRRlCHuiEjz for <tls@ietfc.amsl.com>; Tue, 12 Apr 2011 17:20:16 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfc.amsl.com (Postfix) with ESMTP id 47F85E06B8 for <tls@ietf.org>; Tue, 12 Apr 2011 17:20:16 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p3D0K34M001686 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 13 Apr 2011 02:20:03 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201104130020.p3D0K20X013444@fs4113.wdf.sap.corp>
To: simon@josefsson.org
Date: Wed, 13 Apr 2011 02:20:02 +0200
In-Reply-To: <878vvmy4cr.fsf@latte.josefsson.org> from "Simon Josefsson" at Apr 7, 11 08:15:16 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] DSS with other than SHA-1 algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2011 00:20:17 -0000

Simon Josefsson wrote:
> 
> Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:
> > 
> > Hovav Shacham <hovav@cs.ucsd.edu> writes:
> > >
> > >How about we remove DSA support from TLS, then?

The decision in 1997 to mandate DHE_DSS was more of a political
than a technical decision, because the DH patent had just expired
and the RSA patent would not expire until 2000 (albeit the RSA
patent existed only in that part of the world where patent filing
was allowed up to a year after publication).


>
> > Possibly a bit extreme, but we could at least mark it "historical" or 
> > "deprecated" or something.  In fact we could do that for an awful lot of 
> > existing cipher suites.  Note that this isn't changing the standard
> > in any way, it's just documenting what's already the norm among
> > implementations.  If a cipher suite's been in there for ten years
> > and there are, approximately, zero cases of it being used, then
> > saying "Don't bother with this one" in order to help guide
> > implementers seems sensible.
> 
> Unfortunately I think DSA is still mandatory-to-implement in some
> protocols.  That makes it a bit more complicated, but still doable.

DHE_DSS was mandatory to implement _only_ for TLSv1.0 (but not SSLv3!):

 TLSv1.0      http://tools.ietf.org/html/rfc2246#section-9

   9. Mandatory Cipher Suites

   In the absence of an application profile standard specifying
   otherwise, a TLS compliant application MUST implement the cipher
   suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.


 TLSv1.1      http://tools.ietf.org/html/rfc4346#section-9

   In the absence of an application profile standard specifying
   otherwise, a TLS compliant application MUST implement the cipher
   suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

 TLSv1.2      http://tools.ietf.org/html/rfc5246#section-9

   In the absence of an application profile standard specifying
   otherwise, a TLS-compliant application MUST implement the cipher
   suite TLS_RSA_WITH_AES_128_CBC_SHA (see Appendix A.5 for the
   definition).


The wording in that section 9 looks garbled to me.
I assume this requirement was supposed to apply to
"TLS compliant implementations", and not application callers of TLS
(applications would not implement, but rather request cipher suites).


In practice, a TLS implementation without these two cipher suites

      CipherSuite TLS_RSA_WITH_RC4_128_SHA              = { 0x00,0x05 };
      CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA         = { 0x00,0x0A };

will likely encounter interop problems with a number of TLS peers,
whereas TLS implementations with _only_ RSA (no DH, no DHE, no DSS)
hardly ever missed those cipher suites, except maybe in a few
exotic PKIs.


SSLv3 does not appear to have any mandatory cipher suites.
Section D.1 of the SSL version 3 draft (draft302.txt) says this:

   D.4 CipherSuites

   SSL supports a range of key sizes and security levels, including
   some which provide no or minimal security.  A proper implementation
   will probably not support many cipher suites.  


-Martin

v2.23.0 | Report a Bug | By Email