IETF Logo Mail Archive

Re: [TLS] security levels for TLS

Mike <mike-list@pobox.com> Thu, 11 October 2007 15:38 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig06z-0004YB-SY; Thu, 11 Oct 2007 11:38:09 -0400
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1Ig06y-0004Xj-8O for tls-confirm+ok@megatron.ietf.org; Thu, 11 Oct 2007 11:38:08 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ig06x-0004VY-V8 for tls@lists.ietf.org; Thu, 11 Oct 2007 11:38:07 -0400
Received: from rune.pobox.com ([208.210.124.79]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ig06j-0007Fh-V5 for tls@lists.ietf.org; Thu, 11 Oct 2007 11:38:00 -0400
Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id 5F8EF146879 for <tls@lists.ietf.org>; Thu, 11 Oct 2007 11:37:35 -0400 (EDT)
Received: from [192.168.1.8] (wsip-24-234-114-35.lv.lv.cox.net [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 1AD4A146874 for <tls@lists.ietf.org>; Thu, 11 Oct 2007 11:37:34 -0400 (EDT)
Message-ID: <470E4399.3010008@pobox.com>
Date: Thu, 11 Oct 2007 08:39:05 -0700
From: Mike <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: tls@lists.ietf.org
Subject: Re: [TLS] security levels for TLS
References: <c331d99a0710080621g7c0ec91et35c46553c23f4402@mail.gmail.com> <p0624082fc331b0ed0ecc@[192.168.1.100]> <FA998122A677CF4390C1E291BFCF59890849871E@EXCH.missi.ncsc.mil> <470D0243.3050009@pobox.com> <20071010180324.7ABC533C21@delta.rtfm.com>
In-Reply-To: <20071010180324.7ABC533C21@delta.rtfm.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52f7a77164458f8c7b36b66787c853da
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

I think there is good reason to try to solve this problem
in the TLS layer.  The alternative is to force every TLS-
enabled application to solve it (and likely they won't
solve it and be less secure).  Wouldn't it be ideal if an
application could just say:

     TLS::SetSecurityLevel (3);

and know that the resulting connection will either meet
the (implementation-dependent) criteria for that level of
security, or the TLS negotiation will fail?

Currently an application has to do the following:

    1) configure TLS layer with acceptable cipher suites
    2) connect to server
    3) negotiate a TLS session
       (many applications will stop here)
    4) check that the negotiated parameters meet the
       application's idea of good security
    5) if not, abort TLS session, disconnect, remove
       some cipher suites from the acceptable list and
       goto step 1

This is inefficient and error-prone, and makes it much
harder to know how secure your IT infrastructure as a
whole is since there are as many points of failure as
there are applications.  Also as attacks improve and the
security requirements change, every application needs to
be reexamined and modified.

It would be much better if all that was needed was to
replace the TLS library with an updated version.  Or
better yet, the TLS library may have a plain text
configuration file for its security levels that could
be replaced, and all you need to do is restart your
applications.

> Absent some significant evidence that this is a problem in 
> practice, I'm against the TLS WG doing anything along these
> lines.

The folks at Opera Software have expressed how difficult
it was to secure their browser, and how insecure some
servers are (256-bit DH parameters!).  The W3C is also
attempting to solve this problem, but the need extends
beyond HTTPS.

Another issue I've been meaning to bring up is that
if you want forward secrecy, you need to use Diffie-
Hellman; however, there is no way to tell the server
the size of the parameter p you want.  Increasing the
size of p has significant performance implications,
so servers will typically use 1024 bits.  On my Windows
machine, it takes 0.02 seconds to generate a public key
and another 0.02 seconds to compute the secret using
1024-bit parameters.  Moving to 2048-bit parameters,
the computation time increases to 0.15 seconds each.
4096-bit computations take 1.1 seconds.  No server
operator will decrease throughput by a factor of 50
for everyone, just to accommodate the few who want
this level of security.  It would be better if those
who want to use 4096 bits could ask for it.

Mike


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email