Re: [TLS] Updated TLS 1.2 I-D
Bodo Moeller <bmoeller@acm.org> Fri, 14 July 2006 10:04 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1KXJ-0005AG-Hl; Fri, 14 Jul 2006 06:04:41 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G1KXI-0005AA-2e for tls@ietf.org; Fri, 14 Jul 2006 06:04:40 -0400
Received: from moutng.kundenserver.de ([212.227.126.186]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G1KXF-0002Eq-Ih for tls@ietf.org; Fri, 14 Jul 2006 06:04:39 -0400
Received: from [134.147.40.251] (helo=tau.invalid) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1G1KXC0AXr-0002iN; Fri, 14 Jul 2006 12:04:34 +0200
Received: by tau.invalid (Postfix, from userid 1000) id 63B5517D45; Fri, 14 Jul 2006 12:04:32 +0200 (CEST)
Date: Fri, 14 Jul 2006 12:04:32 +0200
From: Bodo Moeller <bmoeller@acm.org>
To: Gregory Chudov <gchudov@gmail.com>
Subject: Re: [TLS] Updated TLS 1.2 I-D
Message-ID: <20060714100431.GA9599@iota.site>
References: <20060625170241.E4704222425@laser.networkresonance.com> <4717c1330607132319g57470479l4892d842302b7ea0@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4717c1330607132319g57470479l4892d842302b7ea0@mail.gmail.com>
User-Agent: Mutt/1.5.9i
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:2100a517a32aea841b51dac1f7c5a318
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
On Fri, Jul 14, 2006 at 10:19:38AM +0400, Gregory Chudov wrote: > Concerning Certificate Verify message: >> If the SignatureAlgorithm >> is DSA, then the sha_hash value must be used. If it is RSA, >> the same function (denoted Hash) must be used as was used to >> create the signature for the client's certificate. > This doesn't look reasonable. > > Aside from general "bad feeling" about this, i have at least three > examples in which this causes trouble: [...] Also, sha_hash is a SHA-1 hash, but the FIPS 186-3 (Digital Signature Standard) draft also provides for use of the longer SHAs from FIPS 180-2 for prime moduli over 1024 bits. (The subgroup size determines the recommended SHA variant, although it can be agreed to use stronger hash functions with truncation.) > My proposition is: > > 1) Change the structure of the CertificateVerify message to reflect > the change to CertificateRequest: [...] My suggestion is different: Don't change the definition of CertificateRequest in the first place, i.e. don't introduce HashType in the first place. Keep the definitions of the rsa_sign and dss_sign client authentication methods as in current TLS versions, but define new client authentication methods where the hashing is done differently. There could be something like dsa_sign_fips_186_3 where hashing is done as recommended in FIPS 186-3 (here I'm hoping that this actually gets standardized within a reasonable timeframe). There are only aesthetical reasons to get rid of the current MD5/SHA-1 concatenation in RSA client authentication. Authentication can only broken if the attack succeeds in real time (and this requires a second preimage, not just a collision!). As long as we have the current Finished message (which involves MD5 anyway, so no implementation can do without it), not much speaks against leaving RSA signing as it is now. However, here too we could add a FIPS 186-3 variant, meaning that depending on the modulus size a wider SHA can be used, adopting the "security strength" for RSA moduli from NIST SP 800-57 to obtain the appropriate SHA variant. (I.e., SHA-1 up to 1024 bits, SHA-224 up to 2048 bits, SHA-256 up to 3072 bits, SHA-384 up to 7680 bits, SHA-512 up to 15360 bits.) _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Updated TLS 1.2 I-D Eric Rescorla
- Re: [TLS] Updated TLS 1.2 I-D Kyle Hamilton
- Re: [TLS] Updated TLS 1.2 I-D Bodo Moeller
- Re: [TLS] Updated TLS 1.2 I-D Peter Sylvester
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Eric Rescorla
- Re: [TLS] Updated TLS 1.2 I-D Mohamad Badra
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Bodo Moeller
- Re: [TLS] Updated TLS 1.2 I-D Peter Sylvester
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Anyang Ren
- Re: [TLS] Updated TLS 1.2 I-D Eric Rescorla
- Re: [TLS] Updated TLS 1.2 I-D Anyang Ren
- Re: [TLS] Updated TLS 1.2 I-D Eric Rescorla
- RE: [TLS] Updated TLS 1.2 I-D Pasi.Eronen
- Re: [TLS] Updated TLS 1.2 I-D Rob Dugal
- Re: [TLS] Updated TLS 1.2 I-D Gregory Chudov
- Re: [TLS] Updated TLS 1.2 I-D Bodo Moeller