IETF Logo Mail Archive

Re: [TLS] Re: NIST TLS recomendations

Bodo Moeller <bmoeller@acm.org> Sat, 04 November 2006 07:03 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GgFYr-0000so-CA; Sat, 04 Nov 2006 02:03:25 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GgFYq-0000sg-AO for tls@ietf.org; Sat, 04 Nov 2006 02:03:24 -0500
Received: from moutng.kundenserver.de ([212.227.126.188]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GgFYo-0007HF-Tc for tls@ietf.org; Sat, 04 Nov 2006 02:03:24 -0500
Received: from [80.142.131.106] (helo=tau.invalid) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1GgFYm0utL-0004Z2; Sat, 04 Nov 2006 08:03:21 +0100
Received: by tau.invalid (Postfix, from userid 1000) id A13354DFF; Sat, 4 Nov 2006 08:03:18 +0100 (CET)
Date: Sat, 04 Nov 2006 08:03:18 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [TLS] Re: NIST TLS recomendations
Message-ID: <20061104070318.GA26795@tau.invalid>
References: <B356D8F434D20B40A8CEDAEC305A1F2403585B1C@esebe105.NOE.Nokia.com> <E1Gg9IJ-0003hr-00@medusa01.cs.auckland.ac.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <E1Gg9IJ-0003hr-00@medusa01.cs.auckland.ac.nz>
User-Agent: Mutt/1.5.9i
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:2100a517a32aea841b51dac1f7c5a318
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cab78e1e39c4b328567edb48482b6a69
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

On Sat, Nov 04, 2006 at 01:21:55PM +1300, Peter Gutmann wrote:
> <Pasi.Eronen@nokia.com> writes:

>> RFC 4279 does have "DHE_PSK" suites (Diffie-Hellman authenticated with a PSK;
>> nothing anonymous there). Is this what you meant by DH_anon_PSK, or something
>> else?

> Sort of.  It's a naming problem, the main TLS spec uses 'DH_anon' to mean 'key
> exchange without certificates', while the TLS-PSK spec uses 'DHE_PSK' to mean
> 'key exchange without certificates (but with mutual authentication via PSK)'
> (re-reading my earlier posting, I was pretty unclear on this :-).  My concern
> was that phrasing the authentication check purely as "verifying the
> certificate" (as in, for example, Bodo's suggested text) would cause problems
> if that were taken to apply to the PSK suites (and SRP and others) where
> there's no certificate to verify.  [...]

So here's an updated proposal.  This avoids the word "deprecated" (as by
Pasi's and Simon's earlier remarks), and avoids the word "certificate":

   The following cipher suites are used for completely anonymous Diffie-
   Hellman communications in which neither party is authenticated. Note
   that this mode is vulnerable to man-in-the-middle attacks.  Using
   this mode therefore is of limited use: These ciphersuites MUST NOT be
   used by TLS 1.2 implementations unless the application layer has
   specifically requested to allow anonymous key exchange.  (Anonymous
   key exchange may sometimes be acceptable, for example, to support
   opportunistic encryption when no set-up for authentication is in
   place, or when TLS is used as part of more complex security protocols
   that have other means to ensure authentication.)

    CipherSuite TLS_DH_anon_WITH_RC4_128_MD5           = { 0x00, 0x18 };
    CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA           = { 0x00, 0x1A };
    CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA      = { 0x00, 0x1B };
    CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA       = { 0x00, 0x34 };
    CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA       = { 0x00, 0x3A };

   Note that using non-anonymous key exchange without actually verifying
   the key exchange is essentially equivalent to anonymous key exchange,
   and the same precautions apply.  While non-anonymous key exchange
   will generally involve a higher computational and communicational
   cost than anonymous key exchange, it may be in the interest of
   interoperability not to disable non-anonymous key exchange when the
   application layer is allowing anonymous key exchange.

Bodo

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email