[TLS] Two notes on TLS 1.2 after implementing it in GnuTLS
Simon Josefsson <simon@josefsson.org> Tue, 28 November 2006 20:35 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gp9fS-0002YP-JJ; Tue, 28 Nov 2006 15:35:02 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gp9fS-0002YJ-67 for tls@lists.ietf.org; Tue, 28 Nov 2006 15:35:02 -0500
Received: from 178.230.13.217.in-addr.dgcsystems.net ([217.13.230.178] helo=yxa.extundo.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gp9fN-0001SF-Ks for tls@lists.ietf.org; Tue, 28 Nov 2006 15:35:02 -0500
Received: from localhost.localdomain (yxa.extundo.com [217.13.230.178]) (authenticated bits=0) by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id kASKYSFA030665 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <tls@lists.ietf.org>; Tue, 28 Nov 2006 21:34:29 +0100
Resent-To: tls@lists.ietf.org
Resent-From: Simon Josefsson <simon@josefsson.org>
Resent-Date: Tue, 28 Nov 2006 21:34:28 +0100
Resent-Message-ID: <87bqmrmht7.fsf@latte.josefsson.org>
X-Hashcash: 1:22:061126:tls@lists.ietf.org::985X3Ic3h9+Ps4qz:3++p
From: Simon Josefsson <simon@josefsson.org>
To: tls@lists.ietf.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Sun, 26 Nov 2006 12:37:59 +0100
Message-ID: <87hcwmtp48.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.91 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Status: No, score=-2.2 required=4.0 tests=AWL,BAYES_00, FORGED_RCVD_HELO autolearn=unavailable version=3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on yxa-iv
X-Virus-Scanned: ClamAV version 0.88.2, clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
X-Spam-Score: 0.6 (/)
X-Scan-Signature: 1676547e4f33b5e63227e9c02bd359e3
Subject: [TLS] Two notes on TLS 1.2 after implementing it in GnuTLS
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Sender: tls-bounces@lists.ietf.org
Errors-To: tls-bounces@lists.ietf.org
Resent-Date: Tue, 28 Nov 2006 15:35:02 -0500
Hello. I have implemented TLS 1.2 in GnuTLS following draft-ietf-tls-rfc4346-bis-02.txt. I was able to connect successfully to https://www.mikestoolbox.net:4433/ (thanks Mike!) so I believe my implementation is ready enough that I can write down some of my thoughts on the draft. 1. It would have reduced implementation time if there were a list of protocol syntax changes. For example, it took me some debugging to understand that CertificateRequest was modified from (RFC 4346): struct { ClientCertificateType certificate_types<1..2^8-1>; DistinguishedName certificate_authorities<0..2^16-1>; } CertificateRequest; into struct { ClientCertificateType certificate_types<1..2^8-1>; HashType certificate_hash<1..2^8-1>; DistinguishedName certificate_authorities<0..2^16-1>; } CertificateRequest; In general I recommend to add new fields to the end of a structure instead of in the middle of it. It makes version-aware parsers cleaner. 2. The modification to change RSA signing was to change: In RSA signing, a 36-byte structure of two hashes (one SHA and one MD5) is signed (encrypted with the private key). It is encoded with PKCS #1 block type 1, as described in [PKCS1A]. into: In RSA signing, the output of the chosen hash function is encoded as a PKCS #1 DigestInfo and then signed using block type 01 as described in Section 8.1 as described in [PKCS1A]. This could be improved with some helpful discussion to guide implementers. PKCS1A is under-specified and even incorrect here. Is there a reason we don't reference PKCS1B here? DigestInfo mis-handling was the cause of the recent bugs that affected OpenSSL, Mozilla NSS, GnuTLS and several proprietary TLS libraries for X.509 signature validations. It would be unfortunate if TLS 1.2 introduce the same problem into TLS itself. The problems with PKCS1A are: 1) It uses BER encoding, when PKCS1B correctly changed this to DER. 2) It doesn't specify whether the parameters field should be NULL or omitted for non-MD2/MD4/MD5 algorithms. I don't think there is any controversy around 1). DER should be used. Whether to use a DigestInfo.AlgorithmIdentifier.parameters field that is NULL or omitted seems somewhat problematic. PKCS1A says regarding MD2/MD4/MD5: For these object identifiers, the parameters field of the digestAlgorithm value should be NULL. It doesn't say anything about other hashes. PKCS1B says: The parameters field associated with id-sha1, id-sha256, id-sha384, and id-sha512 should be omitted, but if present, shall have a value of type NULL. However the example in PKCS1B uses NULL: SHA-1: (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H. Further, appendix H of PKCS1B contains additional discussions: * The requirement that the parameters in an AlgorithmIdentifier value for id-sha1, id-sha256, id-sha384, and id-sha512 be NULL was changed to a recommendation that the parameters be omitted (while still allowing the parameters to be NULL). This is to align with the definitions originally promulgated by NIST. Implementations MUST accept AlgorithmIdentifier values both without parameters and with NULL parameters. I note that Mike's server required a NULL here. I initially didn't send one, my ASN.1 library computed a DER encoding with an omitted parameters field. For reference, that DER code is: SHA-1: 30 1f 30 07 06 05 2b 0e 03 02 1a 04 14 || H Mike's server didn't accept this. This will leads to interoperability problems with TLS 1.2 unless the specification is more explicit about the problem. I suggest adding after this paragraph: In RSA signing, the output of the chosen hash function is encoded as a PKCS #1 DigestInfo and then signed using block type 01 as described in Section 8.1 as described in [PKCS1A]. This new paragraph: As discussed in [PKCS1B], the DigestInfo MUST be DER encoded and for digest algorithms without parameters (which include SHA-1) the DigestInfo.AlgorithmIdentifier.parameters field SHOULD be omitted but implementations MUST accept both without parameters and with NULL parameters. Other text instead would be fine, but I strongly believe that this problem should be mentioned explicitly because we have seen that it has serious failure modes (false positives in RSA signature verification). For the record, I wouldn't have any problem with saying that the parameters field MUST be omitted -- the fewer choices the better. However, that would be a taking things a bit further than PKCS1B. Thanks, Simon _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- Re: [TLS] Re: Two notes on TLS 1.2 after implemen… Peter Gutmann
- [TLS] Two notes on TLS 1.2 after implementing it … Simon Josefsson
- Re: [TLS] Two notes on TLS 1.2 after implementing… Mike
- [TLS] Re: Two notes on TLS 1.2 after implementing… Simon Josefsson
- RE: [TLS] Two notes on TLS 1.2 after implementing… Pasi.Eronen
- Re: [TLS] Two notes on TLS 1.2 after implementing… Mike
- Re: [TLS] Two notes on TLS 1.2 after implementing… Peter Gutmann
- RE: [TLS] Re: Two notes on TLS 1.2 after implemen… Pasi.Eronen
- [TLS] Re: Two notes on TLS 1.2 after implementing… Simon Josefsson
- Re: [TLS] Re: Two notes on TLS 1.2 after implemen… Kyle Hamilton
- RE: [TLS] Re: Two notes on TLS 1.2 after implemen… Pasi.Eronen
- RE: [TLS] Re: Two notes on TLS 1.2 after implemen… Simon Josefsson
- RE: [TLS] Re: Two notes on TLS 1.2 after implemen… Russ Housley
- Re: [TLS] Re: Two notes on TLS 1.2 after implemen… Dr Stephen Henson
- RE: [TLS] Re: Two notes on TLS 1.2 after implemen… Pasi.Eronen
- Re: [TLS] Re: Two notes on TLS 1.2 after implemen… Mike
- RE: [TLS] Re: Two notes on TLS 1.2 after implemen… Peter Gutmann
- RE: [TLS] Re: Two notes on TLS 1.2 after implemen… Peter Williams
- RE: [TLS] Re: Two notes on TLS 1.2 after implemen… Peter Gutmann
- RE: [TLS] Re: Two notes on TLS 1.2 after implemen… Peter Williams