Kyle Hamilton wrote:
On 5/17/05, Nelson Bolyard <[EMAIL PROTECTED]> wrote:

There are still a couple of countries where the usage of encryption is
outlawed.

True. Today they don't use SSL, or they use it illegally, not because SSL/TLS cannot do unencrypted operations, but because practically no https servers want unencrypted operation.

There is still value in the keyed HMAC, to show that the data has not been tampered with in-transit. (I seem to recall a paper
by Rivest where he suggested that in these circumstances, secrecy
could be attained by sending a bunch of plaintext data with invalid
HMACs, most of it completely bogus, but the real data being able to be
determined by the remote side due to the validity of the HMAC.)


There are three separate services/assertions offered by SSL:

1) Identification of the parties involved, through the use of
certificates and checking their validity.  (Public-key cryptography
involved.)

The use of public key crypto is also the means by which the client and server obtain their shared secrets that are used for the next two assurances. The next two assurances depend on this one. This one cannot be NULL. It is not optional.

2) Secrecy of data transmitted, through the use of shared keys and
bulk ciphers (RC4, RC2, Blowfish, Twofish, AES, etc.)

The SSL/TLS specifications don't include Blowfish or Twofish.

3) Authenticity of data transmitted, through the use of keyed HMACs. (MD5, SHA-1, SHA-256, SHA-512, etc.)

The SSL/TLS specifications don't include SHA-256, SHA-512, etc.

The values of each of these are up to the implementor and the user.

But the first and the last are not optional in SSL/TLS. Only the encryption of data is optional, and that is precisely for the reason you first cited: some countries make it illegal.

Would it be possible (i.e. what would the side effects be) to enable the
null cyphers in our SSL implementation, assuming that we made it so that
using them didn't invoke the lock?

Try it and see. mozilla 1.7.x provides UI to enable the null ciphers. With FF, I think you can use about:config to enable
security.ssl3.rsa_null_md5
security.ssl3.rsa_null_sha

Is it possible to enable NULL-NULL-MD5 and NULL-NULL-SHA? Ephemeral DH might be of interest here, to agree on a key for the HMAC.

No. The first of those 3 is the public key method (or methods) used. There needs to be a method for "key exchange", or else the two parties have no way to obtain shared secret keys.

MD5 has been declared 'insecure', and SHA-1 has been declared
'potentially insecure'.  The US's FIPS standards are now phasing out
SHA-1, and are suggesting that SHA-256 or more
computationally-expensive hashing algorithms be used from here on out.

SSL and TLS specifications include only MD5 and SHA1.

Since there's no server implementation out there that I'm aware of
which allows unauthenticated SSL, the best bets for this are
RSA-NULL-MD5, RSA-NULL-SHA, DH-NULL-MD5, and DH-NULL-SHA.

Remind me again what I suggested above.

-Kyle

--
Nelson B, developer of mozilla's TLS, member IETF-TLS WG, co-author of IETF Internet Draft on ECC in TLS.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto

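The scheme Kyle recalls in the message above is Rivest's "chaffing and winnowing". As an added example that is not part of the original thread and is not NSS or Mozilla code, the following Python shows it per bit: every position is sent with both bit values, only the real one carries a valid keyed HMAC, and the receiver keeps what verifies. The function names, the 8-byte serial encoding and the choice of HMAC-SHA-256 are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA-256 output size (hash choice is an assumption of this example)

def tag(key: bytes, serial: int, bit: int) -> bytes:
    """Keyed HMAC over (serial, bit); the serial binds each bit to its position."""
    msg = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()

def chaff(key: bytes, message: bytes) -> list:
    """Emit (serial, bit, tag) packets, all in the clear.

    For each bit position: the real bit ("wheat") with a valid tag and the
    complementary bit ("chaff") with a random tag, in random order.
    """
    packets = []
    for serial in range(len(message) * 8):
        bit = (message[serial // 8] >> (7 - serial % 8)) & 1  # MSB first
        pair = [(serial, bit, tag(key, serial, bit)),
                (serial, bit ^ 1, secrets.token_bytes(TAG_LEN))]
        if secrets.randbits(1):
            pair.reverse()  # packet order must not reveal which one is wheat
        packets.extend(pair)
    return packets

def winnow(key: bytes, packets: list, nbytes: int) -> bytes:
    """Keep only packets whose tag verifies and rebuild the message."""
    bits = {}
    for serial, bit, t in packets:
        # Constant-time comparison; chaff and tampered packets are discarded.
        if hmac.compare_digest(t, tag(key, serial, bit)):
            bits[serial] = bit
    if len(bits) != nbytes * 8:
        # A modified or dropped wheat packet leaves a hole: integrity failure.
        raise ValueError("missing or tampered wheat packet")
    out = bytearray(nbytes)
    for serial, bit in bits.items():
        if bit:
            out[serial // 8] |= 0x80 >> (serial % 8)
    return bytes(out)
```

An observer without the HMAC key sees both bit values at every position and cannot tell which tag is valid, which is where the secrecy comes from even though nothing is encrypted.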