Re: [Cryptography] What TLS ciphersuites are still OK?
On 10/09/13 15:58, james hughes wrote:
> On Sep 9, 2013, at 9:10 PM, Tony Arcieri <basc...@gmail.com> wrote:
>> On Mon, Sep 9, 2013 at 9:29 AM, Ben Laurie <b...@links.org> wrote:
>>> And the brief summary is: there's only one ciphersuite left that's good, and unfortunately it's only available in TLS 1.2:
>>>
>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>
>> A lot of people don't like GCM either ;)
>
> Yes, GCM does have implementation sensitivities particularly around the IV generation. That being said, the algorithm is better than most and the implementation sensitivity obvious (don't ever reuse an IV).

I think the difficulty of getting a fast constant time implementation on platforms without AES-NI type hardware support is more of a concern.

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] What TLS ciphersuites are still OK?
On 09/11/2013 12:54 PM, Alan Braggins wrote:
> On 10/09/13 15:58, james hughes wrote:
>> On Sep 9, 2013, at 9:10 PM, Tony Arcieri <basc...@gmail.com> wrote:
>>> On Mon, Sep 9, 2013 at 9:29 AM, Ben Laurie <b...@links.org> wrote:
>>>> And the brief summary is: there's only one ciphersuite left that's good, and unfortunately it's only available in TLS 1.2:
>>>>
>>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>>
>>> A lot of people don't like GCM either ;)
>>
>> Yes, GCM does have implementation sensitivities particularly around the IV generation. That being said, the algorithm is better than most and the implementation sensitivity obvious (don't ever reuse an IV).
>
> I think the difficulty of getting a fast constant time implementation on platforms without AES-NI type hardware support is more of a concern.

Is this any different from plain old AES-CBC?
Re: [Cryptography] What TLS ciphersuites are still OK?
On Sep 9, 2013, at 9:10 PM, Tony Arcieri wrote:
> On Mon, Sep 9, 2013 at 9:29 AM, Ben Laurie wrote:
>> And the brief summary is: there's only one ciphersuite left that's good, and
>> unfortunately it's only available in TLS 1.2:
>>
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> A lot of people don't like GCM either ;)

Yes, GCM does have implementation sensitivities particularly around the IV generation. That being said, the algorithm is better than most and the implementation sensitivity obvious (don't ever reuse an IV).
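The IV-reuse failure mode named in the message above, shown in working code. This is an added example and not code from the thread, from any TLS stack, or from any of the posters; the key, the nonce and the two plaintexts are constructed inline. Because GCM encrypts the body with CTR mode, two messages sealed under the same key and nonce are XORed with the same keystream, so an eavesdropper who XORs the two ciphertexts gets the XOR of the plaintexts, and knowing one plaintext reveals the other, all without the key. (Nonce reuse also leaks the GHASH key and lets an attacker forge tags; that half of the damage is not shown.) The second part is the usual fix: a deterministic nonce made of a fixed field and an invocation counter that refuses to wrap, so a single key can never see the same nonce twice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const gcmTagLen = 16

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// gcmSeal encrypts pt with AES-GCM (no AAD) and returns ciphertext||tag.
func gcmSeal(key, nonce, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, pt, nil), nil
}

// RecoverUnderNonceReuse plays the eavesdropper. Given two ciphertexts sealed
// under the same key and the same nonce, plus the plaintext of the first, it
// returns the plaintext of the second without the key: GCM's body is CTR
// mode, so both messages used the same keystream and ct1 ^ ct2 == pt1 ^ pt2.
func RecoverUnderNonceReuse(ct1, ct2, knownPt1 []byte) []byte {
	n := minInt(len(ct1), len(ct2)) - gcmTagLen // ciphertext bodies only
	n = minInt(n, len(knownPt1))
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = ct1[i] ^ ct2[i] ^ knownPt1[i]
	}
	return out
}

// NonceReuseDemo seals pt1 and pt2 under one key/nonce pair (the mistake)
// and returns what the eavesdropper recovers of pt2.
func NonceReuseDemo(key, nonce, pt1, pt2 []byte) ([]byte, error) {
	ct1, err := gcmSeal(key, nonce, pt1)
	if err != nil {
		return nil, err
	}
	ct2, err := gcmSeal(key, nonce, pt2)
	if err != nil {
		return nil, err
	}
	return RecoverUnderNonceReuse(ct1, ct2, pt1), nil
}

// CounterNonce builds 96-bit nonces as fixed(32) || invocation counter(64),
// the deterministic construction of NIST SP 800-38D section 8.2.1. It never
// wraps: once limit seals are spent the key must be rotated, so no nonce can
// repeat under one key.
type CounterNonce struct {
	fixed   uint32
	counter uint64
	limit   uint64
}

func NewCounterNonce(fixed uint32, limit uint64) *CounterNonce {
	return &CounterNonce{fixed: fixed, limit: limit}
}

func (c *CounterNonce) Next() ([]byte, error) {
	if c.counter >= c.limit {
		return nil, errors.New("nonce space exhausted: rotate the key")
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], c.fixed)
	binary.BigEndian.PutUint64(nonce[4:], c.counter)
	c.counter++
	return nonce, nil
}

// SealWithCounter seals pt under a fresh nonce and returns nonce||ct||tag so
// the receiver can open it; it fails closed when the nonce space is spent.
func SealWithCounter(key []byte, cn *CounterNonce, pt []byte) ([]byte, error) {
	nonce, err := cn.Next()
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(key, nonce, pt)
	if err != nil {
		return nil, err
	}
	return append(nonce, ct...), nil
}

func main() {
	key := make([]byte, 16) // AES-128, as in TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	nonce := []byte("fixed-nonce!") // 12 bytes, reused on purpose (constructed)
	pt1, pt2 := []byte("attack at dawn!!"), []byte("retreat at dusk!")
	got, err := NonceReuseDemo(key, nonce, pt1, pt2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered without the key: %q\n", got)
	cn := NewCounterNonce(1, 2) // two seals allowed, the third is refused
	for i := 0; i < 3; i++ {
		if _, err := SealWithCounter(key, cn, pt1); err != nil {
			fmt.Println("seal refused:", err)
		}
	}
}
```

The recovery needs no cryptanalysis at all, which is why the sensitivity is "obvious" in the sense the post uses: it is an integrity and confidentiality break that follows from a bookkeeping error. TLS 1.2 GCM suites build the nonce from a fixed salt plus an explicit 64-bit per-record field, and any sender-side nonce construction has to guarantee uniqueness for the life of the key; a random 96-bit nonce is only acceptable with a strict cap on the number of invocations, while the counter form above gives uniqueness by construction.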
Re: [Cryptography] What TLS ciphersuites are still OK?
On 10/09/13 14:03, Ben Laurie wrote:
> On 10 September 2013 03:59, james hughes <hugh...@mac.com> wrote:
>> [...]
>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>
>> I retract my previous "+1" for this ciphersuite. This is hard coded 1024-bit DHE and 1024-bit RSA.
>
> It is not hard coded to 1024 bit RSA. I have seen claims that some platforms hard code DHE to 1024 bits, but I have not investigated these claims. If true, something should probably be done.

Yes - hard code them all to 1024-bit. Then dump TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 in the bin where it belongs.

Then replace it with a suite such as TLS_DHE2048_WITH_RSA2048_WITH_AES_128_GCM_SHA256.

Would a non-cryptographer know what TLS_DHE2048_WITH_RSA2048_WITH_AES_128_GCM_SHA256 meant? No. So for heaven's sake call it Ben's_suite or something, with a nice logo or icon, not TLS_DHE2048_WITH_RSA2048_WITH_AES_128_GCM_SHA256. They won't know what Ben's_suite means either, but they may trust you (or perhaps not, if you are still Working for Google ...)

The problem with TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 is that you don't know what you are getting.

[ The other problem is of course that the main browsers don't make it easy to find out which suite is actually in use ... :( ]

Hmmm, can a certificate have several keylengths to choose from? And, if the suite allows it, can a certificate have an RSA key for authentication and a different RSA key for session key setup (cf RIPA)?

-- Peter Fairbrother
Re: [Cryptography] What TLS ciphersuites are still OK?
On 10 September 2013 03:59, james hughes wrote:
> On Sep 9, 2013, at 2:49 PM, Stephen Farrell wrote:
>> On 09/09/2013 05:29 PM, Ben Laurie wrote:
>>> Perry asked me to summarise the status of TLS a while back ... luckily I don't have to because someone else has:
>>>
>>> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>>>
>>> In short, I agree with that draft. And the brief summary is: there's only one ciphersuite left that's good, and unfortunately it's only available in TLS 1.2:
>>>
>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> I retract my previous "+1" for this ciphersuite. This is hard coded 1024-bit DHE and 1024-bit RSA.

It is not hard coded to 1024 bit RSA. I have seen claims that some platforms hard code DHE to 1024 bits, but I have not investigated these claims. If true, something should probably be done.
Re: [Cryptography] What TLS ciphersuites are still OK?
On Mon, Sep 9, 2013 at 9:29 AM, Ben Laurie wrote:
> And the brief summary is: there's only one ciphersuite left that's good,
> and unfortunately it's only available in TLS 1.2:
>
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

A lot of people don't like GCM either ;) So we're screwed!

Well, aside from maybe this draft supporting Salsa20:

http://tools.ietf.org/html/draft-josefsson-salsa20-tls-02

-- 
Tony Arcieri
Re: [Cryptography] What TLS ciphersuites are still OK?
Hi Hanno,

Please send any comments on this draft to the TLS Working Group mailing list, t...@ietf.org.

Thanks,
Yaron

On 09/10/2013 12:14 AM, Hanno Böck wrote:
> On Mon, 9 Sep 2013 17:29:24 +0100 Ben Laurie wrote:
>> Perry asked me to summarise the status of TLS a while back ... luckily I don't have to because someone else has:
>>
>> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>>
>> In short, I agree with that draft. And the brief summary is: there's only one ciphersuite left that's good, and unfortunately it's only available in TLS 1.2:
>>
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> I don't really see from the document why the authors discourage ECDHE-suites and AES-256. Both should be okay and we end up with four suites:
>
> [...]
Re: [Cryptography] What TLS ciphersuites are still OK?
On 09/10/2013 02:01 PM, Ben Laurie wrote:
>> Claiming that all the rest are no good also seems overblown, if
>> that's what you meant.
>
> Other than minor variations on the above, all the other ciphersuites have
> problems - known attacks, unreviewed ciphers, etc.

There are issues, sure. And way too many ciphersuites certainly.

> If you think there are other ciphersuites that can be recommended -
> particularly ones that are available on versions of TLS other than 1.2,
> then please do name them.

Since they're talking about it now on the TLS wg list, I'll leave that to them (and to folks who're qualified to figure if the NIST, brainpool etc curves are ok, which doesn't include me :-)

What I was pointing out is that there's a bit of a gap between "no good" and "not what we'd recommend today." Since getting rid of deployment of old stuff takes years, I think it's better that we don't overstate the issues that do exist.

But I very much welcome Yaron's draft and hope it shoots along quickly.

S.
Re: [Cryptography] What TLS ciphersuites are still OK?
On 9 September 2013 22:49, Stephen Farrell wrote:
> Hi Ben,
>
> On 09/09/2013 05:29 PM, Ben Laurie wrote:
>> Perry asked me to summarise the status of TLS a while back ... luckily I
>> don't have to because someone else has:
>>
>> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>>
>> In short, I agree with that draft. And the brief summary is: there's only
>> one ciphersuite left that's good, and unfortunately it's only available in
>> TLS 1.2:
>>
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> I don't agree the draft says that at all. It recommends using
> the above ciphersuite. (Which seems like a good recommendation
> to me.) It does not say anything much, good or bad, about any
> other ciphersuite.
>
> Claiming that all the rest are no good also seems overblown, if
> that's what you meant.

Other than minor variations on the above, all the other ciphersuites have problems - known attacks, unreviewed ciphers, etc.

If you think there are other ciphersuites that can be recommended - particularly ones that are available on versions of TLS other than 1.2, then please do name them.
Re: [Cryptography] What TLS ciphersuites are still OK?
On Sep 9, 2013, at 2:49 PM, Stephen Farrell wrote:
> On 09/09/2013 05:29 PM, Ben Laurie wrote:
>> Perry asked me to summarise the status of TLS a while back ... luckily I
>> don't have to because someone else has:
>>
>> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>>
>> In short, I agree with that draft. And the brief summary is: there's only
>> one ciphersuite left that's good, and unfortunately it's only available in
>> TLS 1.2:
>>
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> I don't agree the draft says that at all. It recommends using
> the above ciphersuite. (Which seems like a good recommendation
> to me.) It does not say anything much, good or bad, about any
> other ciphersuite.
>
> Claiming that all the rest are no good also seems overblown, if
> that's what you meant.

I retract my previous "+1" for this ciphersuite. This is hard coded 1024-bit DHE and 1024-bit RSA.

From http://en.wikipedia.org/wiki/Key_size
>> As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in
>> strength to 80-bit symmetric keys

80 bit strength. Hard coded key sizes. Nice. AES 128 with a key exchange of 80 bits. What's a factor of 2^48 among friends….

additionally, as predicted in 2003…
>> 1024-bit keys are likely to become crackable some time between 2006 and 2010
>> and that
>> 2048-bit keys are sufficient until 2030.
>> 3072 bits should be used if security is required beyond 2030

They were off by 3 years. What now?
Re: [Cryptography] What TLS ciphersuites are still OK?
On 2013-09-09 at 23:14 +0200, Hanno Böck wrote:
> Also, DHE should only be considered secure with a large enough modulus
> (>=2048 bit). Apache hard-fixes this to 1024 bit and it's not
> configurable. So there even can be made an argument that ECDHE is more
> secure - it doesn't have a widely deployed webserver using it in an
> insecure way.

Bear in mind that TLS does not include D-H parameter size negotiation and various deployed clients and servers have under-documented fixed lower and upper bounds on the sizes. When those bounds are breached, what tends to happen is that TLS negotiation fails. At that point, the common approaches seen today are to throw up an error message (site down) or fallback to cleartext, *not* to disable the D-H suites and try TLS again.

When I recoded Exim's GnuTLS integration, I originally made the D-H parameter generation just ask GnuTLS what sizes I should feed it for "NORMAL", in an attempt to get Exim out of the policy business and to trust the crypto libraries. I discovered the hard way that this value was higher than the upper-bound of the NSS crypto library, so that change made Thunderbird unable to talk to those release candidates of Exim. I had to write new security-parameter handling code during the RC series to work around this interoperability issue. The NSS upper limit was 2236 bits.

Meanwhile, I discovered in the past week or so that prior to Exim 4.80 (when I redid the integration), Debian were patching the Exim code so that on Debian Exim installs the configured minimum acceptable size of D-H parameters was 2048 bits. Most sites were probably configuring 1024, or using Debian, so we had a source of real-world TLS breakage in mail-systems.

Fortunately, that affects TLS-as-a-client from an MTA, where there's no trustworthy concept of remote identity yet (but DANE is changing that) so no host identity to verify, so the TLS between mail-servers that haven't configured stronger policy out-of-band is only protection against passive sniffing, at best.

If folks are going to seriously start looking at how TLS can be improved in ways which make it less likely for systems to fail catastrophically, then *some* kind of D-H size limit negotiation, with clients able to decide to avoid D-H (if that's otherwise acceptable to policy) is pretty much required if the parameter sizes are ever to be changed to more useful values in real-world deployments.

Apache are being conservative, but not without reason.

-Phil
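A client-side version of the size check Phil describes, as an added example; it is not Exim, GnuTLS or NSS code and not from the thread. It parses the ServerDHParams structure of RFC 5246 section 7.4.3 out of a DHE ServerKeyExchange body, measures the modulus, and applies a fixed window of the kind he describes: a 2048-bit floor (the figure Hanno gives earlier in the thread) and, purely to reproduce the interoperability failure, the 2236-bit ceiling he reports for NSS. The messages are constructed inline around a synthetic modulus that is not a real group, and the signature that follows the parameters is not verified. The point it makes in code is the one in the text: there is nothing to negotiate, so a modulus outside the window can only abort the handshake.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// ServerDHParams mirrors RFC 5246 section 7.4.3: three opaque<1..2^16-1>
// vectors dh_p, dh_g and dh_Ys that precede the signature in a DHE
// ServerKeyExchange body.
type ServerDHParams struct {
	P, G, Ys *big.Int
}

// readVector pulls one uint16-length-prefixed vector off the front of b.
func readVector(b []byte) (body, rest []byte, err error) {
	if len(b) < 2 {
		return nil, nil, errors.New("truncated vector length")
	}
	n := int(binary.BigEndian.Uint16(b))
	if n == 0 || len(b) < 2+n {
		return nil, nil, errors.New("bad vector length")
	}
	return b[2 : 2+n], b[2+n:], nil
}

// ParseServerDHParams decodes the ServerDHParams prefix and returns it
// together with the bytes that follow (the signature, not verified here).
func ParseServerDHParams(b []byte) (*ServerDHParams, []byte, error) {
	var vals [3]*big.Int
	rest := b
	for i := range vals {
		body, r, err := readVector(rest)
		if err != nil {
			return nil, nil, fmt.Errorf("ServerDHParams field %d: %v", i, err)
		}
		vals[i] = new(big.Int).SetBytes(body)
		rest = r
	}
	return &ServerDHParams{P: vals[0], G: vals[1], Ys: vals[2]}, rest, nil
}

// DHPolicy is the client's acceptable window for the modulus size. TLS does
// not negotiate group size, so once p is seen the client can only continue
// or abort the handshake.
type DHPolicy struct {
	MinBits, MaxBits int // MaxBits == 0 means no upper bound
}

// Check returns the modulus size in bits and an error if it falls outside
// the window. big.Int ignores leading zero bytes, so the size is that of the
// prime itself, not of its wire encoding.
func (pol DHPolicy) Check(p *ServerDHParams) (int, error) {
	bits := p.P.BitLen()
	switch {
	case bits < pol.MinBits:
		return bits, fmt.Errorf("dh modulus is %d bits, below minimum %d", bits, pol.MinBits)
	case pol.MaxBits > 0 && bits > pol.MaxBits:
		return bits, fmt.Errorf("dh modulus is %d bits, above maximum %d", bits, pol.MaxBits)
	}
	return bits, nil
}

// encodeServerDHParams is the parser's inverse, used only to build the
// constructed messages below.
func encodeServerDHParams(p, g, ys *big.Int) []byte {
	var out []byte
	for _, v := range []*big.Int{p, g, ys} {
		b := v.Bytes()
		out = append(out, byte(len(b)>>8), byte(len(b)))
		out = append(out, b...)
	}
	return out
}

// syntheticModulus returns an odd number of exactly the given bit length. It
// is not a safe prime and must never be used as a real group; it only gives
// the size check something to measure.
func syntheticModulus(bits int) *big.Int {
	p := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return p.Or(p, big.NewInt(1))
}

// constructedServerKeyExchange builds a DHE ServerKeyExchange body with a
// synthetic modulus, g = 2, Ys = p >> 1 and two placeholder bytes where the
// signature would be. Constructed test input, not a captured message.
func constructedServerKeyExchange(bits int) []byte {
	p := syntheticModulus(bits)
	msg := encodeServerDHParams(p, big.NewInt(2), new(big.Int).Rsh(p, 1))
	return append(msg, 0xde, 0xad)
}

func main() {
	// 2048-bit floor from the thread; the 2236-bit ceiling reproduces the
	// NSS upper bound Phil reports (a constructed policy, not NSS code).
	pol := DHPolicy{MinBits: 2048, MaxBits: 2236}
	for _, bits := range []int{1024, 2048, 4096} {
		params, _, err := ParseServerDHParams(constructedServerKeyExchange(bits))
		if err != nil {
			panic(err)
		}
		n, err := pol.Check(params)
		fmt.Printf("%4d-bit p: err=%v\n", n, err)
	}
}
```

Run as written, the 1024-bit message is rejected for being too small and the 4096-bit one for exceeding the ceiling, while only 2048 passes; that is the "site down" outcome Phil describes, and the only alternative a client has without a size negotiation is to drop the DHE suites from its ClientHello and reconnect. A real client would additionally verify the signature over the parameters and check that Ys lies in (1, p-1) before using it.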
Re: [Cryptography] What TLS ciphersuites are still OK?
Hi Ben,

On 09/09/2013 05:29 PM, Ben Laurie wrote:
> Perry asked me to summarise the status of TLS a while back ... luckily I
> don't have to because someone else has:
>
> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>
> In short, I agree with that draft. And the brief summary is: there's only
> one ciphersuite left that's good, and unfortunately it's only available in
> TLS 1.2:
>
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

I don't agree the draft says that at all. It recommends using the above ciphersuite. (Which seems like a good recommendation to me.) It does not say anything much, good or bad, about any other ciphersuite.

Claiming that all the rest are no good also seems overblown, if that's what you meant.

S.
Re: [Cryptography] What TLS ciphersuites are still OK?
On Sep 9, 2013, at 9:29 AM, Ben Laurie wrote:
> Perry asked me to summarise the status of TLS a while back ... luckily I
> don't have to because someone else has:
>
> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>
> In short, I agree with that draft. And the brief summary is: there's only one
> ciphersuite left that's good, and unfortunately it's only available in TLS 1.2:
>
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

+1

I have read the document and it does not mention key lengths. I would suggest that 2048 bit is large enough for the next ~5? years or so. 2048 bit for both D-H and RSA.

How are the key lengths specified?
Re: [Cryptography] What TLS ciphersuites are still OK?
On Mon, 9 Sep 2013 17:29:24 +0100 Ben Laurie wrote:
> Perry asked me to summarise the status of TLS a while back ...
> luckily I don't have to because someone else has:
>
> http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>
> In short, I agree with that draft. And the brief summary is: there's
> only one ciphersuite left that's good, and unfortunately it's only
> available in TLS 1.2:
>
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

I don't really see from the document why the authors discourage ECDHE-suites and AES-256. Both should be okay and we end up with four suites:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Also, DHE should only be considered secure with a large enough modulus (>=2048 bit). Apache hard-fixes this to 1024 bit and it's not configurable. So there even can be made an argument that ECDHE is more secure - it doesn't have a widely deployed webserver using it in an insecure way.

cu,
-- 
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
[Cryptography] What TLS ciphersuites are still OK?
Perry asked me to summarise the status of TLS a while back ... luckily I don't have to because someone else has:

http://tools.ietf.org/html/draft-sheffer-tls-bcp-00

In short, I agree with that draft. And the brief summary is: there's only one ciphersuite left that's good, and unfortunately it's only available in TLS 1.2:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256