On Tue, Jun 19, 2018 at 03:17:26PM +0000, Ben Personick wrote:
> Hi Rich,
>   Yes, I meant ECDHE_ECDSA and ECDHE_RSA are both supported in TLS 1.3, I'd 
> been led to believe that all RSA based ciphers were not supported.
> 
>  Having seen some further responses, it appears it is only the NON ECDHE RSA 
> based ciphers which are having support dropped in TLS 1.3.
> 
>   I.e. all non-Elliptic Curve Diffie-Hellman ciphers (e.g. AES-256 w/o DH, with 
> DH or EDH/DHE, but not ECDHE_RSA).
> 
>   And yeah, it’s been my experience everywhere, but I was pretty pumped up to 
> have a better reason to push to start implementing ECDHE_ECDSA Ciphers in 
> addition to our existing Ciphers.

I made a list of all supported cryptographic algorithms in base
TLS 1.3:

- Algorithms marked with [W] are widely supported.
- If preshared keys are used, no signatures are used (lightens load at
  cost of poor scalability).
- If preshared keys are used, those may be combined with asymmetric key
  exchange (or may be used alone, giving very light but poorly scalable
  key exchange).
- There are no protocol-level constraints on mixing and matching
  algorithms of different kinds (except symmetric cipher and handshake
  hash). The server might tweak relative preferences to try to avoid wide
  mismatches in strength, but MUST enable the full cartesian product.
- Most work in TLS 1.2 too, if supported:
  - The negotiation for classical Diffie-Hellman is broken in TLS 1.2,
    leading many clients to just disable classical Diffie-Hellman
    (1.3 fixes this issue).
  - Classical Diffie-Hellman can only be combined with RSA signatures
    (others can be combined with all signature types).

Asymmetric key exchanges:

- Elliptic-curve Diffie-Hellman using NIST P-256 curve[W]
- Elliptic-curve Diffie-Hellman ECDH using NIST P-384 curve[W]
- X25519 key exchange (a.k.a. Curve25519)[W]
- Elliptic-curve Diffie-Hellman ECDH using NIST P-521 curve
- X448 key exchange
- Diffie-Hellman with p=Pe(2048, 560316)
- Diffie-Hellman with p=Pe(3072, 2625351)
- Diffie-Hellman with p=Pe(4096, 5736041)
- Diffie-Hellman with p=Pe(6144, 15705020)
- Diffie-Hellman with p=Pe(8192, 10965728)

Where: Pe(n,x) = 2^n - 2^(n-64) + {[2^(n-130)*e] + x}*2^64 - 1 (an n-bit
prime; [ ] denotes the integer part, e is Euler's number)
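The five primes above can be rebuilt from the Pe(n,x) formula and checked, which is a useful way to confirm that a server's configured finite-field group is one of these standard groups (the ffdhe groups of RFC 7919) rather than an unvetted custom one. The following is an added example, not code from Ilari's message or from any TLS implementation; it assumes Python's `decimal` module for the high-precision value of e and a Miller-Rabin test for primality.

```python
"""Rebuild and sanity-check the TLS 1.3 finite-field DH primes from
Pe(n, x) = 2^n - 2^(n-64) + (floor(2^(n-130) * e) + x) * 2^64 - 1."""
from decimal import Decimal, getcontext
import random

# (n, x) pairs exactly as listed in the message above (RFC 7919 ffdhe groups).
FFDHE_PARAMS = {2048: 560316, 3072: 2625351, 4096: 5736041,
                6144: 15705020, 8192: 10965728}


def floor_pow2_times_e(k):
    """floor(2^k * e), with enough decimal digits that rounding cannot
    disturb the integer part (k//3 digits exceed k*log10(2))."""
    getcontext().prec = k // 3 + 50
    return int(Decimal(2 ** k) * Decimal(1).exp())


def pe(n, x):
    """The Pe(n, x) prime as defined in the message."""
    return (1 << n) - (1 << (n - 64)) + ((floor_pow2_times_e(n - 130) + x) << 64) - 1


def is_probable_prime(p, rounds=8, rng=random.Random(7919)):
    """Miller-Rabin with a fixed seed so the demonstration is reproducible."""
    if p < 2 or p % 2 == 0:
        return p == 2
    d, r = p - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        y = pow(rng.randrange(2, p - 1), d, p)
        if y in (1, p - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, p)
            if y == p - 1:
                break
        else:
            return False
    return True


def check_group(n, rounds=8):
    """Structural checks plus primality of p and of q = (p-1)/2 (safe prime)."""
    p = pe(n, FFDHE_PARAMS[n])
    ones64 = (1 << 64) - 1
    return {"bits": p.bit_length(),
            "top64_all_ones": (p >> (n - 64)) == ones64,   # 2^n - 2^(n-64) part
            "low64_all_ones": (p & ones64) == ones64,      # the trailing "- 1"
            "p_prime": is_probable_prime(p, rounds),
            "safe_prime": is_probable_prime((p - 1) // 2, rounds),
            "hex_prefix": format(p, "x")[:48]}
```

For the 2048-bit group the hex prefix returned is `ffffffffffffffffadf85458a2bb4a9aafdc5620273d3cf1`, which can be compared directly against the group a server presents; the larger groups take proportionally longer to test because of the bigger modular exponentiations.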

Signature algorithms:

- RSA-PSS using SHA-256 (using generic RSA or RSA-PSS keys)[W]
- RSA-PSS using SHA-384 (using generic RSA or RSA-PSS keys)[W]
- RSA-PSS using SHA-512 (using generic RSA or RSA-PSS keys)[W]
- ECDSA using NIST P-256 curve and SHA-256[W]
- ECDSA using NIST P-384 curve and SHA-384[W]
- ECDSA using NIST P-521 curve and SHA-512[W]
- RSA PKCS#1v1.5 using SHA-256 (certificate signing only)[W]
- RSA PKCS#1v1.5 using SHA-384 (certificate signing only)[W]
- RSA PKCS#1v1.5 using SHA-512 (certificate signing only)[W]
- Ed25519
- Ed448

Symmetric algorithms:

- 128-bit AES in GCM mode with SHA-256 handshake hash.[W]
- 256-bit AES in GCM mode with SHA-384 handshake hash.[W]
- 256-bit Chacha20 and Poly1305 with SHA-256 handshake hash.[W]
- 128-bit AES in CCM mode with SHA-256 handshake hash.
- 128-bit AES in CCM(64-bit tag) mode with SHA-256 handshake hash.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls