Hi Yaron, Ralph, Peter, and uta folks,
I have the following comments on draft-ietf-uta-tls-bcp-01 in terms of
alternative algorithms.
I believe that the I-D should add recommended cipher suites with
alternative algorithms, because it takes a lot of time to migrate from an
insecure primitive to a secure one when we depend on a single
primitive and a vulnerability in that primitive is found.
So the I-D should include alternative algorithms
- with a different design policy from the algorithms which your I-D recommends
- which are widely implemented
- which are internationally standardized
I recommend the following alternative cryptographic primitives.
                     | recommended primitives | alternative primitives
---------------------+------------------------+-----------------------
Key Exchange         | ECDHE                  | (DHE)*1
Signature            | RSA                    | ECDSA
Symmetric cipher     | AES                    | Camellia
Modes of operation*2 | GCM                    | -
MAC                  | HMAC-SHA-2             | -
Elliptic Curve       | Brainpool              | (NIST-curve)*1
---------------------+------------------------+-----------------------
*1 DHE and the NIST curves are already recommended.
*2 This row shows the modes of operation for constructing AEAD.
[Rationale]
Signature: ECDSA vs DSS
I think that ECDSA and DSS are candidates for the alternative algorithm.
ECDSA and DSS are widely implemented.
However, DSS is based on mathematical tools similar to those of RSA.
On the other hand, ECDSA is based on elliptic curves.
Furthermore, certificates signed with DSS are rare, while
certificates signed with ECDSA are increasing.
So I propose ECDSA as the alternative algorithm for signatures.
Symmetric cipher: Camellia vs SEED
I think that Camellia and SEED are candidates for the alternative
algorithm.
Camellia and SEED have a different design policy from AES and are widely
implemented.
I recommend Camellia because RFC 6367 for Camellia-GCM in TLS has been prepared
and the specification of Camellia is compatible with AES
(key length and block size).
Modes of Operation (AEAD)
CCM and OCB are candidates for alternative modes.
However, these modes have not been widely implemented yet.
Hence, there is currently no suitable primitive for an alternative mode of
operation.
MAC
There is only HMAC as an alternative algorithm, and
there is HMAC-SHA-3 as a candidate for an alternative hash function.
However, FIPS 202 (SHA-3) is under a call for public comments until August 26, 2014.
Hence, there is currently no suitable primitive for an alternative MAC.
Here, I review the recommended cipher suites of TLS-BCP.
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
I would like to propose adding the following cipher suites.
* ECDHE_ECDSA_AES_128_GCM_SHA-256
* ECDHE_RSA_Camellia_128_GCM_SHA-256
* ECDHE_ECDSA_Camellia_128_GCM_SHA-256
* DHE_ECDSA_AES_128_GCM_SHA-256
* DHE_RSA_Camellia_128_GCM_SHA-256
* DHE_ECDSA_Camellia_128_GCM_SHA-256
Best,
--
Kohei KASAMATSU
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
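The following is an added example, not part of the email or the draft: a small checker that parses TLS cipher-suite names into the categories of the table above and reports which categories still depend on a single primitive, i.e. have no suite using the table's alternative. The suite names and the recommended/alternative pairs are taken from the message; the category names and the regular expression are my own.

```python
import re

# Primitive categories and recommended/alternative pairs from the email's table.
# The Elliptic Curve row cannot be read from a cipher-suite name (curves are
# negotiated separately), so it is left out. The SHA-256/SHA-384 suffix of a
# suite is treated as the table's HMAC-SHA-2 row.
PRIMITIVES = {
    "key_exchange": {"recommended": {"ECDHE"}, "alternative": {"DHE"}},
    "signature":    {"recommended": {"RSA"}, "alternative": {"ECDSA"}},
    "cipher":       {"recommended": {"AES"}, "alternative": {"CAMELLIA"}},
    "mode":         {"recommended": {"GCM"}, "alternative": set()},  # table lists none
    "mac":          {"recommended": {"SHA256", "SHA384"}, "alternative": set()},
}

# Accepts both the RFC spelling (TLS_..._WITH_...) and the short form used in the email.
SUITE_RE = re.compile(
    r"^(?:TLS_)?(?P<kx>ECDHE|DHE)_(?P<sig>RSA|ECDSA)_(?:WITH_)?"
    r"(?P<cipher>AES|CAMELLIA)_(?P<bits>128|256)_(?P<mode>GCM)_(?P<mac>SHA-?256|SHA-?384)$",
    re.IGNORECASE,
)

def parse_suite(name):
    """Split a cipher-suite name into the table's categories (values upper-cased)."""
    m = SUITE_RE.match(name.strip())
    if m is None:
        raise ValueError("unrecognised cipher suite: %r" % name)
    return {
        "key_exchange": m["kx"].upper(),
        "signature": m["sig"].upper(),
        "cipher": m["cipher"].upper(),
        "mode": m["mode"].upper(),
        "mac": m["mac"].upper().replace("-", ""),
    }

def agility_report(suites):
    """Map each category to the set of kinds ('recommended'/'alternative') the list covers."""
    parsed = [parse_suite(s) for s in suites]
    report = {}
    for category, kinds in PRIMITIVES.items():
        covered = set()
        for p in parsed:
            for kind, names in kinds.items():
                if p[category] in names:
                    covered.add(kind)
        report[category] = covered
    return report

def categories_without_alternative(suites):
    """Categories where the list relies on one primitive only (no alternative suite)."""
    return sorted(c for c, k in agility_report(suites).items() if "alternative" not in k)

# The TLS-BCP list and the additions proposed in the email.
BCP_SUITES = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
PROPOSED_ADDITIONS = ["ECDHE_ECDSA_AES_128_GCM_SHA-256", "ECDHE_RSA_Camellia_128_GCM_SHA-256",
                      "ECDHE_ECDSA_Camellia_128_GCM_SHA-256", "DHE_ECDSA_AES_128_GCM_SHA-256",
                      "DHE_RSA_Camellia_128_GCM_SHA-256", "DHE_ECDSA_Camellia_128_GCM_SHA-256"]
```

Run on the BCP list alone, the checker reports that only key exchange has an alternative (DHE, as footnote *1 says); with the proposed additions, signature and cipher gain one, leaving only mode and MAC, for which the table itself lists no alternative.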