[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: question on cipher suites

To: "Kyle Meadors" <kyle@xxxxxxxxxxxxxxxxx>
Subject: Re: question on cipher suites
From: Paul V Ford-Hutchinson <paulfordh@xxxxxxxxxx>
Date: Wed, 22 Jun 2005 00:15:06 +0100
Cc: ietf-ediint@xxxxxxx
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-ediint/mail-archive/>
List-id: <ietf-ediint.imc.org>
List-unsubscribe: <mailto:ietf-ediint-request@imc.org?body=unsubscribe>
Sender: owner-ietf-ediint@xxxxxxxxxxxx

I would say that an FTP/TLS server implementation (I.E. code) which does not allow the user/administrator to change CipherSuites, is broken.

The choice of CipherSuites should be a security decision, based around a risk analysis from the Business. How a developer can assume that that analysis can have only one outcome is beyond understanding.

I would be against defining a 'minimum CipherSuite' or some-such in AS3 (I have not defined one in the FTP/TLS document); as yesterday's 'minimum' is tomorrow's 'trivially broken' and providing a proscriptive method to force insecurity seems wrong to me.

If two peers wish to share business data, the security controls around that data should be mutually decided and not left to a technical specification. The basic way that this mutual decision is embodied, is in the TLS Handshake's CipherSuite negotiation; I see no compelling reason to augment or restrict that in a higher level protocol document.

If anything, AS3 should mandate that the allowed CipherSuite values MUST be configurable on both Client and Server. IIRC, AS2 is silent on this - https (if used) has the same problem.

Paul

--
Paul Ford-Hutchinson, CISSP : eCommerce application security
e: paulfordh@xxxxxxxxxx
e: paul.ford-hutchinson@xxxxxxxxxxxxxxxxxxx
p: MPT-6, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5JL
t: +44 (0)1926 462005
w: http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

"Kyle Meadors" <kyle@xxxxxxxxxxxxxxxxx>
Sent by: owner-ietf-ediint@xxxxxxxxxxxx

21/06/2005 19:58

To	<ietf-ediint@xxxxxxx>
cc
Subject	question on cipher suites

An issue was recently brought up in regards to using TLS in AS3. Within the TLS handshaking, the connecting AS3 application only uses one cipher, 3DES, in the handshaking. In this case, the FTP server receiving the connection does not support 3DES but does support others. Since the AS3 app does not support anything but 3DES, it can not work through the handshaking to find a cipher both agree on.

Would it be necessary to state something within the AS3 draft about supporting a specific set of ciphers. Or, is this outside the scope of AS3 since it may lie only with the FTP server be beyond the control of the AS3 application.

Kyle Meadors
Principal, Test Process
Drummond Group Inc.
615.384.5006

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.7.8/22 - Release Date: 6/17/2005

References:
- question on cipher suites
  - From: Kyle Meadors

Prev by Date: Re: question on cipher suites
Previous by thread: Re: question on cipher suites
Index(es):
- Date
- Thread