
Re: My two cents on TLS mandatory ciphers [Long]



At 6:36 PM -0700 7/25/97, David Wagner wrote:
>Bottom line: if I were deploying an SSL/TLS implementation that needed
>high-grade security (e.g. a 128-bit server for Internet banking applications),
>I'd turn off support for auth-only, anonymous, and exportable ciphersuites.
>(Even if I didn't know of any direct attacks, I'm worried enough by
>the history to be especially cautious in this regard.)  That's why I
>believe it would be a bad move to make any of those ciphersuites mandatory.

Let me note that I don't believe any of these attacks can affect an
implementation which supports certain levels of encryption, but only
releases data on suitable levels of encryption. For example, consider a web
server which holds three classes of documents: Public, Confidential and
Secret. What's more, a decision has been made that auth-only is OK for
Public documents, 40 bit security is sufficient for Confidential, but
128-bit is required for Secret.

If an installation tests what level of security has been negotiated for any
particular connection and uses that information to restrict the
distribution of documents, then I don't believe that any of the class of
attacks which David describes can be used to gain access to documents with
less work than would be normally required to break a secure connection
transmitting that document, even though the implementation supports weaker
ciphers.

All installations which support several ciphers with different security
characteristics _must_ do this check to be considered secure.

Of course, if I were deploying a server where all the information I wanted
to transmit required a high level of security, I would disable the weaker
cipher suites, as there's no reason to provide the foothold of speaking
weak ciphers when you know you won't be willing to do interesting things
over such channels.

The problem is servers which assume that they will negotiate the strongest
available security. Bottom line: if your server will transmit secret data
over a weak connection, you've set a bar of weak security, even if your
clients have strong encryption available.

 - Tim

Tim Dierks - timd@xxxxxxxxxxxxx - www.consensus.com
     Software Haruspex - Consensus Development
  Developer of SSL Plus: SSL 3.0 Integration Suite
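
An added example, not part of the original message or of any SSL implementation: the per-connection check described above, using the message's three document classes. The suite names are SSL 3.0 names; the key-size table, the function names, and the choice to treat anonymous suites as failing even the auth-only Public class are assumptions made for this sketch.

```python
import re

# Minimum encryption key bits per document class, taken from the policy in the
# message. "Public" needs authentication only, so 0 bits is acceptable there.
REQUIRED_BITS = {"Public": 0, "Confidential": 40, "Secret": 128}

# Nominal key sizes for SSL 3.0 bulk ciphers (assumed table for this example).
CIPHER_BITS = {"NULL": 0, "RC4_40": 40, "RC2_CBC_40": 40, "DES40_CBC": 40,
               "DES_CBC": 56, "RC4_128": 128, "IDEA_CBC": 128,
               "3DES_EDE_CBC": 168}

SUITE_RE = re.compile(
    r"^SSL_(?P<kx>.+?)(?P<export>_EXPORT)?_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA)$")


def describe_suite(name):
    """Parse a suite name into (authenticated, key_bits); None if unrecognized."""
    m = SUITE_RE.match(name)
    if not m or m.group("cipher") not in CIPHER_BITS:
        return None
    bits = CIPHER_BITS[m.group("cipher")]
    # An EXPORT suite must never be credited with more than 40 bits.
    if m.group("export") and bits > 40:
        return None
    # Assumption: anonymous key exchange provides no server authentication.
    authenticated = "anon" not in m.group("kx")
    return authenticated, bits


def may_release(doc_class, negotiated_suite):
    """Decide from the suite actually negotiated on this connection, never from
    what the server is configured to support. Fails closed on unknown input."""
    required = REQUIRED_BITS.get(doc_class)
    suite = describe_suite(negotiated_suite)
    if required is None or suite is None:
        return False
    authenticated, bits = suite
    return authenticated and bits >= required


if __name__ == "__main__":
    # Constructed sample requests: (document class, suite negotiated).
    for doc, suite in [("Secret", "SSL_RSA_WITH_RC4_128_MD5"),
                       ("Secret", "SSL_RSA_EXPORT_WITH_RC4_40_MD5"),
                       ("Confidential", "SSL_RSA_EXPORT_WITH_RC4_40_MD5"),
                       ("Public", "SSL_RSA_WITH_NULL_MD5"),
                       ("Public", "SSL_DH_anon_WITH_RC4_128_MD5")]:
        print(doc, suite, "ALLOW" if may_release(doc, suite) else "DENY")
```
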