
Re: [TLS] Re: NIST TLS recommendations



On Wed, Nov 01, 2006 at 03:54:31PM +0100, Simon Josefsson wrote:
> Ray Perlner <ray.perlner@xxxxxxxx> writes:

>> Page 81 Section A5.
>> This section deprecates anonymous DH, which hopefully means that no
>> compliant version of TLS 1.2 will support this mode, (or any other
>> completely anonymous mode.)

> I don't read A5 that way.
> 
> Section A5 suggests (but with no MUST NOT) that DH_anon for RC4/DES/3DES is
> deprecated, which I'd agree to.
> 
> However, section A5 appears to permit DH_anon with AES128/AES256.

This is true, but if you look at the rationale given in A.5 for
deprecating these three DH_anon ciphersuites, it is quite clear that
the two AES DH_anon ciphersuites should have been deprecated too:

   The following cipher suites are used for completely anonymous Diffie-
                                                       ^^^^^^^^^^^^^^^^^
   Hellman communications in which neither party is authenticated. Note
   ^^^^^^^
   that this mode is vulnerable to man-in-the-middle attacks and is
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   therefore deprecated.
   ^^^^^^^^^^^^^^^^^^^^

Probably this inconsistency was introduced when the specification of
the AES ciphersuites was merged into the main TLS specification.

Having said that, I agree that DH_anon ciphersuites should not be
deprecated!  In particular, anonymous key exchange of course should not
be explicitly forbidden (as per the NIST recommendation).

> I believe fully anonymous ciphers are a useful feature of TLS, and
> that they should stay.  Client/server authentication can and does happen
> via other protocols than TLS, and those protocols can use TLS channel
> bindings to protect against man-in-the-middle attacks, if necessary.

This is exactly right; however, it certainly is reasonable to add some
language to the specification that points out that these ciphersuites
should *usually* not be enabled.  Here is a proposal for A.5.

   The following cipher suites are used for completely anonymous Diffie-
   Hellman communications in which neither party is authenticated. Note
   that this mode is vulnerable to man-in-the-middle attacks.  Using
   this mode therefore is deprecated: These ciphersuites MUST NOT be
   used by TLS 1.1 implementations unless the application layer has
   specifically requested to allow anonymous key exchange.  (Anonymous
   key exchange may sometimes be acceptable, for example, to support
   opportunistic encryption when no set-up for authentication is in
   place, or when TLS is used as part of more complex security
   protocols that have other means to ensure authentication.)

    CipherSuite TLS_DH_anon_WITH_RC4_128_MD5           = { 0x00, 0x18 };
    CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA           = { 0x00, 0x1A };
    CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA      = { 0x00, 0x1B };
    CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA       = { 0x00, 0x34 };
    CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA       = { 0x00, 0x3A };

Bodo


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
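The proposed A.5 wording above turns a vague "deprecated" into a concrete rule: an implementation may negotiate a TLS_DH_anon_* suite only when the application layer has explicitly asked for anonymous key exchange. The following Python is an added example written for this page, not code from the message, the TLS specification, or any TLS library. It implements that rule as a server-side ciphersuite selection over a constructed ClientHello cipher_suites vector, using the five code points listed in the proposal, and then asks the local OpenSSL build (through the standard `ssl` module) whether its default context would ever negotiate an unauthenticated suite. The authenticated suite TLS_RSA_WITH_AES_128_CBC_SHA = {0x00, 0x2F}, used as the server's fallback preference, is taken from the IANA ciphersuite registry and is not in the original text.

```python
"""Added example, not part of the original message or the TLS spec.

Ciphersuite selection that follows the proposed A.5 text: anonymous
Diffie-Hellman suites are ineligible unless the application layer has
explicitly opted in.  The ClientHello bytes used below are constructed
for illustration only.
"""
import ssl

# Code points exactly as listed in the proposed A.5 text.
DH_ANON_SUITES = {
    (0x00, 0x18): "TLS_DH_anon_WITH_RC4_128_MD5",
    (0x00, 0x1A): "TLS_DH_anon_WITH_DES_CBC_SHA",
    (0x00, 0x1B): "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    (0x00, 0x34): "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    (0x00, 0x3A): "TLS_DH_anon_WITH_AES_256_CBC_SHA",
}

# Authenticated suite used as the server's fallback preference.
# Assumption: code point taken from the IANA registry, not from the page.
TLS_RSA_WITH_AES_128_CBC_SHA = (0x00, 0x2F)


def parse_cipher_suites(vector: bytes) -> list:
    """Parse a ClientHello cipher_suites vector: a 2-byte big-endian
    length followed by that many bytes of 2-byte suite code points."""
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    length = int.from_bytes(vector[:2], "big")
    body = vector[2:2 + length]
    if len(body) != length or length == 0 or length % 2 != 0:
        raise ValueError("malformed cipher_suites vector")
    return [(body[i], body[i + 1]) for i in range(0, length, 2)]


def select_suite(offered, server_preference, allow_anonymous=False):
    """Return the first suite in the server's preference order that the
    client also offered.  Anonymous suites are skipped unless the
    application layer explicitly asked for them, which is exactly the
    MUST NOT ... unless rule of the proposed A.5 text.  None means the
    server would have to abort with handshake_failure."""
    offered = set(offered)
    for suite in server_preference:
        if suite in DH_ANON_SUITES and not allow_anonymous:
            continue  # unauthenticated: MITM-able, app did not opt in
        if suite in offered:
            return suite
    return None


def default_context_allows_anonymous() -> bool:
    """True if this Python/OpenSSL build's default context could negotiate
    a suite with no peer authentication.  OpenSSL marks such suites with
    'Au=None' in their description string (e.g. ADH-AES128-SHA)."""
    ctx = ssl.create_default_context()
    return any("Au=None" in c["description"] for c in ctx.get_ciphers())


def opt_in_anonymous(ctx: ssl.SSLContext) -> list:
    """The explicit application-layer opt-in: enable anonymous suites on a
    context and return the names that became available.  Many OpenSSL
    builds no longer ship them at all; then set_ciphers() raises and the
    result is an empty list rather than a silent downgrade."""
    try:
        ctx.set_ciphers("aNULL:@SECLEVEL=0")
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if "Au=None" in c["description"]]


if __name__ == "__main__":
    # Constructed ClientHello cipher_suites field: length 6, then two
    # anonymous AES suites and one authenticated RSA suite.
    hello_field = bytes.fromhex("0006" "0034" "003a" "002f")
    offered = parse_cipher_suites(hello_field)
    prefs = [(0x00, 0x34), TLS_RSA_WITH_AES_128_CBC_SHA]
    print("client offered:        ", [DH_ANON_SUITES.get(s, s) for s in offered])
    print("default policy selects:", select_suite(offered, prefs))
    print("app opted in, selects: ", select_suite(offered, prefs, allow_anonymous=True))
    print("default ssl context allows anonymous:", default_context_allows_anonymous())
    print("opt-in on this build yields:", opt_in_anonymous(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)))
```

The policy lives in `select_suite`: anonymous suites never win by default, even when the server prefers them, and the opt-in is a parameter the application has to pass rather than a global switch. `default_context_allows_anonymous()` is the check a practitioner would run against a real deployment; a modern OpenSSL answers False, and `opt_in_anonymous()` usually returns an empty list because the suites are compiled out, which is the other reason DH_anon did not need to be forbidden outright.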