[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[TLS] Re: NIST TLS recomendations

To: Bodo Moeller <bmoeller@xxxxxxx>
Subject: [TLS] Re: NIST TLS recomendations
From: Simon Josefsson <jas@xxxxxxxxxxx>
Date: Sat, 04 Nov 2006 10:23:28 +0100
Cc: tls@xxxxxxxx
In-reply-to: <20061104070318.GA26795@xxxxxxxxxxx> (Bodo Moeller's message of "Sat\, 4 Nov 2006 08\:03\:18 +0100")
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Openpgp: id=B565716F; url=http://josefsson.org/key.txt
References: <B356D8F434D20B40A8CEDAEC305A1F2403585B1C@xxxxxxxxxxxxxxxxxxxxxx> <E1Gg9IJ-0003hr-00@xxxxxxxxxxxxxxxxxxxxxxxxxx> <20061104070318.GA26795@xxxxxxxxxxx>
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.90 (gnu/linux)

Bodo Moeller <bmoeller@xxxxxxx> writes:

> So here's an updated proposal.  This avoids the word "deprecated" (as by
> Pasi's and Simon's earlier remarks), and avoids the word "certificate":
>
>    The following cipher suites are used for completely anonymous Diffie-
>    Hellman communications in which neither party is authenticated. Note
>    that this mode is vulnerable to man-in-the-middle attacks.  Using
>    this mode therefore is of limited use: These ciphersuites MUST NOT be
>    used by TLS 1.2 implementations unless the application layer has
>    specifically requested to allow anonymous key exchange.  (Anonymous
>    key exchange may sometimes be acceptable, for example, to support
>    opportunistic encryption when no set-up for authentication is in
>    place, or when TLS is used as part of more complex security protocols
>    that have other means to ensure authentication.)
>
>     CipherSuite TLS_DH_anon_WITH_RC4_128_MD5           = { 0x00, 0x18 };
>     CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA           = { 0x00, 0x1A };
>     CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA      = { 0x00, 0x1B };
>     CipherSuite TLS_DH_anon_WITH_AES_128_CBC_SHA       = { 0x00, 0x34 };
>     CipherSuite TLS_DH_anon_WITH_AES_256_CBC_SHA       = { 0x00, 0x3A };
>
>    Note that using non-anonymous key exchange without actually verifying
>    the key exchange is essentially equivalent to anonymous key exchange,
>    and the same precautions apply.  While non-anonymous key exchange
>    will generally involve a higher computational and communicational
>    cost than anonymous key exchange, it may be in the interest of
>    interoperability not to disable non-anonymous key exchange when the
>    application layer is allowing anonymous key exchange.

This looks fine!

Thanks,
Simon

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

References:
- RE: [TLS] Re: NIST TLS recomendations
  - From: Pasi.Eronen
- RE: [TLS] Re: NIST TLS recomendations
  - From: Peter Gutmann
- Re: [TLS] Re: NIST TLS recomendations
  - From: Bodo Moeller

Prev by Date: Re: [TLS] Re: NIST TLS recomendations
Next by Date: milk route milligram-hour
Previous by thread: Re: [TLS] Re: NIST TLS recomendations
Next by thread: RE: [TLS] Re: NIST TLS recomendations
Index(es):
- Date
- Thread