
List:       ietf-tls
Subject:    Re: [TLS] Enforcing keyUsage restrictions (was Re: Safe ECC usage)
From:       mrex () sap ! com (Martin Rex)
Date:       2013-10-12 4:50:01
Message-ID: 20131012045001.94DFA1A9F9 () ld9781 ! wdf ! sap ! corp

Manuel Pégourié-Gonnard wrote:
> Santosh Chokhani wrote:
> >
> > DS bit for RSA based TLS server is not appropriate since the Server key is
> > used by the client to encrypt and never used for digital signature
> > verification.
>
> You seem to have RSA key exchange in mind, while Brian was talking about
> ECDHE_RSA or DHE_RSA key exchanges, where the server's RSA key is used to sign
> the parameters in the ServerKeyExchange message. The point was precisely that,
> if the keyUsage bits were respected, then setting only DS would force to use
> only forward secret key exchanges with this certificate.

It might result in more TLS implementations to work around the interop
problem and disable keyUsage checks like Peter did.

Really, the best that could happen to the NSA is that everyone starts
using ECDHE with NIST curves, aka Suite B.  It just would not make sense
(and amount to a huge waste of tax dollars) if these were _not_ bugged!

The defects in (EC)DSA look rather accidental to me, and EC_Dual_DRNG was
deliberately set up to deceive folks on what was _really_ subverted.
Considering how it is being used, ECDHE as part of Suite B is the
single point of failure that is by far the most convenient, because
it will work for large-scale passive eavesdropping.


The original "digitally-signed" in SSLv3 and TLSv1.0 for RSA was using
a conservative design, since it combined two hash algorithms (SHA1+MD5).
In TLSv1.2 this was artificially neutered -- (rsa,md5) is a valid signature
algorithm according to the TLSv1.2 spec, but ridiculously weak.

If we were to "fix" TLS, then we should use combinations of algorithms
more often, rather than less.  Such as making it possible to use
an RSA premaster secret XORed with a DHE or ECDHE shared secret.


-Martin
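The keyUsage point Manuel raises above (DS only forces (EC)DHE_RSA; RSA key exchange needs keyEncipherment) can be made concrete by decoding the extension and mapping bits to the key exchange families of RFC 5246 section 7.4.2. This is an added illustration, not code from the thread; the DER byte strings are constructed samples, and the KEX_REQUIREMENTS table is a simplification that ignores the DSS/ECDSA variants.

```python
# Added example (not from the thread): decode an X.509 KeyUsage extension
# value (a DER BIT STRING) and report which TLS key exchanges an RSA
# server certificate may be used for when keyUsage is actually enforced.

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Which keyUsage bit each key exchange family needs (RFC 5246, 7.4.2).
KEX_REQUIREMENTS = {
    "RSA (premaster secret encrypted to server key)": "keyEncipherment",
    "DHE_RSA / ECDHE_RSA (server signs ServerKeyExchange)": "digitalSignature",
    "DH_RSA / ECDH_RSA (static key agreement)": "keyAgreement",
}


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING (tag 0x03) into named keyUsage bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported length")
    unused_bits = der[2]
    payload = der[3:]
    if unused_bits > 7 or (not payload and unused_bits):
        raise ValueError("bad unused-bits count")
    total_bits = len(payload) * 8 - unused_bits
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Named bits count from the most significant bit of the first byte.
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def permitted_key_exchanges(der: bytes) -> list:
    """Return the key exchange families this keyUsage allows, in table order."""
    usage = decode_key_usage(der)
    return [kex for kex, needed in KEX_REQUIREMENTS.items() if needed in usage]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    ds_only = bytes.fromhex("03020780")    # digitalSignature only
    ds_and_ke = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
    for label, der in (("DS only", ds_only), ("DS+KE", ds_and_ke)):
        print(label, "->", permitted_key_exchanges(der))
```

With only digitalSignature set, the table leaves the forward-secret (EC)DHE_RSA family as the sole option, which is the behaviour a keyUsage-enforcing client would exhibit.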
