[SSL Observatory] TLS 1.1/1.2 support

Erwann ABALEA erwann at abalea.com
Tue Aug 23 05:09:37 PDT 2011


2011/8/23 Peter Gutmann <pgut001 at cs.auckland.ac.nz>:
> Erwann ABALEA <erwann at abalea.com> writes:
>>2011/8/22 Larry Seltzer <larry at larryseltzer.com>:
>>> From the presentation: "Lack of support for TLS v1.1 and v1.2 is a
>>> cause for concern"
>>>
>>> Why? It looks like very few people care.
>>
>>Very few, but on what surface?
>
> I'm actually somewhat reassured by the fact that no-one cares much about TLS
> 1.1 and 1.2, 1.1 solves a very academic, but at least non-zero, problem in a
> fully backwards-compatible manner, while 1.2 solves no identifiable problem
> (unless you count "HMAC-SHA1 is sooooo unfashionable, it's just not what
> they're wearing this year dahling" as an issue) while totally breaking
> compatibility with all existing deployed systems.

I have no problem with HMAC-SHA1, as it does have a proof of security.
TLSv1.2 adds a solution to an identifiable problem, as it is now
possible to use other hash functions as PRF (ciphersuites with SHA256
are defined). Without this, we are still bound to MD5+SHA1. I
understand that the use of MD5+SHA1 seems to offer a larger security
margin than MD5 or SHA1 alone, and that neither MD5 nor SHA1 falls
under a pre-image attack, but they're declining functions.
TLSv1.2 doesn't provide any solution to the use of RSAES-PKCS1v1_5,
which has no proof of security, but no real and practical attack
either.

>>As a PKI operator employee, when we want to deploy our solutions, the customer
>>often asks about TLS1.1 and 1.2 support, or EDH group larger or equal to 2048
>>bits, or some enforcement that a 3DES key won't be used to encrypt more than
>>1GB of data.
>
> Applied Cryptography has a lot to answer for (sigh).  I've had both that and
> the more common must-have-the-latest-toy questions, "We must have TLS 1.2" ->
> "You realise that you're going to have major problems interoperating with
> anything using that because the entire industry is pretty much ignoring it" ->
> "Shiny, flashy, bling, want, want!".  Bigger sigh.

That's an answer I regularly give (among others: SHA1 is still
resistant to pre-image, attacks on RSAES-PKCS1v1_5 are not practical
at all, ...), but that looks like a chicken-and-egg problem. And in an
environment where you control the servers *and* clients, lack of
interoperability is no longer an argument.

-- 
Erwann.
