Re: [TLS] WGLC for rsa-aes-gcm and ecc-new-mac
On Wed, Feb 13, 2008 at 5:49 AM, Blumenthal, Uri <uri at ll.mit.edu> wrote:

> And the point of mixing an RSA-based suite into an ECC-based draft would be..?   The idea is to move from RSA to ECC.

You have just answered your own question, haven't you?

These ciphersuites are part of the transition path, in particular if
we take into account the intrinsically different time behavior of
authentication security and encryption security in scenarios where we
have an ephemeral data exchange as in TLS (rather than long-term data
storage) but may require long-term encryption security.

ECDH ciphersuites with RSA-based authentication mean that we can use
ECC with the certificates that are around now (i.e., without having to
obtain additional certificates specifically for ECC).  Should it
happen that two years from now 2048-bit RSA and 2048-bit DH are
routinely broken but ECDH is unaffected, our current TLS sessions
using one of these mixed ECDHE_RSA ciphersuites will remain secure: An
adversary who now records all the data of our TLS connections won't be
able to decrypt it (but might sooner or later be able to decrypt data
from sessions using DHE_RSA ciphersuites).

Also, the ECDH ciphersuites with RSA for authentication are quite nice
for clients without a lot of computing power, since RSA signature
verification (with e = 0x10001 and the like) is very quickly done
compared to verification in most other signature schemes.

Bodo


>  -----Original Message-----
>  From: tls-bounces at ietf.org [mailto:tls-bounces at ietf.org] On Behalf Of Bodo Moeller
>  Sent: Wednesday, February 13, 2008 12:52 AM
>  To: Pasi.Eronen at nokia.com
>  Cc: tls at ietf.org
>  Subject: Re: [TLS] WGLC for rsa-aes-gcm and ecc-new-mac

>  > This message starts a WG last call on the following two drafts:
>  >
>  >   draft-ietf-tls-rsa-aes-gcm-02
>  >   draft-ietf-tls-ecc-new-mac-04
[...]
>  Given the form of rfc4346-bis that has now evolved, the ecc-new-mac
>  specification really should include ECDHE_RSA versions of the
>  ciphersuites that it specifies -- i.e., ciphersuites relying on RSA
>  for server authentication (since this is what the current base of
>  installed certificates mostly offers) but on ECDH for forward secrecy.
[...]
>  So I don't really agree with draft-ietf-tls-ecc-new-mac-## unless the
>  following ciphersuites are added, since I wouldn't really like to see
>  yet another boring ciphersuite specification just to cover these:
>
>        CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  = {0xXX,XX};
>        CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  = {0xXX,XX};
>
>        CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  = {0xXX,XX};
>        CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  = {0xXX,XX};
_______________________________________________
TLS mailing list
TLS at ietf.org
http://www.ietf.org/mailman/listinfo/tls



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
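The separation Bodo Moeller argues for above (RSA used only to authenticate, ECDH alone determining the session key) can be made concrete with a small simulation. The following Go program is an added example for this archive page, not code from the message, the drafts, or any TLS implementation: it models the key-exchange core of an ECDHE_RSA suite using the standard library's crypto/ecdh and crypto/rsa packages, then plays the adversary from the message, who has recorded the wire transcript and later obtains the server's RSA private key. The names Handshake, Transcript and LaterCompromise, the use of P-256 and PKCS#1 v1.5, and the SHA-256 stand-in for the TLS PRF are all assumptions of this example, not details from the page.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Transcript is everything a passive adversary can record from the wire in
// this simulated exchange: public values only. The ephemeral ECDH private
// keys never leave their owners, and the RSA private key is only used to sign.
type Transcript struct {
	ClientPub []byte // client's ephemeral ECDH public key (P-256, uncompressed point)
	ServerPub []byte // server's ephemeral ECDH public key
	Signature []byte // RSA PKCS#1 v1.5 signature over SHA-256(ClientPub || ServerPub)
}

// signedData is what the server signs: both ephemeral shares, so the client
// knows the server's share is fresh for this exchange and not a replay.
func signedData(tr Transcript) []byte {
	d := sha256.Sum256(append(append([]byte{}, tr.ClientPub...), tr.ServerPub...))
	return d[:]
}

// deriveKey stands in for the TLS PRF (assumption of this example): the
// session key is a function of the ECDH shared secret alone, never of RSA.
func deriveKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

// Handshake runs the key-exchange core of an ECDHE_RSA suite between a client
// and a server holding the long-term RSA key from its certificate. It returns
// the key each side derives together with the wire transcript.
func Handshake(serverRSA *rsa.PrivateKey) (clientKey, serverKey []byte, tr Transcript, err error) {
	curve := ecdh.P256()

	// Both sides generate fresh ephemeral ECDH keys for this session only.
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	tr.ClientPub = clientEph.PublicKey().Bytes()
	tr.ServerPub = serverEph.PublicKey().Bytes()

	// Server: authenticate its ephemeral share with the certificate's RSA key
	// (the role of the signed ServerKeyExchange message in TLS 1.2).
	tr.Signature, err = rsa.SignPKCS1v15(rand.Reader, serverRSA, crypto.SHA256, signedData(tr))
	if err != nil {
		return nil, nil, tr, err
	}

	// Client: verify with the RSA public key from the certificate it already
	// trusts before using the server's share. Verification with e = 65537
	// (Go's default) is a single short exponentiation, which is the cheapness
	// the message refers to.
	if err = rsa.VerifyPKCS1v15(&serverRSA.PublicKey, crypto.SHA256, signedData(tr), tr.Signature); err != nil {
		return nil, nil, tr, err
	}

	// Each side combines its own ephemeral private key with the peer's share.
	serverPub, err := curve.NewPublicKey(tr.ServerPub)
	if err != nil {
		return nil, nil, tr, err
	}
	clientPub, err := curve.NewPublicKey(tr.ClientPub)
	if err != nil {
		return nil, nil, tr, err
	}
	cs, err := clientEph.ECDH(serverPub)
	if err != nil {
		return nil, nil, tr, err
	}
	ss, err := serverEph.ECDH(clientPub)
	if err != nil {
		return nil, nil, tr, err
	}
	return deriveKey(cs), deriveKey(ss), tr, nil
}

// LaterCompromise models the adversary in the message: a recorded transcript
// plus, some years later, the server's long-term RSA private key. The RSA key
// is still useful for checking (or producing) signatures, but the session key
// computation needs one of the two ephemeral ECDH private keys, neither of
// which is in the transcript or derivable from the RSA key. Running the same
// ECDH computation with any other scalar yields a different key, which is
// what the second return value shows.
func LaterCompromise(serverRSA *rsa.PrivateKey, tr Transcript, recordedKey []byte) (rsaStillUseful, sessionKeyRecovered bool) {
	rsaStillUseful = rsa.VerifyPKCS1v15(&serverRSA.PublicKey, crypto.SHA256, signedData(tr), tr.Signature) == nil
	curve := ecdh.P256()
	other, _ := curve.GenerateKey(rand.Reader) // any scalar except the discarded ephemeral ones
	srv, _ := curve.NewPublicKey(tr.ServerPub)
	shared, _ := other.ECDH(srv)
	sessionKeyRecovered = bytes.Equal(deriveKey(shared), recordedKey)
	return rsaStillUseful, sessionKeyRecovered
}

func main() {
	serverRSA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ck, sk, tr, err := Handshake(serverRSA)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client and server derive the same key: %v\n", bytes.Equal(ck, sk))
	useful, recovered := LaterCompromise(serverRSA, tr, ck)
	fmt.Printf("RSA key still verifies the old signature: %v; recovers the session key: %v\n", useful, recovered)
}
```

Two runs of Handshake with the same RSA key produce unrelated session keys, because the ephemeral shares change and the RSA key never enters deriveKey; that is the property that lets recorded ECDHE_RSA traffic stay confidential after the RSA key is lost, while the same loss would let an attacker impersonate the server in new sessions (an authentication failure, not a confidentiality one).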