idnits 2.17.1 draft-mavrogiannopoulos-tls-dss-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 8, 2011) is 4705 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '20' on line 147 -- Possible downref: Non-RFC (?) normative reference: ref. 'DSS' ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 2246 (Obsoleted by RFC 4346) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group N. Mavrogiannopoulos 3 Internet-Draft KUL 4 Intended status: Standards Track June 8, 2011 5 Expires: December 10, 2011 7 Using transport layer security (TLS) with DSA and ECDSA ciphersuites 8 draft-mavrogiannopoulos-tls-dss-01 10 Abstract 12 This memo clarifies the usage of the digital signature algorithm 13 (DSA) with extended key lengths, in the transport layer security 14 (TLS) protocol earlier than 1.2, and makes clarifications for the 15 usage of DSA and its elliptic curves equivalent (ECDSA) in TLS 1.2. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on December 10, 2011. 34 Copyright Notice 36 Copyright (c) 2011 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 3. DSA in FIPS-186-3 . . . . . . . . . . . . . . . . . . . . . . . 3 54 4. The SSL 3.0, TLS 1.0 and 1.1 protocols . . . . . . . . . . . . 4 55 4.1. DSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 4.2. ECDSA . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 57 5. The TLS protocol 1.2 . . . . . . . . . . . . . . . . . . . . . 5 58 5.1. DSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 59 5.1.1. Parameters not allowed by DSS . . . . . . . . . . . . . 6 60 5.2. ECDSA . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 61 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 62 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 63 7.1. Normative References . . . . . . . . . . . . . . . . . . . 7 64 7.2. Informative References . . . . . . . . . . . . . . . . . . 8 66 1. Introduction 68 The TLS protocols support the DSA algorithm even from its first 69 incarnation in [RFC2246]. However the latest DSA publication from 70 NIST at [DSS], suggests some changes that do not straightforwardly 71 apply to the TLS protocols. 73 In this document we describe the differences on the new DSS 74 algorithms[DSS], and define a profile for TLS implementations. 76 2. Terminology 78 This document uses the same notation and terminology used in the TLS 79 Protocol specification [RFC5246]. 81 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 82 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 83 document are to be interpreted as described in [RFC2119]. 85 3. DSA in FIPS-186-3 87 In this section we discuss the differences between the old DSS 88 publication [OLDDSS] and the new one [DSS], that justify the need for 89 a TLS profile. 91 DSA parameters include a prime modulus p and a prime divisor of p-1 92 called q. In [OLDDSS] the bit length of p was fixed to 1024 bits, 93 the length of q to 160 bits and the underlying hash algorithm was 94 fixed to SHA-1. However the DSA algorithm in [DSS] allows more 95 lengths for p and q, as well different hash algorithms, than the 96 older version which is currently referred by TLS protocols. 98 The new document relies on the "bits of security" term defined in 99 [SP800-57], and recommends that security strength of the hash 100 algorithm matches the security strength of other DSA parameters. It 101 is required either the bits of the hash algorithm to match the bits 102 of length of q (N), or if the hash size is larger, only the N 103 leftmost bits of the hash output are being used. The corresponding 104 mappings are shown in Table 1 and Table 2. 106 +----------------+-----------+------------------+ 107 | Hash algorithm | Hash size | Bits of security | 108 +----------------+-----------+------------------+ 109 | SHA-1 | 160 | 80 | 110 | SHA-224 | 224 | 112 | 111 | SHA-256 | 256 | 128 | 112 | SHA-384 | 384 | 192 | 113 | SHA-512 | 512 | 256 | 114 +----------------+-----------+------------------+ 116 Table 1 118 +------------+------------+-------------+---------------------------+ 119 | Length of | Length of | Bits of | Matching hash algorithms | 120 | p (L) | q (N) | security | | 121 +------------+------------+-------------+---------------------------+ 122 | 1024 | 160 | 80 | SHA-1, SHA-224, SHA-256, | 123 | | | | SHA-384, SHA-512 | 124 | 2048 | 224 | 112 | SHA-224, SHA-256, | 125 | | | | SHA-384, SHA-512 | 126 | 2048 | 256 | (112,128) | SHA-256, SHA-384, SHA-512 | 127 | 3072 | 256 | 128 | SHA-256, SHA-384, SHA-512 | 128 +------------+------------+-------------+---------------------------+ 130 Table 2 132 4. The SSL 3.0, TLS 1.0 and 1.1 protocols 134 4.1. DSA 136 The SSL 3.0, TLS 1.0 and 1.1 protocols support ciphersuites that 137 utilize the DSA algorithms for signing. The digital signatures are 138 used for the "Server key exchange" and "Certificate verify" messages. 139 In those messages there is no indication of the signature algorithm 140 used, thus the selection is implicit. The signature contained in 141 both messages is defined, for the DSA algorithm, as: 143 select (SignatureAlgorithm) 144 { 145 case dsa: 146 digitally-signed struct { 147 opaque sha_hash[20]; 148 }; 149 } Signature; 151 This structure refers to the DSA algorithm with L=1024 and N=160, but 152 this is not an explicit requirement of those protocols and several 153 existing implementations are using the SHA-1 algorithm for all DSA 154 key sizes. For this reason it is RECOMMENDED not to use DSA keys of 155 sizes other than L=1024 and N=160 in combination with those 156 protocols. 158 If however keys of sizes larger than L=1024 and N=160 have to be 159 used, then the SHA-1 algorithm has to be used. 161 4.2. ECDSA 163 For TLS negotiation to proceed smoothly when an ECDSA enabled 164 ciphersuite is negotiated both parties must agree to a curve. 165 However given that [RFC4492] lists a very large number of curves but 166 doesn't recommend any, it is unclear which curves should be used in 167 certificates for TLS. 169 To improve interoperability implementations SHOULD use certificates 170 with curves restricted to the recommended by [RFC5480]. Those are 171 summarized in Table 3. 173 +-----------+ 174 | Curve | 175 +-----------+ 176 | secp224r1 | 177 | secp256r1 | 178 | secp384r1 | 179 | secp521r1 | 180 +-----------+ 182 Table 3 184 5. The TLS protocol 1.2 186 This version of the protocol also requires signatures for the "Server 187 key exchange" and "Certificate verify" messages. However in this 188 version signature algorithm negotiation is explicit via the 189 "Signature algorithms" extension. The signature used is as below: 191 struct { 192 SignatureAndHashAlgorithm algorithm; 193 opaque signature<0..2^16-1>; 194 } DigitallySigned; 196 It is however desirable for interoperability reasons to restrict the 197 available options. This would allow constrained clients to support 198 only the required algorithms, and servers that do not cache all 199 messages up to "Certificate verify" in order to calculate the 200 signature, to carry a single hash state instead. 202 5.1. DSA 204 In this case a signature algorithm should be selected that matches 205 the requirements as in Table 4. Implementations SHOULD select the 206 algorithms shown on that table. 208 +--------------+--------------+------------+--------+---------------+ 209 | Length of p | Length of q | Hash | Hash | Truncated | 210 | in bits | in bits | algorithm | size | hash size | 211 +--------------+--------------+------------+--------+---------------+ 212 | 1024 | 160 | SHA-1 | 20 | 20 | 213 | 2048 | 224 | SHA-256 | 32 | 28 | 214 | 2048 | 256 | SHA-256 | 32 | 32 | 215 | 3072 | 256 | SHA-256 | 32 | 32 | 216 +--------------+--------------+------------+--------+---------------+ 218 Table 4 220 Note: When the hash size does not match the length of q, then only 221 the leftmost bytes of the hash, that match the length of q, are used. 222 This is indicated in the "Truncated hash size" column of the table. 224 5.1.1. Parameters not allowed by DSS 226 TLS implementations MUST NOT support parameter lengths not allowed by 227 [DSS]. If illegal parameters are encountered, the handshake should 228 be aborted using an "illegal_parameter" alert. 230 5.2. ECDSA 232 The signature hash algorithm SHOULD be selected in way that matches 233 the requirements of Table 5. Also implementations SHOULD use 234 certificates with curves restricted to the recommended by [RFC5480]. 235 Those are summarized in Table 3. 237 +----------------+----------------+-----------+---------------------+ 238 | ECDSA key size | Hash algorithm | Hash size | Truncated hash size | 239 +----------------+----------------+-----------+---------------------+ 240 | 192 | SHA-256 | 32 | 24 | 241 | 224 | SHA-256 | 32 | 28 | 242 | 256 | SHA-256 | 32 | 32 | 243 | 384 | SHA-384 | 48 | 48 | 244 | 512 | SHA-512 | 64 | 64 | 245 +----------------+----------------+-----------+---------------------+ 247 Table 5 249 Note: As with DSA, when the hash size does not match the curve key 250 size, only the leftmost bytes of the hash are used. This size is 251 shown in the "Truncated hash size" column of the table. 253 6. Security Considerations 255 When DSA keys are being used in connections that involve the SSL 3.0, 256 TLS 1.0 or TLS 1.1 protocols then the entire connection security 257 depends on the SHA-1 algorithm. This is about 80-bits of security 258 irrespective of the sizes of the DSA keys. 260 All security considerations discussed in [RFC5246], apply to this 261 document. 263 7. References 265 7.1. Normative References 267 [DSS] NIST FIPS PUB 186-3, "Digital Signature Standard", 268 National Institute of Standards and Technology, U.S. 269 Department of Commerce , June 2009. 271 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 272 Requirement Levels", BCP 14, RFC 2119, March 1997. 274 [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, 275 "Elliptic Curve Cryptography Subject Public Key 276 Information", RFC 5480, March 2009. 278 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and 279 B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher 280 Suites for Transport Layer Security (TLS)", RFC 4492, 281 May 2006. 283 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 284 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 286 7.2. Informative References 288 [OLDDSS] NIST FIPS PUB 186, "Digital Signature Standard", National 289 Institute of Standards and Technology, U.S. Department of 290 Commerce , May 1994. 292 [SP800-57] NIST FIPS SP 800-57, "Recommendation for Key Management", 293 National Institute of Standards and Technology, U.S. 294 Department of Commerce , March 2007. 296 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", 297 RFC 2246, January 1999. 299 Author's Address 301 Nikos Mavrogiannopoulos 302 ESAT/COSIC Katholieke Universiteit Leuven 303 Kasteelpark Arenberg 10, bus 2446 304 Leuven-Heverlee, B-3001 305 Belgium 307 EMail: nikos.mavrogiannopoulos@esat.kuleuven.be