On Sun, Oct 11, 2015 at 09:25:10AM +0200, Rick van Rein wrote:
> > *From:* internet-dra...@ietf.org
> >
> > Name: draft-vanrein-tls-kdh
> > Revision: 00
>
> Hello TLS WG,
>
> I would like to propose new CipherSuites for TLS. The cryptography is
> founded on Kerberos authentication and DH encryption, cryptographically
> bound together. The mechanism uses mutual authentication, although
> clients may use anonymous tickets.
>
> Any feedback that you may have (technical, or WG-procedural) is kindly
> welcomed. I will also send this to the Kitten WG.
Some quick comments:

- The signed DH share does not look to be bound to anything (crypto
  parameters negotiation, randoms, server key exchange, etc.). I can't
  offhand say what that would lead to, but it looks even worse than TLS
  ServerKeyExchange, which has known vulnerabilities due to lack of
  binding to things like ciphersuite.
- The ciphersuite list looks bad: 1) IDEA (bad idea), CBC (don't use),
  apparent SHA-1 prf-hash (REALLY bad idea)[1][2].
- Even use of DH is questionable.

[1] All the current ciphersuites have SHA-256 or SHA-384 prf-hash (the
prf-hash of existing ciphers was grandfathered as SHA-256, even if the
name has _SHA or _MD5).

[2] AFAIK, proving security properties of TLS against active attack
needs assumption that prf-hash is secure. And we know SHA-1 isn't.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
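To make the binding point in the reply above concrete, here is an added example (not code from the draft or from either poster): a TLS 1.2 style ServerKeyExchange signature covers the randoms and the DH parameters but not the negotiated ciphersuite, so it still verifies after the suite field is altered, whereas a variant that also signs the suite rejects the swap. The HMAC stands in for the server's certificate signature, the `bound_signed_input` layout is an assumed hardening rather than anything the draft specifies, and the randoms and DH values are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the server's signature: an HMAC under a fixed key.
# Real TLS uses RSA/ECDSA under the certificate key; only the choice of
# what gets signed (the binding) matters for this demonstration.
SERVER_KEY = b"constructed-server-signing-key"

# Real ciphersuite codes (RFC 5246), used here only as a pair of suites
# that a handshake message could be altered between in a constructed scenario.
DHE_RSA_AES128_CBC_SHA = 0x0033
DHE_RSA_AES256_CBC_SHA = 0x0039

def sign(msg: bytes) -> bytes:
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)

def encode_dh_params(p: int, g: int, ys: int) -> bytes:
    """TLS 1.2 ServerDHParams: three length-prefixed big-endian integers."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def ske_signed_input(client_random, server_random, suite, params):
    """What TLS 1.2 ServerKeyExchange signs (RFC 5246 7.4.3): `suite` is deliberately unused."""
    return client_random + server_random + params

def bound_signed_input(client_random, server_random, suite, params):
    """Assumed hardened variant: the negotiated ciphersuite is signed as well."""
    return client_random + server_random + struct.pack("!H", suite) + params

def demo() -> dict:
    cr, sr = os.urandom(32), os.urandom(32)          # constructed randoms
    params = encode_dh_params(p=0xFFFFFFFFFFFFFFC5, g=2, ys=0x1234567890ABCDEF)
    chosen, swapped = DHE_RSA_AES256_CBC_SHA, DHE_RSA_AES128_CBC_SHA
    ske_sig = sign(ske_signed_input(cr, sr, chosen, params))
    bound_sig = sign(bound_signed_input(cr, sr, chosen, params))
    # The client verifies against the suite it believes was negotiated.
    return {
        "ske_verifies_under_swapped_suite": verify(ske_signed_input(cr, sr, swapped, params), ske_sig),
        "bound_verifies_under_chosen_suite": verify(bound_signed_input(cr, sr, chosen, params), bound_sig),
        "bound_verifies_under_swapped_suite": verify(bound_signed_input(cr, sr, swapped, params), bound_sig),
    }
```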