Hi, I went through all the entries in the Cipher Suites, Supported Groups, and Signature Scheme registries including TLS 1.2 entries and found several more entries where the “Recommended” value should be downgraded and where the IANA downgrading is not currently done by RFC8447bis.
* rsa_pkcs1_sha1 and ecdsa_sha1 should be marked as discouraged.
* rsa_pkcs1_sha256_legacy, rsa_pkcs1_sha384_legacy, and rsa_pkcs1_sha512_legacy, which enable RSASSA-PKCS1-v1_5 in signed TLS 1.3 handshake messages, should be marked as discouraged.
* In addition to ffdhe2048 there are a lot of TLS 1.2 groups (secp160k1, secp160r1, secp160r2, sect163k1, sect163r1, sect163r2, secp192k1, secp192r1, sect193r1, sect193r2, secp224k1, secp224r1, sect233k1, sect233r1, and sect239k1) with less than 128-bit security that should be marked as discouraged. For some reason there seems to be a common misunderstanding on requirements on 112-bit security. NIST and ANSSI only allow < 128-bit security if the application data does not have to be protected after 2030.
* RFC 9113 and draft-ietf-tls-deprecate-obsolete-kex list a lot of TLS 1.2 cipher suites like TLS_RSA_WITH_NULL_MD5 that should be marked as discouraged.

This document is now very much related to RFC8447bis and draft-ietf-tls-deprecate-obsolete-kex.

Cheers,
John

From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Date: Thursday, 19 January 2023 at 19:43
To: John Mattsson <john.matts...@ericsson.com>, John Mattsson <john.matts...@ericsson.com>
Subject: New Version Notification for draft-mattsson-tls-psk-ke-dont-dont-dont-05.txt

A new version of I-D, draft-mattsson-tls-psk-ke-dont-dont-dont-05.txt has been successfully submitted by John Preuß Mattsson and posted to the IETF repository.
Name: draft-mattsson-tls-psk-ke-dont-dont-dont
Revision: 05
Title: NULL Encryption and Key Exchange Without Forward Secrecy are Discouraged
Document date: 2023-01-19
Group: Individual Submission
Pages: 16
URL: https://www.ietf.org/archive/id/draft-mattsson-tls-psk-ke-dont-dont-dont-05.txt
Status: https://datatracker.ietf.org/doc/draft-mattsson-tls-psk-ke-dont-dont-dont/
Html: https://www.ietf.org/archive/id/draft-mattsson-tls-psk-ke-dont-dont-dont-05.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-mattsson-tls-psk-ke-dont-dont-dont
Diff: https://author-tools.ietf.org/iddiff?url2=draft-mattsson-tls-psk-ke-dont-dont-dont-05

Abstract:
Massive pervasive monitoring attacks using key exfiltration and made possible by key exchange without forward secrecy have been reported. If key exchange without Diffie-Hellman is used, static exfiltration of the long-term authentication keys enables passive attackers to compromise all past and future connections. Malicious actors can get access to long-term keys in different ways: physical attacks, hacking, social engineering attacks, espionage, or by simply demanding access to keying material with or without a court order. Exfiltration attacks are a major cybersecurity threat. If NULL encryption is used an on-path attacker can read all application data. The use of psk_ke and NULL encryption are not following zero trust principles of minimizing the impact of breach and governments have already made deadlines for their deprecation. This document evaluates TLS pre-shared key exchange modes, (EC)DHE groups, signature algorithms, and cipher suites and downgrades many entries to "N" and "D" where "D" indicates that the entries are "Discouraged".

The IETF Secretariat
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
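The mail's argument that many TLS 1.2 groups fall below 128-bit security, and that 112-bit strength is only acceptable for data that need not stay protected after 2030, can be turned into a configuration audit. The following is an added example, not code from the mail or the draft: it estimates the security strength of each name in a supported_groups list (half the field size for elliptic curves, an assumed NIST SP 800-57 table for ffdhe groups) and flags the ones below the chosen floor.

```python
import re
from typing import List, Optional, Tuple

# Finite-field DH strength by modulus size, assumed from the NIST SP 800-57
# Part 1 comparable-strength table (2048 -> 112 bits, 3072 -> 128 bits, ...).
FFDHE_STRENGTH = {2048: 112, 3072: 128, 4096: 152, 6144: 176, 8192: 200}
# Curves whose strength cannot be read off the group name.
FIXED_STRENGTH = {"x25519": 128, "x448": 224}


def estimated_strength(group: str) -> Optional[int]:
    """Estimate the security strength (bits) of a TLS supported-group name.

    Elliptic curves resist the best generic attacks at roughly half their
    field size, so secp160k1 -> 80 bits and secp256r1 -> 128 bits.
    Returns None for names this helper does not recognise.
    """
    if group in FIXED_STRENGTH:
        return FIXED_STRENGTH[group]
    m = re.fullmatch(r"ffdhe(\d+)", group)
    if m:
        return FFDHE_STRENGTH.get(int(m.group(1)))
    m = re.fullmatch(r"(?:secp|sect|brainpoolP)(\d+)[rkt]\d(?:tls13)?", group)
    if m:
        return int(m.group(1)) // 2
    return None


def audit_groups(groups: List[str],
                 protect_after_2030: bool = True) -> List[Tuple[str, Optional[int]]]:
    """Return the offered groups that fall below the required strength.

    Per the mail, NIST and ANSSI accept 112-bit strength only when the
    application data need not be protected after 2030; otherwise the floor
    is 128 bits. Unrecognised groups are reported with None rather than
    silently accepted.
    """
    floor = 128 if protect_after_2030 else 112
    weak = []
    for g in groups:
        s = estimated_strength(g)
        if s is None or s < floor:
            weak.append((g, s))
    return weak


if __name__ == "__main__":
    # Constructed sample: a supported_groups list as a server might advertise it.
    offered = ["x25519", "secp256r1", "ffdhe2048", "secp224r1", "sect163k1"]
    for name, bits in audit_groups(offered):
        print(f"{name}: ~{bits}-bit security, below the 128-bit floor")
```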