Presentation is loading. Please wait.

Presentation is loading. Please wait.

TLS 1.2 and NIST SP 800-56A Tim Polk November 10, 2006.

Published byDarleen Brittany Williams Modified over 8 years ago

Similar presentations

Presentation on theme: "TLS 1.2 and NIST SP 800-56A Tim Polk November 10, 2006."— Presentation transcript:

1 TLS 1.2 and NIST SP 800-56A Tim Polk November 10, 2006

2 Acknowledgements The bulk of the analysis was performed by Ray Perlner at NIST Reviewed -01 draft

3 Background NIST publishes cryptographic standards and specifications –Agencies protecting unclassified data with cryptography need to use Approved algorithms Based on FIPS 140, FISMA, etc.. –Exception: where no Approved algorithms exist, agencies can select any algorithm CMVP may impose additional constraints

4 FIPS 140 Implementation Guidance, 12/2005 “The following protocols are acceptable for use in the FIPS mode to establish keys to be used for encryption and decryption:” –SSL v3.1 –TLS and EAP-TLS –IPSEC –SSH v2

5 NIST 800-56A, Key Establishment Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography –Published March, 2006 Specifies key derivation function(s) –Basically, one kdf with two input formatting variants (ASN.1 and concatenated values)

6 800-56A KDF Overview.. Generate keying material with a hash function from the shared secret and… –Cryptographic algorithm(s) identifier –Identifiers for communicating parties –Nonces (required if keys are static) –Optional information from both parties The derived key material is bound to the complete communications context

7 Silence Was Golden Now that we specify a kdf… the FIPS 140 IG will be changing Current proposal: –Accept protocols with 800-56A KDF No such protocols exist –Review protocols that use non-conforming KDFs, accept with time limits TLS is proposed for acceptance through the end of 2010

8 Now That We’re Here… This is clearly a bad situation –The WG chair reviewed the 800-56A KDF and determined it isn’t a good fit for TLS –The AD requested that NIST reconsider the problem Could NIST accept the TLS kdf without an expiration date?

9 Analysis NIST could accept TLS 1.2 without an expiration date, with a few minor fixes Finished message binds the context to the communications channel effectively –Niche cases exist where these bindings might not be established

10 Certificate Hash Certificate hash needs to be mandatory –If the hash is not included with the client certificate URL, the finished message will not factor in the name associated with the key. Hash needs agility –The protocol mandates SHA-1, which is fine as a default, but there is no mechanism to specify a stronger algorithm.

11 Upgrade Security Guidance to Requirements TLS recommends mechanisms to protect against –Timing attacks (6.2.3.2, 7.4.9.1) –Bliechenbacher attack (7.4.9.1) Can TLS 1.2 upgrade these to MUST? Consider extending guidance for blinding to non-RSA key exchange algorithms?

12 Clarifications in Error Handling Need to clarify when alerts MUST be sent versus MAY be sent –Responses on list have been helpful; would like to see this information in the spec

13 Incremental Changes IVs –MUST use one of the specified IV generation techniques Certificate Handling, HMAC truncation –Should require explicit agreement DH –Recommend maintaining leading zeroes

14 Anonymous Diffie-Hellman Frankly, it makes us nervous. List traffic does not support expunging Anonymous DH –Need to ensure that Anonymous DH is only used with user agreement –Bodo Moeller has suggested text: http://www1.ietf.org/mail- archive/web/tls/current/msg00900.html

15 Further Information NIST 800-56A (see 5.8) –http://csrc.nist.gov/publications/nistpubs/80 0-56A/sp800-56A_May-3-06.pdfhttp://csrc.nist.gov/publications/nistpubs/80 0-56A/sp800-56A_May-3-06.pdf Personal draft with KDFs –http://www.ietf.org/internet-drafts/draft- dang-nistkdf-01.txthttp://www.ietf.org/internet-drafts/draft- dang-nistkdf-01.txt

16 Questions?

Download ppt "TLS 1.2 and NIST SP 800-56A Tim Polk November 10, 2006."

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P1619.3 April 11, 2007 Andrea Doherty.

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Cryptography and Network Security Chapter 16

Cryptography and Network Security Chapter 16
Web security: SSL and TLS

Web security: SSL and TLS
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)

Web Security (SSL / TLS)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Similar presentations

Ads by Google