
Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
draft-ietf-uta-tls-bcp-11

This is an older version of an Internet-Draft that was ultimately published as RFC 7525.
Authors: Yaron Sheffer, Ralph Holz, Peter Saint-Andre
Last updated: 2020-01-21 (latest revision 2015-02-20)
Replaces: draft-sheffer-tls-bcp
RFC stream: Internet Engineering Task Force (IETF)
Intended RFC status: Best Current Practice
WG state: Submitted to IESG for Publication
Document shepherd: Orit Levin (shepherd write-up last changed 2015-01-12)
IESG state: Became RFC 7525 (Best Current Practice)
Consensus boilerplate: Yes
Responsible AD: Stephen Farrell
IANA review state: Version Changed - Review Needed
IANA action state: No IANA Actions
Internet-Draft             TLS Recommendations             February 2015

   During IESG review, Richard Barnes, Alissa Cooper, Spencer Dawkins,
   Stephen Farrell, Barry Leiba, Kathleen Moriarty, and Pete Resnick
   provided comments that led to further improvements.

   The authors gratefully acknowledge the assistance of Leif Johansson
   and Orit Levin as the working group chairs and Pete Resnick as the
   sponsoring Area Director.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC3766]  Orman, H. and P. Hoffman, "Determining Strengths For
              Public Keys Used For Exchanging Symmetric Keys", BCP 86,
              RFC 3766, April 2004.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492, May 2006.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", RFC
              4949, August 2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              August 2008.

   [RFC5289]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with
              SHA-256/384 and AES Galois Counter Mode (GCM)", RFC 5289,
              August 2008.

   [RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
              "Transport Layer Security (TLS) Renegotiation Indication
              Extension", RFC 5746, February 2010.

   [RFC6066]  Eastlake, D., "Transport Layer Security (TLS) Extensions:
              Extension Definitions", RFC 6066, January 2011.

Sheffer, et al.          Expires August 24, 2015               [Page 20]

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [RFC6176]  Turner, S. and T. Polk, "Prohibiting Secure Sockets Layer
              (SSL) Version 2.0", RFC 6176, March 2011.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC7465]  Popov, A., "Prohibiting RC4 Cipher Suites", RFC 7465,
              February 2015.

9.2.  Informative References

   [BETTERCRYPTO]
              bettercrypto.org, "Applied Crypto Hardening", 2015,
              <https://bettercrypto.org/static/applied-crypto-
              hardening.pdf>.

   [CAB-Baseline]
              CA/Browser Forum, "Baseline Requirements for the Issuance
              and Management of Publicly-Trusted Certificates Version
              1.1.6", 2013, <https://www.cabforum.org/documents.html>.

   [DegabrieleP07]
              Degabriele, J. and K. Paterson, "Attacking the IPsec
              standards in encryption-only configurations", 2007,
              <http://dx.doi.org/10.1109/SP.2007.8>.

   [ECRYPT-II]
              Smart, N., "ECRYPT II Yearly Report on Algorithms and
              Keysizes (2011-2012)", 2012,
              <http://www.ecrypt.eu.org/documents/D.SPA.20.pdf>.

   [Heninger2012]
              Heninger, N., Durumeric, Z., Wustrow, E., and J.
              Halderman, "Mining Your Ps and Qs: Detection of Widespread
              Weak Keys in Network Devices", Usenix Security Symposium
              2012, 2012.

   [I-D.ietf-dane-smtp-with-dane]
              Dukhovni, V. and W. Hardaker, "SMTP security via
              opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-10
              (work in progress), May 2014.


   [I-D.ietf-dane-srv]
              Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
              Based Authentication of Named Entities (DANE) TLSA Records
              with SRV Records", draft-ietf-dane-srv-06 (work in
              progress), June 2014.

   [I-D.ietf-tls-downgrade-scsv]
              Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher
              Suite Value (SCSV) for Preventing Protocol Downgrade
              Attacks", draft-ietf-tls-downgrade-scsv-02 (work in
              progress), November 2014.

   [I-D.ietf-tls-session-hash]
              Bhargavan, K., Delignat-Lavaud, A., Pironti, A., Langley,
              A., and M. Ray, "Transport Layer Security (TLS) Session
              Hash and Extended Master Secret Extension", draft-ietf-
              tls-session-hash-03 (work in progress), November 2014.

   [I-D.ietf-tls-sslv3-diediedie]
              Barnes, R., Thomson, M., Pironti, A., and A. Langley,
              "Deprecating Secure Sockets Layer Version 3.0", draft-
              ietf-tls-sslv3-diediedie-00 (work in progress), December
              2014.

   [I-D.ietf-uta-xmpp]
              Saint-Andre, P. and T. Alkemade, "Use of Transport Layer
              Security (TLS) in the Extensible Messaging and Presence
              Protocol (XMPP)", draft-ietf-uta-xmpp-05 (work in
              progress), January 2015.

   [Kleinjung2010]
              Kleinjung, T., "Factorization of a 768-Bit RSA Modulus",
              CRYPTO 10, 2010, <https://eprint.iacr.org/2010/006.pdf>.

   [Krawczyk2001]
              Krawczyk, H., "The order of encryption and authentication
              for protecting communications (Or: how secure is SSL?)",
              CRYPTO 01, 2001, <https://eprint.iacr.org/2001/045.pdf>.

   [Multiple-Encryption]
              Merkle, R. and M. Hellman, "On the security of multiple
              encryption", Communications of the ACM 24, 1981,
              <http://dl.acm.org/citation.cfm?id=358718>.


   [NIST.SP.800-56A]
              Barker, E., Chen, L., Roginsky, A., and M. Smid,
              "Recommendation for Pair-Wise Key Establishment Schemes
              Using Discrete Logarithm Cryptography", NIST Special
              Publication 800-56A, 2013, <http://nvlpubs.nist.gov/
              nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf>.

   [POODLE]   Moeller, B., Duong, T., and K. Kotowicz, "This POODLE
              Bites: Exploiting the SSL 3.0 Fallback", 2014, <https://
              www.openssl.org/~bodo/ssl-poodle.pdf>.

   [PatersonRS11]
              Paterson, K., Ristenpart, T., and T. Shrimpton, "Tag size
              does matter: attacks and proofs for the TLS record
              protocol", 2011,
              <http://dx.doi.org/10.1007/978-3-642-25385-0_20>.

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC3602]  Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher
              Algorithm and Its Use with IPsec", RFC 3602, September
              2003.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346, April 2006.

   [RFC4347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security", RFC 4347, April 2006.

   [RFC5077]  Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
              "Transport Layer Security (TLS) Session Resumption without
              Server-Side State", RFC 5077, January 2008.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC6090]  McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
              Curve Cryptography Algorithms", RFC 6090, February 2011.

   [RFC6101]  Freier, A., Karlton, P., and P. Kocher, "The Secure
              Sockets Layer (SSL) Protocol Version 3.0", RFC 6101,
              August 2011.


   [RFC6120]  Saint-Andre, P., "Extensible Messaging and Presence
              Protocol (XMPP): Core", RFC 6120, March 2011.

   [RFC6460]  Salter, M. and R. Housley, "Suite B Profile for Transport
              Layer Security (TLS)", RFC 6460, January 2012.

   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
              of Named Entities (DANE) Transport Layer Security (TLS)
              Protocol: TLSA", RFC 6698, August 2012.

   [RFC6797]  Hodges, J., Jackson, C., and A. Barth, "HTTP Strict
              Transport Security (HSTS)", RFC 6797, November 2012.

   [RFC6960]  Santesson, S., Myers, M., Ankney, R., Malpani, A.,
              Galperin, S., and C. Adams, "X.509 Internet Public Key
              Infrastructure Online Certificate Status Protocol - OCSP",
              RFC 6960, June 2013.

   [RFC6961]  Pettersen, Y., "The Transport Layer Security (TLS)
              Multiple Certificate Status Request Extension", RFC 6961,
              June 2013.

   [RFC6989]  Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman
              Tests for the Internet Key Exchange Protocol Version 2
              (IKEv2)", RFC 6989, July 2013.

   [RFC7435]  Dukhovni, V., "Opportunistic Security: Some Protection
              Most of the Time", RFC 7435, December 2014.

   [RFC7457]  Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing
              Known Attacks on Transport Layer Security (TLS) and
              Datagram TLS (DTLS)", RFC 7457, February 2015.

   [Smith2013]
              Smith, B., "Proposal to Change the Default TLS
              Ciphersuites Offered by Browsers.", 2013, <https://
              briansmith.org/browser-ciphersuites-01.html>.

   [Soghoian2011]
              Soghoian, C. and S. Stamm, "Certified lies: Detecting and
              defeating government interception attacks against SSL.",
              Proc. 15th Int. Conf. Financial Cryptography and Data
              Security , 2011.


   [triple-handshake]
              Delignat-Lavaud, A., Bhargavan, K., and A. Pironti,
              "Triple Handshakes Considered Harmful: Breaking and Fixing
              Authentication over TLS", 2014, <https://secure-
              resumption.com/>.

Appendix A.  Change Log

   Note to RFC Editor: please remove this section before publication.

A.1.  draft-ietf-uta-tls-bcp-08

   o  More WGLC feedback.

   o  TLS 1.1 is now SHOULD NOT, just like TLS 1.0.

   o  SHOULD NOT use curves of less than 192 bits for ECDH.

   o  Clarification regarding OCSP and OCSP stapling.

A.2.  draft-ietf-uta-tls-bcp-07

   o  WGLC feedback.

A.3.  draft-ietf-uta-tls-bcp-06

   o  Undo unauthenticated TLS, following another long thread on the
      list.

A.4.  draft-ietf-uta-tls-bcp-05

   o  Lots of comments by Sean Turner.

   o  Unauthenticated TLS, following a long thread on the list.

A.5.  draft-ietf-uta-tls-bcp-04

   o  Some cleanup, and input from TLS WG discussion on applicability.

A.6.  draft-ietf-uta-tls-bcp-03

   o  Disallow truncated HMAC.

   o  Applicability to DTLS.

   o  Some more text restructuring.

   o  Host name validation is sometimes irrelevant.


   o  HSTS: MUST implement, SHOULD deploy.

   o  Session identities are not protected, only tickets are.

   o  Clarified the target audience.

A.7.  draft-ietf-uta-tls-bcp-02

   o  Rearranged some sections for clarity and re-styled the text so
      that normative text is followed by rationale where possible.

   o  Removed the recommendation to use Brainpool curves.

   o  Triple Handshake mitigation.

   o  MUST NOT negotiate algorithms lower than 112 bits of security.

   o  MUST implement SNI, but use per local policy.

   o  Changed SHOULD NOT negotiate or fall back to SSLv3 to MUST NOT.

   o  Added hostname validation.

   o  Non-normative discussion of DH exponent reuse.

A.8.  draft-ietf-tls-bcp-01

   o  Clarified that specific TLS-using protocols may have stricter
      requirements.

   o  Changed TLS 1.0 from MAY to SHOULD NOT.

   o  Added discussion of "optional TLS" and HSTS.

   o  Recommended use of the Signature Algorithm and Renegotiation Info
      extensions.

   o  Use of a strong cipher for a resumption ticket: changed SHOULD to
      MUST.

   o  Added an informational discussion of certificate revocation, but
      no recommendations.

A.9.  draft-ietf-tls-bcp-00

   o  Initial WG version, with only updated references.


A.10.  draft-sheffer-tls-bcp-02

   o  Reorganized the content to focus on recommendations.

   o  Moved description of attacks to a separate document (draft-
      sheffer-uta-tls-attacks).

   o  Strengthened recommendations regarding session resumption.

A.11.  draft-sheffer-tls-bcp-01

   o  Clarified our motivation in the introduction.

   o  Added a section justifying the need for forward secrecy.

   o  Added recommendations for RSA and DH parameter lengths.  Moved
      from DHE to ECDHE, with a discussion on whether/when DHE is
      appropriate.

   o  Recommendation to avoid fallback to SSLv3.

   o  Initial information about browser support - more still needed!

   o  More clarity on compression.

   o  Client can offer stronger cipher suites.

   o  Discussion of the regular TLS mandatory cipher suite.

A.12.  draft-sheffer-tls-bcp-00

   o  Initial version.
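
   The change log above records the normative outcomes of the draft's
   evolution (SSLv3 MUST NOT, TLS 1.0 and 1.1 SHOULD NOT, no algorithm
   below 112 bits of security, ECDH curves below 192 bits SHOULD NOT,
   truncated HMAC disallowed, renegotiation_info and SNI required, a
   strong cipher for resumption tickets, HSTS implemented and deployed),
   alongside the RC4 prohibition of RFC 7465 and the SSLv2 prohibition
   of RFC 6176 in the normative references, and the published RFC's
   requirement that TLS 1.2 be supported.  The Python below is an added
   example, not part of the draft, that turns those items into a
   server-policy linter.  The policy dictionary layout, the rule names,
   the 2048-bit RSA/DH floor used as the conventional 112-bit
   equivalent, and the two sample policies are all assumptions
   constructed for this example.

```python
"""Policy linter for the TLS recommendations summarised in the change log.

Added example, not code from the draft.  The policy dict layout, rule
names and the 2048-bit RSA/DH floor are assumptions made for illustration.
"""
from dataclasses import dataclass

# Bulk-cipher strength in bits, keyed by the token after _WITH_ in an IANA
# suite name.  RC4 maps to 0 because RFC 7465 prohibits it outright.
BULK_STRENGTH = {
    "AES_256": 256, "AES_128": 128, "CAMELLIA_256": 256, "CAMELLIA_128": 128,
    "3DES_EDE": 112, "DES": 56, "RC4_128": 0, "RC2_CBC_40": 40, "NULL": 0,
}
# ECDH curve sizes for the RFC 4492 names recognised here (assumption: any
# other name is reported for manual review rather than guessed).
CURVE_BITS = {"secp160r1": 160, "secp192r1": 192, "secp224r1": 224,
              "secp256r1": 256, "secp384r1": 384, "secp521r1": 521}
MIN_SYMMETRIC_BITS = 112   # A.7: MUST NOT negotiate below 112 bits of security
MIN_CURVE_BITS = 192       # A.1: SHOULD NOT use ECDH curves below 192 bits
MIN_RSA_DH_BITS = 2048     # assumption: conventional 112-bit RSA/DH equivalent


@dataclass(frozen=True)
class Finding:
    level: str    # "MUST" (hard failure) or "SHOULD" (warning)
    rule: str
    detail: str


def bulk_strength(suite: str) -> int:
    """Return the bulk-cipher strength of an IANA suite name (unknown -> 0)."""
    if "_WITH_" not in suite:
        return 0
    bulk = suite.split("_WITH_", 1)[1]
    # Longest token first so a short cipher name cannot shadow a longer one.
    for token in sorted(BULK_STRENGTH, key=len, reverse=True):
        if bulk.startswith(token):
            return BULK_STRENGTH[token]
    return 0


def check_policy(policy: dict) -> list[Finding]:
    """Evaluate a server policy and return every rule it violates."""
    out: list[Finding] = []
    versions = set(policy.get("versions", ()))
    for v in ("SSLv2", "SSLv3"):          # RFC 6176 and change log A.7
        if v in versions:
            out.append(Finding("MUST", "no-" + v, f"{v} offered"))
    for v in ("TLSv1.0", "TLSv1.1"):      # change log A.8 and A.1
        if v in versions:
            out.append(Finding("SHOULD", "no-" + v, f"{v} offered"))
    if "TLSv1.2" not in versions:
        out.append(Finding("MUST", "offer-TLSv1.2", "TLS 1.2 not offered"))
    for suite in policy.get("cipher_suites", ()):
        if "RC4" in suite:                # RFC 7465
            out.append(Finding("MUST", "no-RC4", suite))
        elif bulk_strength(suite) < MIN_SYMMETRIC_BITS:
            out.append(Finding("MUST", "min-112-bit", suite))
    for curve in policy.get("curves", ()):
        bits = CURVE_BITS.get(curve)
        if bits is None:
            out.append(Finding("SHOULD", "review-curve", curve))
        elif bits < MIN_CURVE_BITS:
            out.append(Finding("SHOULD", "curve-min-192", f"{curve} ({bits} bits)"))
    for key in ("rsa_bits", "dh_bits"):   # change log A.11
        if policy.get(key, 0) < MIN_RSA_DH_BITS:
            out.append(Finding("MUST", f"{key}-min-{MIN_RSA_DH_BITS}", str(policy.get(key))))
    if policy.get("truncated_hmac"):      # change log A.6
        out.append(Finding("MUST", "no-truncated-HMAC", "extension enabled"))
    if not policy.get("renegotiation_info"):   # RFC 5746, change log A.8
        out.append(Finding("MUST", "renegotiation_info", "RFC 5746 extension missing"))
    if not policy.get("sni"):             # change log A.7
        out.append(Finding("MUST", "implement-SNI", "SNI not supported"))
    if policy.get("session_tickets") and policy.get("ticket_cipher_bits", 0) < MIN_SYMMETRIC_BITS:
        out.append(Finding("MUST", "ticket-cipher", f"{policy.get('ticket_cipher_bits')} bits"))
    if policy.get("https") and not policy.get("hsts"):   # change log A.6
        out.append(Finding("SHOULD", "deploy-HSTS", "HSTS header not sent"))
    return out


def must_failures(findings: list[Finding]) -> list[Finding]:
    """Filter findings down to the hard (MUST-level) failures."""
    return [f for f in findings if f.level == "MUST"]


# Constructed sample policies for the example; not real deployments.
LEGACY_POLICY = {
    "versions": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "cipher_suites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_DES_CBC_SHA",
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "curves": ["secp160r1", "secp256r1"],
    "rsa_bits": 1024, "dh_bits": 1024,
    "truncated_hmac": True, "renegotiation_info": False, "sni": True,
    "session_tickets": True, "ticket_cipher_bits": 56,
    "https": True, "hsts": False,
}
HARDENED_POLICY = {
    "versions": ["TLSv1.2"],
    "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
    "curves": ["secp256r1", "secp384r1"],
    "rsa_bits": 2048, "dh_bits": 2048,
    "truncated_hmac": False, "renegotiation_info": True, "sni": True,
    "session_tickets": True, "ticket_cipher_bits": 128,
    "https": True, "hsts": True,
}

if __name__ == "__main__":
    for name, pol in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        findings = check_policy(pol)
        musts = must_failures(findings)
        print(f"{name}: {len(musts)} MUST, {len(findings) - len(musts)} SHOULD")
        for f in findings:
            print(f"  [{f.level}] {f.rule}: {f.detail}")
```

   Running it reports eight MUST-level and three SHOULD-level findings
   for the legacy policy and none for the hardened one.  The MUST versus
   SHOULD split mirrors the change log: a MUST finding is a deployment
   blocker, a SHOULD finding is a warning to be justified in writing.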

Authors' Addresses

   Yaron Sheffer
   Intuit
   4 HaHarash St.
   Hod HaSharon  4524075
   Israel

   Email: yaronf.ietf@gmail.com


   Ralph Holz
   Technische Universitaet Muenchen
   Boltzmannstr. 3
   Garching  85748
   Germany

   Email: ralph.ietf@gmail.com

   Peter Saint-Andre
   &yet

   Email: peter@andyet.com
   URI:   https://andyet.com/
