Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
draft-ietf-uta-tls-bcp-11

The information below is for an old version of the document that is already published as an RFC. This is an older version of an Internet-Draft that was ultimately published as RFC 7525.

| Document | |
|---|---|
| Type | Internet-Draft (older version, published as RFC 7525) |
| Authors | Yaron Sheffer, Ralph Holz, Peter Saint-Andre |
| Last updated | 2020-01-21 (Latest revision 2015-02-20) |
| Replaces | draft-sheffer-tls-bcp |
| RFC stream | Internet Engineering Task Force (IETF) |
| Intended RFC status | Best Current Practice |
| Reviews | GENART Last Call review (of -08) by Robert Sparks: Ready w/nits |
| Additional resources | Mailing list discussion |
| Stream | WG state: Submitted to IESG for Publication |
| Document shepherd | Orit Levin |
| Shepherd write-up | Last changed 2015-01-12 |
| IESG | IESG state: Became RFC 7525 (Best Current Practice) |
| Action Holders | (None) |
| Consensus boilerplate | Yes |
| Telechat date | (None) |
| Responsible AD | Stephen Farrell |
| Send notices to | (None) |
| IANA | IANA review state: Version Changed - Review Needed |
| IANA action state | No IANA Actions |
Internet-Draft TLS Recommendations February 2015

During IESG review, Richard Barnes, Alissa Cooper, Spencer Dawkins, Stephen Farrell, Barry Leiba, Kathleen Moriarty, and Pete Resnick provided comments that led to further improvements. The authors gratefully acknowledge the assistance of Leif Johansson and Orit Levin as the working group chairs and Pete Resnick as the sponsoring Area Director.
Appendix A. Change Log

Note to RFC Editor: please remove this section before publication.

A.1. draft-ietf-uta-tls-bcp-08

o More WGLC feedback.
o TLS 1.1 is now SHOULD NOT, just like TLS 1.0.
o SHOULD NOT use curves of less than 192 bits for ECDH.
o Clarification regarding OCSP and OCSP stapling.

A.2. draft-ietf-uta-tls-bcp-07

o WGLC feedback.

A.3. draft-ietf-uta-tls-bcp-06

o Undo unauthenticated TLS, following another long thread on the list.

A.4. draft-ietf-uta-tls-bcp-05

o Lots of comments by Sean Turner.
o Unauthenticated TLS, following a long thread on the list.

A.5. draft-ietf-uta-tls-bcp-04

o Some cleanup, and input from TLS WG discussion on applicability.

A.6. draft-ietf-uta-tls-bcp-03

o Disallow truncated HMAC.
o Applicability to DTLS.
o Some more text restructuring.
o Host name validation is sometimes irrelevant.
o HSTS: MUST implement, SHOULD deploy.
o Session identities are not protected, only tickets are.
o Clarified the target audience.

A.7. draft-ietf-uta-tls-bcp-02

o Rearranged some sections for clarity and re-styled the text so that normative text is followed by rationale where possible.
o Removed the recommendation to use Brainpool curves.
o Triple Handshake mitigation.
o MUST NOT negotiate algorithms lower than 112 bits of security.
o MUST implement SNI, but use per local policy.
o Changed SHOULD NOT negotiate or fall back to SSLv3 to MUST NOT.
o Added hostname validation.
o Non-normative discussion of DH exponent reuse.

A.8. draft-ietf-tls-bcp-01

o Clarified that specific TLS-using protocols may have stricter requirements.
o Changed TLS 1.0 from MAY to SHOULD NOT.
o Added discussion of "optional TLS" and HSTS.
o Recommended use of the Signature Algorithm and Renegotiation Info extensions.
o Use of a strong cipher for a resumption ticket: changed SHOULD to MUST.
o Added an informational discussion of certificate revocation, but no recommendations.

A.9. draft-ietf-tls-bcp-00

o Initial WG version, with only updated references.

A.10. draft-sheffer-tls-bcp-02

o Reorganized the content to focus on recommendations.
o Moved description of attacks to a separate document (draft-sheffer-uta-tls-attacks).
o Strengthened recommendations regarding session resumption.

A.11. draft-sheffer-tls-bcp-01

o Clarified our motivation in the introduction.
o Added a section justifying the need for forward secrecy.
o Added recommendations for RSA and DH parameter lengths.
o Moved from DHE to ECDHE, with a discussion on whether/when DHE is appropriate.
o Recommendation to avoid fallback to SSLv3.
o Initial information about browser support - more still needed!
o More clarity on compression.
o Client can offer stronger cipher suites.
o Discussion of the regular TLS mandatory cipher suite.

A.12. draft-sheffer-tls-bcp-00

o Initial version.

Authors' Addresses

Yaron Sheffer
Intuit
4 HaHarash St.
Hod HaSharon 4524075
Israel
Email: yaronf.ietf@gmail.com

Ralph Holz
Technische Universitaet Muenchen
Boltzmannstr. 3
Garching 85748
Germany
Email: ralph.ietf@gmail.com

Peter Saint-Andre
&yet
Email: peter@andyet.com
URI: https://andyet.com/