The Inquirer-Home

IETF drops RSA key transport from TLS 1.3

Adopts different vehicles for Transport Layer Security
Tue May 06 2014, 09:51
RSA security division of EMC logo

THE INTERNET ENGINEERING TASK FORCE (IETF) has dropped RSA from TLS 1.3 in favour of a combined approach.

An email from the IETF had the subject line, "Confirming Consensus on removing RSA key Transport from TLS 1.3" and contained a short note. The note is signed off by Cisco's Joseph Salowey, who is chair of the IETF TLS working group, and is dated 26 Apri.

The note said that discussions within the IETF working group found that Transport Layer Security (TLS) system have included RSA code for some time. It explained that over the years confidence in RSA has been shaken, adding that the consensus decision is to remove it from TLS 1.3.

"TLS has had cipher suites based on RSA key transport (aka "static RSA", TLS_RSA_WITH_*) since the days of SSL 2.0. These cipher suites have several drawbacks including lack of PFS, pre-master secret contributed only by the client, and the general weakening of RSA over time," said the note.

"It would make the security analysis simpler to remove this option from TLS 1.3. RSA certificates would still be allowed, but the key establishment would be via DHE or ECDHE. The consensus in the room at IETF-89 was to remove RSA key transport from TLS 1.3. If you have concerns about this decision please respond on the TLS list by April 11, 2014."

Responses were sent, and there was a suggestion that this was a bold move, however the last few messages on the mailing list drove the decision forward. The last note added, "The discussion on this list and others supports the consensus in IETF 89 to remove RSA key transport cipher suites from TLS 1.3. The Editor is requested to make the appropriate changes to the draft on Github."

The IETF told the INQUIRER that the decision has no one direct reason behind it, but a collection.

"The choice to move away from RSA based key transport is done out of a desire for protocols that support perfect forward secrecy and are easier to analyse," said Salowey.

"There is no current plan or desire to remove cipher modes that use the RSA public key signing algorithms with ephemeral DIffie-Hellman (DHE) based key agreement that provides perfect forward secrecy. Snowden revelations have raised the awareness of the importance of security protocols, the need for good security analysis and the desire for protocols with better security properties."

The community has responded on Twitter, and among commentators the feeling is that the move is a good one. µ

 

 

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Coding challenges

Who’s responsible for software errors?