Enabling AES-192 ciphers, how to expose DHE-RSA-AES192-GCM-SHA384

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Enabling AES-192 ciphers, how to expose DHE-RSA-AES192-GCM-SHA384

Leonard den Ottolander
Hello,

Considering that AES-192 seems to be very resistant against related key
attacks (http://eprint.iacr.org/2009/317) and the algorithm is already
available in the openssl code I am trying to expose the AES-192
ciphers.

Attached is a patch against 1.0.1u (adapted from the version I created
against RHEL "1.0.1e hobbled") that tries to accomplish this for plain
and EDH ciphers. Once I get this to work I will continue by adding the
EECDH ciphers.

The patch seems to work for most parts, except from exposing the
AES192-GCM ciphers. When the self test is run (make -C test apps tests)
it chokes with a client error:

ERROR in CLIENT                                                                
140069906728640:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:502:
TLSv1.2, cipher (NONE) (NONE)
1 handshakes of 256 bytes done
Failed DHE-RSA-AES192-GCM-SHA384
make: *** [test_ssl] Error 1

The error occurs in ssl23_client_hello();

Note that the last hunk disables the testing of AES-192-GCM ciphers.
This is a hack to get the adapted RHEL srpm to build that should
eventually be removed. Time stamps on the files are also garbled as I
have not normalized the patch against a fresh tree yet. This is no
problem when applying it.

So my question is, could someone point me in the right direction on how
to expose the AES-192-GCM ciphers, i.e. what am I doing wrong that is
causing the client error?

Would the development team consider adding a patch exposing AES-192
ciphers in openssl once it's complete?

Thanks for your help.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research



--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

openssl-1.0.1u.aes192.patch (25K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Enabling AES-192 ciphers, how to expose DHE-RSA-AES192-GCM-SHA384

Viktor Dukhovni
On Mon, Jan 09, 2017 at 07:57:43PM +0100, Leonard den Ottolander wrote:

> Considering that AES-192 seems to be very resistant against related key
> attacks (http://eprint.iacr.org/2009/317) and the algorithm is already
> available in the openssl code I am trying to expose the AES-192
> ciphers.

There are no AES-192 ciphersuites in the IANA TLS registry:

    http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

so these cannot (interoperably) be used with TLS.

> +/* AES-192 */
> +    /* Cipher A8 */
> +    {
> +     0, /* not implemented (non-ephemeral DH) */
> +     TLS1_TXT_DH_DSS_WITH_AES_192_SHA256,
> +     TLS1_CK_DH_DSS_WITH_AES_192_SHA256,

That codepoint is: TLS_PSK_WITH_AES_128_GCM_SHA256

> +    /* Cipher A9 */
> +    {
> +     0, /* not implemented (non-ephemeral DH) */
> +     TLS1_TXT_DH_RSA_WITH_AES_192_SHA256,
> +     TLS1_CK_DH_RSA_WITH_AES_192_SHA256,

That codepoint is: TLS_PSK_WITH_AES_256_GCM_SHA384

> +    /* Cipher AA */
> +    {
> +     1,
> +     TLS1_TXT_DHE_DSS_WITH_AES_192_SHA256,
> +     TLS1_CK_DHE_DSS_WITH_AES_192_SHA256,

Another conflict.

> +    /* Cipher AB */
> +    {
> +     1,
> +     TLS1_TXT_DHE_RSA_WITH_AES_192_SHA256,
> +     TLS1_CK_DHE_RSA_WITH_AES_192_SHA256,

Another conflict...

--
        Viktor.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: Enabling AES-192 ciphers, how to expose DHE-RSA-AES192-GCM-SHA384

Leonard den Ottolander
Hello Viktor,

On Mon, 2017-01-09 at 19:25 +0000, Viktor Dukhovni wrote:
> There are no AES-192 ciphersuites in the IANA TLS registry:
>
>     http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
>
> so these cannot (interoperably) be used with TLS.

Right. I thought these reference IDs were only for internal use, but of
course that is not the case... Thanks for clearing that up.

Has anyone ever attempted to get such ciphers included in that IANA
list? It seems AES-192 is being treated rather stepmotherly in the
standards.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: Enabling AES-192 ciphers, how to expose DHE-RSA-AES192-GCM-SHA384

Salz, Rich
 
> Has anyone ever attempted to get such ciphers included in that IANA list? It
> seems AES-192 is being treated rather stepmotherly in the standards.

AES 192 has been discussed at various times in the IETF mailing lists (see CFRG and TLS for most likely places).  Here's one posting:
https://www.ietf.org/mail-archive/web/cfrg/current/msg04820.html

My short summary is that if 128 isn't good enough for you, use 256.  192 is a midpoint that only makes things more complicated by adding more options (and potentially increases the size of the clienthello message, which has had deployment problems with some platforms).
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: Enabling AES-192 ciphers, how to expose DHE-RSA-AES192-GCM-SHA384

Leonard den Ottolander
Hello Rich,

On Mon, 2017-01-09 at 19:52 +0000, Salz, Rich wrote:
> AES 192 has been discussed at various times in the IETF mailing lists
> (see CFRG and TLS for most likely places).  Here's one posting:
> https://www.ietf.org/mail-archive/web/cfrg/current/msg04820.html
>
> My short summary is that if 128 isn't good enough for you, use 256.
> 192 is a midpoint that only makes things more complicated by adding
> more options (and potentially increases the size of the clienthello
> message, which has had deployment problems with some platforms).

Doesn't the fact that AES-192 seems to be more resistant against related
key attacks than AES-256 "in a world of 2^50 keys" count as an argument
for inclusion?

A related question, is the fact that AES-192 is more resistant to
related key attacks caused by the fact that it uses a key size that is
not an exponent of 2?

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: Enabling AES-192 ciphers, how to expose DHE-RSA-AES192-GCM-SHA384

Salz, Rich
> Doesn't the fact that AES-192 seems to be more resistant against related key
> attacks than AES-256 "in a world of 2^50 keys" count as an argument for
> inclusion?
>
> A related question, is the fact that AES-192 is more resistant to related key
> attacks caused by the fact that it uses a key size that is not an exponent of 2?


Take it up with the IETF folks; I was just summarizing why.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev