
Hi All,

As part of the OGSA Basic Security Profile (OGSA-BSP) discussion, I am sending a note to describe general guidelines for selecting ciphersuites with a list of proposed ciphersuites which are allowed to be used for a TLS/SSL connection and the available ciphersuites defined in the TLS and SSL specification.

The note is intended to be used for a discussion for selecting acceptable ciphersuites (or discouraged ciphersuites). Because the WS-I BSP has already selected RECOMMENDED ciphersuites, it is not needed to select our own RECOMMENDED ciphersuites additionally (IMO).

My proposal for the revision of the OGSA-BSP Secure Channel is
 - to add general guidelines for selecting ciphersuites described in the note as restrictions
 - to list discouraged ciphersuites from the TLS and SSL specifications in the Appendix.

Any comments are welcomed,

Takuya

8<------------- cut here ----------------------------------------
Sep. 05 Takuya Mori
"note: ciphersuites selection"

* general guidelines for ciphersuite selection

 - a ciphersuite with NULL cipher algorithm SHOULD not be used because it provides no confidentiality
 - a key exchange algorithm with 'anon' SHOULD not be used because it provides no authentication
 - a cipher algorithm with key length less than 64 bits SHOULD not be used because it is known to be insecure (it includes DES algorithm and RC4 algorithm with 40 bits key)
 - MD5 hash algorithm SHOULD not be used because it is known to be insecure

* proposed ciphersuites which are allowed to be used

The following is the list of the ciphersuites from the TLS and SSL specifications which are allowed to be used. All the other ciphersuites available in the TLS and SSL specification are discouraged to be used.

TLS_RSA_WITH_RC4_128_SHA             SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_IDEA_CBC_SHA            SSL_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA        SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA     SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA     SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Note: The name of a ciphersuite represents the cipher mechanisms
 - a Protocol Name (TLS or SSL) followed by
 - a Key Exchange Algorithm followed by
 - _WITH_ or _EXPORT_WITH_
 - a Cipher Algorithm followed by
 - a Hash Algorithm

* available ciphersuites from TLS and SSL specifications.

Note: The marks in the beginning of each line mean:
 R:  Recommended
 IS: InSecure algorithm or key length
 NE: No Encryption
 NA: No Authentication (Anonymous communication)

** ciphersuites defined in the TLS specification
(note: all the ciphersuites are identical with the counterparts in SSL but have different names)

----
NE    TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 };
NE    TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 };
IS    TLS_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x03 };
IS    TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };
R     TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };
IS    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x06 };
R     TLS_RSA_WITH_IDEA_CBC_SHA = { 0x00,0x07 };
IS    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x08 };
IS    TLS_RSA_WITH_DES_CBC_SHA = { 0x00,0x09 };
R     TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };
IS    TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0B };
IS    TLS_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };
R     TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };
IS    TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0E };
IS    TLS_DH_RSA_WITH_DES_CBC_SHA = { 0x00,0x0F };
R     TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };
IS    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x11 };
IS    TLS_DHE_DSS_WITH_DES_CBC_SHA = { 0x00,0x12 };
R     TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };
IS    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x14 };
IS    TLS_DHE_RSA_WITH_DES_CBC_SHA = { 0x00,0x15 };
R     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
NAIS  TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };
NA    TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };
NAIS  TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
NAIS  TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00,0x1A };
NA    TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };
----

o ciphersuites defined in the SSL specification.
(note: the first 27 ciphersuites are identical with the counterparts in TLS but have different names)
(note: SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA is not recommended because it is not widely used other than the U.S. Government and their Military.)

----
NE    SSL_RSA_WITH_NULL_MD5 = { 0x00,0x01 };
NE    SSL_RSA_WITH_NULL_SHA = { 0x00,0x02 };
IS    SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x03 };
IS    SSL_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };
R     SSL_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };
IS    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x06 };
R     SSL_RSA_WITH_IDEA_CBC_SHA = { 0x00,0x07 };
IS    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x08 };
IS    SSL_RSA_WITH_DES_CBC_SHA = { 0x00,0x09 };
R     SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };
IS    SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0B };
IS    SSL_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };
R     SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };
IS    SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0E };
IS    SSL_DH_RSA_WITH_DES_CBC_SHA = { 0x00,0x0F };
R     SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };
IS    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x11 };
IS    SSL_DHE_DSS_WITH_DES_CBC_SHA = { 0x00,0x12 };
R     SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };
IS    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x14 };
IS    SSL_DHE_RSA_WITH_DES_CBC_SHA = { 0x00,0x15 };
R     SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
NAIS  SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };
NA    SSL_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };
NAIS  SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
NAIS  SSL_DH_anon_WITH_DES_CBC_SHA = { 0x00,0x1A };
NAIS  SSL_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };
NE    SSL_FORTEZZA_DMS_WITH_NULL_SHA = { 0X00,0X1C };
      SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = { 0x00,0x1D };
----

* RECOMMENDED ciphersuites defined in the WS-I BSP.

The following is the RECOMMENDED ciphersuites:

for TLS-capable implementations
 - TLS_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_FIPS_WITH_AES_128_CBC_SHA

for SSL-capable implementations
 - SSL_RSA_WITH_AES_128_CBC_SHA or SSL_RSA_FIPS_WITH_AES_128_CBC_SHA

(Actually, these ciphersuites are not from the TLS or SSL specifications but from other specifications including RFC-3268, "Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)".)

EOT
8<------------- cut here ----------------------------------------

----
Takuya Mori
moritaku@bx.jp.nec.com / tk-mori@isd.nec.co.jp
System Platform Software Development Division
NEC Corporation, Tokyo Japan
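
Added example (not part of the original message or of any OGSA or WS-I document): a Python sketch that splits a ciphersuite name using the naming scheme in the note and applies the note's four guidelines mechanically. The key-length table and the UNKNOWN result for ciphers outside it are assumptions of this example; it reports every guideline a suite violates, so a suite such as TLS_DH_anon_WITH_RC4_128_MD5 gets both NA and IS where the note's table shows one mark.

```python
import re

# Key lengths in bits for the cipher algorithms named in the note's tables
# (assumption of this example; FORTEZZA_CBC is deliberately left out).
KEY_BITS = {
    "NULL": 0, "RC4_40": 40, "RC2_CBC_40": 40, "DES40_CBC": 40,
    "DES_CBC": 56, "RC4_128": 128, "IDEA_CBC": 128,
    "AES_128_CBC": 128, "3DES_EDE_CBC": 168,
}

# <protocol>_<key exchange>[_EXPORT]_WITH_<cipher>_<hash>
NAME_RE = re.compile(r"^(TLS|SSL)_(.+?)(_EXPORT)?_WITH_(.+)_(MD5|SHA)$")

def parse(name):
    """Split a ciphersuite name into the parts listed in the note."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a TLS/SSL ciphersuite name: {name!r}")
    protocol, kx, export, cipher, digest = m.groups()
    return {"protocol": protocol, "key_exchange": kx,
            "export": export is not None, "cipher": cipher, "hash": digest}

def violations(name):
    """Return the note's marks (NE, NA, IS) for every guideline violated."""
    suite = parse(name)
    marks = []
    if suite["cipher"] == "NULL":
        marks.append("NE")                      # no confidentiality
    if suite["key_exchange"].endswith("anon"):
        marks.append("NA")                      # no authentication
    bits = KEY_BITS.get(suite["cipher"])
    if bits is None:
        marks.append("UNKNOWN")                 # fail closed on unlisted ciphers
    elif 0 < bits < 64:
        marks.append("IS")                      # key shorter than 64 bits
    if suite["hash"] == "MD5" and "IS" not in marks:
        marks.append("IS")                      # MD5 hash
    return marks

def filter_allowed(offered):
    """Keep, in order, only the suites that violate no guideline."""
    return [name for name in offered if not violations(name)]

if __name__ == "__main__":
    # Constructed sample list, not taken from a real handshake.
    offered = ["TLS_RSA_WITH_NULL_SHA", "TLS_DH_anon_WITH_RC4_128_MD5",
               "TLS_RSA_WITH_DES_CBC_SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"]
    for name in offered:
        print(name, violations(name) or "allowed")
```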