| draft-ietf-tls-oldversions-deprecate-04.txt | draft-ietf-tls-oldversions-deprecate-05.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force K. Moriarty | Internet Engineering Task Force K. Moriarty | |||
| Internet-Draft Dell EMC | Internet-Draft Dell EMC | |||
| Updates: 8465 8422 8261 7568 7562 7525 S. Farrell | Updates: 8465 8422 8261 7568 7562 7525 S. Farrell | |||
| 7507 7465 7030 6750 6749 6739 Trinity College Dublin | 7507 7465 7030 6750 6749 6739 Trinity College Dublin | |||
| 6460 6084 6083 6367 6347 6176 May 10, 2019 | 6460 6084 6083 6367 6347 6176 June 20, 2019 | |||
| 6042 6012 5878 5734 5469 5456 | 6042 6012 5878 5734 5469 5456 | |||
| 5422 5415 5364 5281 5263 5238 | 5422 5415 5364 5281 5263 5238 | |||
| 5216 5158 5091 5054 5049 5024 | 5216 5158 5091 5054 5049 5024 | |||
| 5023 5019 5018 4992 4976 4975 | 5023 5019 5018 4992 4976 4975 | |||
| 4964 4851 4823 4791 4785 4744 | 4964 4851 4823 4791 4785 4744 | |||
| 4743 4732 4712 4681 4680 4642 | 4743 4732 4712 4681 4680 4642 | |||
| 4616 4582 4540 4531 4513 4497 | 4616 4582 4540 4531 4513 4497 | |||
| 4279 4261 4235 4217 4168 4162 | 4279 4261 4235 4217 4168 4162 | |||
| 4111 4097 3983 3943 3903 3887 | 4111 4097 3983 3943 3903 3887 | |||
| 3871 3856 3767 3749 3656 3568 | 3871 3856 3767 3749 3656 3568 | |||
| 3552 3501 3470 3436 3329 3261 | 3552 3501 3470 3436 3329 3261 | |||
| (if approved) | (if approved) | |||
| Intended status: Best Current Practice | Intended status: Best Current Practice | |||
| Expires: November 11, 2019 | Expires: December 22, 2019 | |||
| Deprecating TLSv1.0 and TLSv1.1 | Deprecating TLSv1.0 and TLSv1.1 | |||
| draft-ietf-tls-oldversions-deprecate-04 | draft-ietf-tls-oldversions-deprecate-05 | |||
| Abstract | Abstract | |||
| This document, if approved, formally deprecates Transport Layer | This document, if approved, formally deprecates Transport Layer | |||
| Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves | Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves | |||
| these documents to the historic state. These versions lack support | these documents to the historic state. These versions lack support | |||
| for current and recommended cipher suites, and various government and | for current and recommended cipher suites, and various government and | |||
| industry profiles of applications using TLS now mandate avoiding | industry profiles of applications using TLS now mandate avoiding | |||
| these old TLS versions. TLSv1.2 has been the recommended version for | these old TLS versions. TLSv1.2 has been the recommended version for | |||
| IETF protocols since 2008, providing sufficient time to transition | IETF protocols since 2008, providing sufficient time to transition | |||
| skipping to change at page 2, line 20 ¶ | skipping to change at page 2, line 20 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 11, 2019. | This Internet-Draft will expire on December 22, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 4 | 1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 4 | 2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 . . . . . . . 5 | 3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 . . . . . . . 5 | |||
| 4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6 | 4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 6 | 5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Updates to RFC7525 . . . . . . . . . . . . . . . . . . . . . 7 | 6. Updates to RFC7525 . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 16 | 10.2. Informative References . . . . . . . . . . . . . . . . . 16 | |||
| Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 21 | Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 21 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 1. Introduction | 1. Introduction | |||
| Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1 | Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1 | |||
| [RFC4346] were superceded by TLSv1.2 [RFC5246] in 2008, which has now | [RFC4346] were superceded by TLSv1.2 [RFC5246] in 2008, which has now | |||
| itself been superceded by TLSv1.3 [RFC8446]. It is therefore timely | itself been superceded by TLSv1.3 [RFC8446]. It is therefore timely | |||
| to further deprecate these old versions. The expectation is that | to further deprecate these old versions. The expectation is that | |||
| TLSv1.2 will continue to be used for many years alongside TLSv1.3. | TLSv1.2 will continue to be used for many years alongside TLSv1.3. | |||
| TLSv1.1 and TLSv1.0 are also actively being deprecated in accordance | ||||
| with guidance from government agencies (e.g. NIST SP 80052r2 | ||||
| [NIST800-52r2]) and industry consortia such as the Payment Card | ||||
| Industry Association (PCI) [PCI-TLS1]. | ||||
| 3GPP have deprecated TLSv1.0 and DTLSv1.0 since their release-14 in | ||||
| 2016. [TGPP33310] | ||||
| The primary technical reasons for deprecating these versions include: | The primary technical reasons for deprecating these versions include: | |||
| o They require implementation of older cipher suites that are no | o They require implementation of older cipher suites that are no | |||
| longer desirable for cryptographic reasons, e.g. TLSv1.0 makes | longer desirable for cryptographic reasons, e.g. TLSv1.0 makes | |||
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory to implement | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory to implement | |||
| o Lack of support for current recommended cipher suites, especially | o Lack of support for current recommended cipher suites, especially | |||
| using AEAD ciphers which are not supported prior to TLSv1.2. | using AEAD ciphers which are not supported prior to TLSv1.2. | |||
| Note: registry entries for no-longer-desirable ciphersuites remain | Note: registry entries for no-longer-desirable ciphersuites remain | |||
| in the registries, but many TLS registries are being updated | in the registries, but many TLS registries are being updated | |||
| through [RFC8447] which denotes such entries as "not recommended." | through [RFC8447] which denotes such entries as "not recommended." | |||
| skipping to change at page 5, line 41 ¶ | skipping to change at page 5, line 29 ¶ | |||
| TLS 1.3, specified in TLSv1.3 [RFC8446], represents a significant | TLS 1.3, specified in TLSv1.3 [RFC8446], represents a significant | |||
| change to TLS that aims to address threats that have arisen over | change to TLS that aims to address threats that have arisen over | |||
| the years. Among the changes are a new handshake protocol, a new | the years. Among the changes are a new handshake protocol, a new | |||
| key derivation process that uses the HMAC-based Extract-and-Expand | key derivation process that uses the HMAC-based Extract-and-Expand | |||
| Key Derivation Function (HKDF), and the removal of cipher suites | Key Derivation Function (HKDF), and the removal of cipher suites | |||
| that use static RSA or DH key exchanges, the CBC mode of | that use static RSA or DH key exchanges, the CBC mode of | |||
| operation, or SHA-1. The list of extensions that can be used with | operation, or SHA-1. The list of extensions that can be used with | |||
| TLS 1.3 has been reduced considerably. | TLS 1.3 has been reduced considerably. | |||
| The German Federal Office for Information Security, recommends | ||||
| against use of TLS versions less than 1.2 in the publication | ||||
| Cryptographic Mechanisms: Recommendations and Key Lengths | ||||
| [TR-02102-2]. | ||||
| 3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 | 3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 | |||
| The integrity of both TLSv1.0 and TLSv1.1 depends on a running SHA-1 | The integrity of both TLSv1.0 and TLSv1.1 depends on a running SHA-1 | |||
| hash of the exchanged messages. This makes it possible to perform a | hash of the exchanged messages. This makes it possible to perform a | |||
| downgrade attack on the handshake by an attacker able to perform 2^77 | downgrade attack on the handshake by an attacker able to perform 2^77 | |||
| operations, well below the acceptable modern security margin. | operations, well below the acceptable modern security margin. | |||
| Similarly, the authentication of the handshake depends on signatures | Similarly, the authentication of the handshake depends on signatures | |||
| made using SHA-1 hash or a not stronger concatenation of MD-5 and | made using SHA-1 hash or a not stronger concatenation of MD-5 and | |||
| SHA-1 hashes, allowing the attacker to impersonate a server when it | SHA-1 hashes, allowing the attacker to impersonate a server when it | |||
| skipping to change at page 17, line 5 ¶ | skipping to change at page 17, line 5 ¶ | |||
| <https://www.rfc-editor.org/info/rfc8465>. | <https://www.rfc-editor.org/info/rfc8465>. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [Bhargavan2016] | [Bhargavan2016] | |||
| Bhargavan, K. and G. Leuren, "Transcript Collision | Bhargavan, K. and G. Leuren, "Transcript Collision | |||
| Attacks: Breaking Authentication in TLS, IKE, and SSH | Attacks: Breaking Authentication in TLS, IKE, and SSH | |||
| https://www.mitls.org/downloads/ | https://www.mitls.org/downloads/ | |||
| transcript-collisions.pdf", 2016. | transcript-collisions.pdf", 2016. | |||
| [Canada] Treasury Board of Canada Secretariat, "Implementing HTTPS | ||||
| for Secure Web Connections: Information Technology Policy | ||||
| Implementation Notice (ITPIN)", June 2018, | ||||
| <https://www.canada.ca/en/treasury-board- | ||||
| secretariat/services/information-technology/ | ||||
| policy-implementation-notices/ | ||||
| implementing-https-secure-web-connections-itpin.html>. | ||||
| [NIST800-52r2] | [NIST800-52r2] | |||
| National Institute of Standards and Technology, "NIST | National Institute of Standards and Technology, "NIST | |||
| SP800-52r2 https://csrc.nist.gov/CSRC/media/Publications/ | SP800-52r2 https://csrc.nist.gov/CSRC/media/Publications/ | |||
| sp/800-52/rev-2/draft/documents/sp800-52r2-draft.pdf", | sp/800-52/rev-2/draft/documents/sp800-52r2-draft.pdf", | |||
| 2018. | 2018. | |||
| [PCI-TLS1] | ||||
| PCI Security Standards Council, "Migrating from SSL and | ||||
| Early TLS https://www.pcisecuritystandards.org/documents/ | ||||
| Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf", 2016. | ||||
| [RFC3316] Arkko, J., Kuijpers, G., Soliman, H., Loughney, J., and J. | [RFC3316] Arkko, J., Kuijpers, G., Soliman, H., Loughney, J., and J. | |||
| Wiljakka, "Internet Protocol Version 6 (IPv6) for Some | Wiljakka, "Internet Protocol Version 6 (IPv6) for Some | |||
| Second and Third Generation Cellular Hosts", RFC 3316, | Second and Third Generation Cellular Hosts", RFC 3316, | |||
| DOI 10.17487/RFC3316, April 2003, | DOI 10.17487/RFC3316, April 2003, | |||
| <https://www.rfc-editor.org/info/rfc3316>. | <https://www.rfc-editor.org/info/rfc3316>. | |||
| [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, | [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, | |||
| "STUN - Simple Traversal of User Datagram Protocol (UDP) | "STUN - Simple Traversal of User Datagram Protocol (UDP) | |||
| Through Network Address Translators (NATs)", RFC 3489, | Through Network Address Translators (NATs)", RFC 3489, | |||
| DOI 10.17487/RFC3489, March 2003, | DOI 10.17487/RFC3489, March 2003, | |||
| skipping to change at page 20, line 32 ¶ | skipping to change at page 21, line 5 ¶ | |||
| 2017, <https://www.rfc-editor.org/info/rfc8261>. | 2017, <https://www.rfc-editor.org/info/rfc8261>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS | [RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS | |||
| and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8447>. | <https://www.rfc-editor.org/info/rfc8447>. | |||
| [TGPP33310] | ||||
| 3GPP, "TS 33.310 - Network Domain Security (NDS); | ||||
| Authentication Framework (AF)", 2016. | ||||
| [TR-02102-2] | ||||
| The German Federal Office for Information Security https:/ | ||||
| /www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ | ||||
| TechGuidelines/TG02102/BSI-TR-02102-2.pdf, "Technical | ||||
| Guideline TR-02102-2 Cryptographic Mechanisms: | ||||
| Recommendations and Key Lengths", 2019. | ||||
| Appendix A. Change Log | Appendix A. Change Log | |||
| [[RFC editor: please remove this before publication.]] | [[RFC editor: please remove this before publication.]] | |||
| From draft-ietf-tls-oldversions-deprecate-04 to draft-ietf-tls- | ||||
| oldversions-deprecate-05: | ||||
| o Removed references to goverment related deprecation statements: | ||||
| US, Canada, and Germany. NIST documentation rationale remains as | ||||
| a reference describing the relevent RFCs and justification. | ||||
| From draft-ietf-tls-oldversions-deprecate-02 to draft-ietf-tls- | From draft-ietf-tls-oldversions-deprecate-02 to draft-ietf-tls- | |||
| oldversions-deprecate-03: | oldversions-deprecate-03: | |||
| o Added 8261 to updates list based on IETF-104 meeting. | o Added 8261 to updates list based on IETF-104 meeting. | |||
| From draft-ietf-tls-oldversions-deprecate-01 to draft-ietf-tls- | From draft-ietf-tls-oldversions-deprecate-01 to draft-ietf-tls- | |||
| oldversions-deprecate-02: | oldversions-deprecate-02: | |||
| o Correction: 2nd list of referenced RFCs in Section 1.1 aren't | o Correction: 2nd list of referenced RFCs in Section 1.1 aren't | |||
| informatively refering to tls1.0/1.1 | informatively refering to tls1.0/1.1 | |||
| End of changes. 12 change blocks. | ||||
| 43 lines changed or deleted | 13 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||