rustls-rustcrypto

Missing Algorithms / Cipher Suites

Open pinkforest opened this issue 2 years ago • 9 comments

TBD - Just putting this up and working up what peeps may want

Assuming upstreamed impl:

  • https://github.com/stevefan1999-personal/rustls-provider-rustcrypto/blob/master/src/lib.rs#L37C2-L44C51

RFC/IANA

  • TLS 1.3 Mandatory - RFC 8446 s. 9.1 at https://www.rfc-editor.org/rfc/rfc8446#page-102
  • IANA TLS Parameters: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
  • Recommendations for TLS at https://datatracker.ietf.org/doc/html/rfc7525

Configurations

  • Mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table

TLS 1.3 - Cipher Suites

Cipher Suite                    RFC     Implemented
TLS_AES_128_GCM_SHA256          Must    ✔
TLS_AES_256_GCM_SHA384          Should  ✔
TLS_AES_128_CCM_SHA256          Should
TLS_CHACHA20_POLY1305_SHA256    Should  ✔
AEGIS ..                        -       ?

TLS 1.3 - Algorithms

Algorithm               RFC     Scope                               Implemented  Which Impl
rsa_pkcs1_sha256        Must    certificates                        ✔
rsa_pss_rsae_sha256     Must    CertificateVerify and certificates  ✔
ecdsa_secp256r1_sha256  Must    CertificateVerify and certificates  ✔
secp256r1 (NIST P-256)  Must    Key Exchange                        ✔
X25519 (RFC7748)        Should  Key Exchange                        ✔
X448 (RFC8418)          draft   Key Exchange

TLS 1.2 - Cipher Suites

Cipher Suite                                   RFC          Implemented  Which Impl
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256                 ✔
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256               ✔
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256            Recommended  🤔
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256          Recommended  🤔
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384            Recommended  🤔
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384          Recommended  🤔

Browser Support

  • TLS1.3 https://caniuse.com/tls1-3

Stats

  • https://blog.apnic.net/2022/08/17/tls-1-3-a-story-of-experimentation-and-centralization/

pinkforest, Sep 15 '23 13:09

Re: TLS_DHE_* ciphersuites, we don't currently have an implementation of FFDH(E). I'm also not super enthusiastic about adding such support as it's effectively been obsoleted by the TLS_ECDHE_* ciphersuites.

tarcieri, Sep 19 '23 17:09
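As an added example (not code from rustls-rustcrypto or rustls, and not part of this thread), the following dependency-free Rust checker does mechanically what the tables in the issue do by hand: it compares an offered list of cipher suites, groups or signature schemes against the RFC 8446 section 9.1 mandatory-to-implement set, and separately flags any TLS 1.2 suite that cannot work without an FFDHE implementation, which is the point of the reply above. Codepoints are the IANA TLS Parameters values; RFC 8446 section 9.1 does not list TLS_AES_128_CCM_SHA256 at any level, so it is marked Optional here rather than Should. The `Level`, `Requirement` and `Gaps` names and the `parse_u16_vector`, `check` and `needs_ffdhe` functions are this example's own, and the wire bytes in `main` are constructed to mirror the suites the tables mark as implemented plus the two DHE suites marked undecided; they are not captured traffic.

```rust
// Added example, not rustls-rustcrypto code: audit an offered algorithm list
// against RFC 8446 §9.1 and flag suites that need finite-field DHE.

/// Requirement level from RFC 8446 §9.1 (Optional = not listed there).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Level {
    Must,
    Should,
    Optional,
}

pub struct Requirement {
    pub name: &'static str,
    pub codepoint: u16, // IANA TLS Parameters value
    pub level: Level,
}

/// TLS 1.3 cipher suites.
pub const TLS13_SUITES: &[Requirement] = &[
    Requirement { name: "TLS_AES_128_GCM_SHA256", codepoint: 0x1301, level: Level::Must },
    Requirement { name: "TLS_AES_256_GCM_SHA384", codepoint: 0x1302, level: Level::Should },
    Requirement { name: "TLS_CHACHA20_POLY1305_SHA256", codepoint: 0x1303, level: Level::Should },
    Requirement { name: "TLS_AES_128_CCM_SHA256", codepoint: 0x1304, level: Level::Optional },
];

/// Key-exchange groups (supported_groups extension).
pub const GROUPS: &[Requirement] = &[
    Requirement { name: "secp256r1", codepoint: 0x0017, level: Level::Must },
    Requirement { name: "x25519", codepoint: 0x001d, level: Level::Should },
    Requirement { name: "x448", codepoint: 0x001e, level: Level::Optional },
];

/// Signature schemes (signature_algorithms extension).
pub const SIG_SCHEMES: &[Requirement] = &[
    Requirement { name: "rsa_pkcs1_sha256", codepoint: 0x0401, level: Level::Must },
    Requirement { name: "rsa_pss_rsae_sha256", codepoint: 0x0804, level: Level::Must },
    Requirement { name: "ecdsa_secp256r1_sha256", codepoint: 0x0403, level: Level::Must },
];

/// TLS 1.2 suites whose key exchange is finite-field DHE.
pub const TLS12_FFDHE_SUITES: &[(u16, &str)] = &[
    (0x009e, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0x009f, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"),
];

/// Parse a TLS vector of u16 codepoints as it appears on the wire
/// (cipher_suites, named_group_list, supported_signature_algorithms):
/// a 2-byte big-endian length followed by that many bytes of 2-byte values.
pub fn parse_u16_vector(buf: &[u8]) -> Result<Vec<u16>, &'static str> {
    if buf.len() < 2 {
        return Err("truncated length prefix");
    }
    let len = u16::from_be_bytes([buf[0], buf[1]]) as usize;
    let body = buf.get(2..2 + len).ok_or("length exceeds buffer")?;
    if len % 2 != 0 {
        return Err("odd vector length");
    }
    Ok(body.chunks_exact(2).map(|c| u16::from_be_bytes([c[0], c[1]])).collect())
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct Gaps {
    pub missing_must: Vec<&'static str>,
    pub missing_should: Vec<&'static str>,
}

/// Report every MUST/SHOULD entry of `reqs` that `offered` does not contain.
pub fn check(offered: &[u16], reqs: &[Requirement]) -> Gaps {
    let mut gaps = Gaps::default();
    for r in reqs {
        if offered.contains(&r.codepoint) {
            continue;
        }
        match r.level {
            Level::Must => gaps.missing_must.push(r.name),
            Level::Should => gaps.missing_should.push(r.name),
            Level::Optional => {}
        }
    }
    gaps
}

/// Offered TLS 1.2 suites that cannot be negotiated without an FFDHE implementation.
pub fn needs_ffdhe(offered: &[u16]) -> Vec<&'static str> {
    TLS12_FFDHE_SUITES.iter().filter(|(cp, _)| offered.contains(cp)).map(|(_, n)| *n).collect()
}

fn main() {
    // Constructed ClientHello-style cipher_suites vector (not captured traffic):
    // the three implemented TLS 1.3 suites plus the two undecided DHE suites.
    let wire = [0x00, 0x0a, 0x13, 0x01, 0x13, 0x02, 0x13, 0x03, 0x00, 0x9e, 0x00, 0x9f];
    let suites = parse_u16_vector(&wire).expect("well-formed vector");
    println!("TLS 1.3 gaps: {:?}", check(&suites, TLS13_SUITES));
    println!("need FFDHE:   {:?}", needs_ffdhe(&suites));
    println!("group gaps:   {:?}", check(&[0x0017, 0x001d], GROUPS));
    println!("sig gaps:     {:?}", check(&[0x0401, 0x0804, 0x0403], SIG_SCHEMES));
}
```

The same `parse_u16_vector` works for the `supported_groups` and `signature_algorithms` extension bodies, since all three are two-byte-length vectors of two-byte values, so a practitioner can feed bytes cut from a ClientHello capture straight in and see which of the gaps in the tables above a given peer would actually notice.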

It would be nice to add the GOST cipher suite described in RFC 9367, though we currently do not have an implementation of the GOST curves (it should be relatively easy to add them based on the primeorder crate).

newpavlov, Sep 19 '23 17:09

> It would be nice to add the GOST cipher suite

But... why? It's not widely deployed, and not really meaningfully better than the widely deployed alternatives (though admittedly I am not up to date on the literature there).

ctz, Sep 26 '23 17:09

It's the same story as with FIPS: in some cases you don't have a choice but to use it (and BTW I do dislike the MGM mode, with its 127-bit nonces and lack of misuse resistance despite using two block cipher invocations per block). If someone is interested in implementing other regional standards, I think we should include them as well. Attracting such a captive audience could be quite useful for additional security audits of the whole stack, since they often have to pass through a rigorous certification process.

newpavlov, Sep 26 '23 18:09

Does anyone remember / know what happened at the IETF with getting OCB into TLS 1.3?

Like after draft-zauner-tls-aes-ocb-04, or https://mailarchive.ietf.org/arch/msg/tls/qZiGzQiePuURYTZrd3bHUFKrtD4/

I'm keen on getting AEGIS supported, given the CAESAR entry, some draft activity in the IETF, and implementations picking up:

  • https://eprint.iacr.org/2013/695.pdf
  • https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead/
  • https://github.com/jedisct1/draft-denis-tls-aegis

Frank wrote the portable C libaegis and the Zig AEGIS-..-X, which ended up in the Zig std; picotls has an implementation, BoringSSL has an experimental one, etc.

pinkforest, Mar 29 '24 19:03

I've recently asked about it. It's possible work might resume.

tarcieri, Mar 29 '24 19:03

When doing #66 it reminded me that OpenSSL has had Goldilocks / curve448 as a supported group since 2018, and it is in FIPS 186-5 / RFC 8418.

pinkforest, Apr 28 '24 14:04

There was some discussion of upstreaming an Ed448 implementation here: https://github.com/RustCrypto/elliptic-curves/issues/114#issuecomment-2054201295

tarcieri, May 03 '24 19:05

Frank has brought in Rust AEGIS here: https://github.com/jedisct1/rust-aegis

Would love to compose these things universally via cfgs coming together at the rustls-using binary, so I raised an issue:

  • https://github.com/jedisct1/rust-aegis/issues/5

Inspired by that, I raised an issue which calls for an overall configuration of the CryptoProvider, bringing it all together for the binary:

  • #79

pinkforest, Jun 26 '24 10:06