TLS 1.3 Working Group Has Consensus to Deprecate RSA Key Transport

RSA key transport cipher suites could be deprecated in TLS 1.3 in favor of Diffie-Hellman Exchange or Elliptic curve Diffie-Hellman.

The IETF working group responsible for the TLS 1.3 standard is closing in on a decision to remove RSA key transport cipher suites from the protocol.

Decades-old RSA-based handshakes don’t cut it anymore, according to experts, who are anxious to put a modern protocol in place, one that can fend off an intense commitment from cybercriminals and intelligence agencies to snoop and steal data. The consensus is to support Diffie-Hellman Exchange or Elliptic Curve Diffie-Hellman Exchange, both of which support perfect forward secrecy, which experts are urging developers and standards-bearers to instill as a default encryption technology in new applications and build-outs.

“In the past year there has been increasing concern over the security of internet communications,” said Joseph Salowey, co-chair of the TLS and EMU Working Group at IETF. “Perfect forward secrecy is a desirable characteristic in this environment.  In addition the community would like to simplify TLS and remove features that add complexity or may lead to security issues in the future.”

Perfect-forward secrecy is taking on growing importance as more calls surface to encrypt everything on the Web. Perfect Forward Secrecy ensures that private session keys securing an encrypted connection are random and if one is compromised, it cannot be used to compromise other messages sent in the past.

For now, the TLS working group has a general consensus to remote support for key transport based on an RSA static key, Salowey said. The current draft of TLS 1.3 is in its early stages, he said, with a caveat that the consensus could change.

“It’s important that RSA certificates can still be used for authenticating connections; it’s the key exchange based on RSA key transport that is under discussion,” Salowey said. “RSA certificates used with DHE and ECDHE key agreement will still be supported.  This is a move to try to simplify the TLS 1.3 protocol.

“Multiple modes of key establishment with significantly different security properties have made formal security analysis of TLS difficult,” Salowey said.

Scrutiny of the security and privacy of online communication and business transactions is at an all-time high. With the disclosure of the Heartbleed bug in OpenSSL and other Internet-wide vulnerabilities such as Apple’s GoToFail and the GnuTLS vulnerability, increased pressure is being put on large technology providers to secure their networks with encryption.

The Electronic Frontier Foundation’s Encrypt the Web initiative is a running checklist of prominent companies and their encryption capacities. Many such as Twitter, Tumblr, Google, Facebook and Dropbox already support perfect forward secrecy, while others such as LinkedIn, Microsoft and most recently Yahoo have announced plans for support sometime this year.

As for the switch to DHE or ECDHE, there are pros and cons to both.

“DHE and ECDHE provide a consistent key establishment framework based on Diffie-Hellman protocols which should make security analysis easier.  They also provide perfect forward secrecy,” Salowey said. “RSA key transport tends to be less computationally expensive than DHE.  ECDHE has much better performance than DHE so the performance is more comparable with RSA key transport. Almost all implementations support RSA key transport today, while only a subset support DHE or ECDHE.”

Salowey added that RSA key transport will not be deprecated for TLS 1.2 and earlier.

“In TLS 1.3 RSA certificates would still be usable so I don’t anticipate interoperability issues since existing certificates would be usable,” he said. “Implementations that negotiate TLS 1.3 would need to adhere to the spec and support DHE or ECDHE for key exchange.”

Suggested articles