Remove 3DES ciphersuites #4367
mpg added the enhancement, needs-design-approval, component-tls, mbedtls-3 and size-s (Estimated task size: small (~2d)) labels on Apr 19, 2021
chris-jones-arm changed the title from "Consider removing 3DES ciphesuites" to "Consider removing 3DES ciphersuites" on Apr 19, 2021
There has been no objection on the list, so I'm marking this as approved.
@TRodziewicz I disagree, there's no dependency between those two issues either way. This task only touches the SSL module and does not depend on any change in libmbedcrypto.
TRodziewicz removed the needs-preceding-pr (Requires another PR to be merged first) label on May 31, 2021
#4587 was merged
Context
When TLS 1.0 was standardized back in 1999, AES was not a standard yet (it was announced in 2001), so 3DES was one of the strongest options, recommended by NIST at that time. Until TLS 1.3, later versions of TLS automatically inherited ciphersuites from previous versions, so ciphersuites based on 3DES can still be negotiated with TLS 1.1 and (D)TLS 1.2.
However, from the start 3DES was limited by its block size of 64 bits, and in 2016 the Sweet32 attack made it clear that this limitation could be exploited in practice in several protocols including TLS, in settings where large amounts of data (a couple of hundred GB) are transmitted or the attacker can cause such large amounts to be transmitted.
As a result several standards bodies started deprecating uses of 3DES in various protocols. NIST (who standardized DES then 3DES) deprecated 3DES in 2017 and disallowed its use in TLS in 2019 (though that's only NIST's guidelines, formally TLS is standardized by the IETF, not NIST). The IETF also deprecated 3DES in other standards.
In all currently maintained branches of Mbed TLS (2.16 and 2.x), 3DES ciphersuites are currently available but hidden by default: that is, they won't be offered or accepted unless the application explicitly includes them in the list of ciphersuites to be negotiated. There is currently a config.h option that can be disabled to "unhide" those and negotiate them by default. That option will be removed in Mbed TLS 3.0, regardless of whether the following proposal is accepted or not.
Proposal
Remove support for 3DES ciphersuites entirely in Mbed TLS 3.0. There would be no way to use those ciphersuites, even by explicit request.
Note: this proposal is only about 3DES ciphersuites in TLS, not about the triple-DES primitive itself. That is to say, this proposal is not about mbedtls_des* functions.
Rationale
Security / best practices: 3DES has weaknesses/limitations and there are better alternatives, and more and more standards bodies are recommending against its use in TLS. There are much better alternatives.
Testing: since other implementations are also retiring 3DES suites, it becomes less and less convenient to perform interop testing with those ciphersuites. This cost does not seem justified as there are better and more secure alternatives.
Work to do
3DES ciphersuites from ssl_ciphersuites.c and ssl_ciphersuites.h
MBEDTLS_REMOVE_3DES_CIPHERSUITES and let the code be as if it was disabled (since there aren't any ciphersuites to filter out any more)
git grep _3DES_ should find no match except in the ChangeLog, and the CI should still pass.
Mailing-list discussion
https://lists.trustedfirmware.org/pipermail/mbed-tls/2021-April/000334.html
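To find peers that would be affected by the removal proposed above, one can count the 3DES ciphersuites offered in a captured TLS ClientHello. This is an added example, not code from the issue or from Mbed TLS; the code-point table (from the IANA registry), the function names and the sample bytes are constructed here, and DTLS and fragmented ClientHellos are out of scope.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA code points of the 3DES_EDE_CBC suites with RSA, DHE, ECDH(E) and
 * PSK key exchange (supplied for this example, not taken from the issue). */
static const uint16_t TDES_IDS[] = { 0x000A, 0x0016, 0x008B, 0x008F, 0x0093,
                                     0xC003, 0xC008, 0xC00D, 0xC012, 0xC034 };

/* Constructed sample: TLS 1.2 ClientHello offering 0xC02B, 0xC012, 0x000A. */
static const uint8_t SAMPLE[] = {
    0x16, 0x03, 0x01, 0x00, 0x31,           /* record: handshake, 49 bytes */
    0x01, 0x00, 0x00, 0x2D,                 /* ClientHello, 45-byte body   */
    0x03, 0x03,                             /* client_version              */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,       /* random (32 bytes, zeroed)   */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x00,                                   /* empty session_id            */
    0x00, 0x06, 0xC0, 0x2B, 0xC0, 0x12, 0x00, 0x0A,   /* cipher_suites     */
    0x01, 0x00                              /* compression_methods: null   */
};

static int is_3des(uint16_t id) {
    for (size_t i = 0; i < sizeof TDES_IDS / sizeof TDES_IDS[0]; i++)
        if (TDES_IDS[i] == id) return 1;
    return 0;
}

/* Number of 3DES suites offered in an unfragmented TLS (not DTLS)
 * ClientHello record, or -1 if the buffer is malformed or truncated. */
int count_3des_offered(const uint8_t *rec, size_t len) {
    if (len < 9 || rec[0] != 0x16 || rec[5] != 0x01) return -1;
    size_t rlen = ((size_t)rec[3] << 8) | rec[4];
    size_t body = ((size_t)rec[6] << 16) | ((size_t)rec[7] << 8) | rec[8];
    if (rlen > len - 5 || rlen < 4 || body > rlen - 4 || body < 35) return -1;
    const uint8_t *b = rec + 9;     /* version(2) random(32) sid_len(1) ... */
    size_t sid = b[34];
    if (sid > 32 || body - 35 < sid + 2) return -1;
    size_t p = 35 + sid, cs_len = ((size_t)b[p] << 8) | b[p + 1];
    p += 2;
    if (cs_len == 0 || cs_len % 2 || cs_len > body - p) return -1;
    int hits = 0;
    for (size_t i = 0; i < cs_len; i += 2)
        hits += is_3des((uint16_t)((b[p + i] << 8) | b[p + i + 1]));
    return hits;
}

int main(void) {
    printf("3DES suites offered: %d\n", count_3des_offered(SAMPLE, sizeof SAMPLE));
    return 0;
}
```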