Note that if we remove RSA-decryption cipher suites in TLS, we'll probably remove RSA PKCS#1v1.5 encryption/decryption from the crypto library. PKCS#1v1.5 decryption is strongly deprecated due to the difficulty of using it without side channels.
https://github.com/Mbed-TLS/mbedtls/issues/8459
We would retain PKCS#1v1.5 signature, PSS signature and OAEP encryption/decryption, which are not insecure the way v1.5 decryption is.
-- Gilles Peskine
On 29/05/2024 19:44, Gilles Peskine via mbed-tls wrote:
Hello,
This is a request for feedback about the next major release of Mbed TLS (Mbed TLS 4.0). (Mbed TLS 3.6 LTS will remain supported with its current feature set until at least Q2 2027.) Please reply to this thread or on the GitHub issue linked below. If you wish to leave feedback privately, you can reply privately and your feedback will be anonymized before sharing outside Arm.
https://github.com/Mbed-TLS/mbedtls/issues/8170
We are considering removing support for RSA and RSA-PSK key exchanges in Mbed TLS 4. These are cipher suites that use RSA encryption, as opposed to cipher suites using a key agreement (ECDHE) plus RSA signature. These key exchanges are hard to implement securely (we believe we got it right, but it's very delicate code), and they add significantly to the complexity of the TLS code. They have been formally deprecated for a long time and were removed in TLS 1.3. However, I'm aware that some ecosystems are clinging to RSA key exchange.
Are RSA-encryption key exchanges still relevant for Mbed TLS? If you want Mbed TLS 4 to keep supporting RSA-encryption cipher suites in TLS 1.2, please let us know and tell us about your use cases.
Best regards,
mbed-tls@lists.trustedfirmware.org
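The "very delicate code" the note refers to is the server-side handling of an RSA-encrypted premaster secret: after the raw RSA operation, PKCS#1 v1.5 unpadding and the TLS version check must not leak, through timing or error type, whether they succeeded, or a Bleichenbacher-style oracle results. The following is an added illustration of that countermeasure (RFC 5246 section 7.4.7.1: fold every check into one mask and, on failure, silently substitute a random premaster secret); it is not Mbed TLS's own implementation. The 128-byte test vectors, the fixed padding bytes and the fixed "random" fallback are constructed for the example, and the function names are invented for it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48  /* TLS 1.2 premaster secret length */

/* 0xFF if a == b, 0x00 otherwise; no secret-dependent branch. */
static uint8_t ct_eq_u8(uint8_t a, uint8_t b)
{
    uint32_t d = (uint32_t)(a ^ b);          /* zero iff a == b */
    return (uint8_t)(0u - ((d - 1u) >> 31)); /* 0xFF iff d == 0 */
}

/* Unpad a decrypted RSA block carrying a TLS 1.2 premaster secret.
 * em/em_len: output of the raw RSA operation; em_len is the modulus
 * length and therefore public. Expected layout:
 *   0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M
 * with M exactly PMS_LEN bytes whose first two bytes are the version the
 * client offered. Every check is folded into one mask; on any failure
 * `out` receives `fallback` (random bytes from the caller's RNG) so the
 * handshake continues and fails only at Finished, as RFC 5246 requires.
 * Returns 1 if the real secret was selected, 0 if the fallback was,
 * -1 for a public length error. A real server must not let the 1/0
 * outcome influence anything observable (timing, alerts, logging). */
static int tls_rsa_pms_unpad(const uint8_t *em, size_t em_len,
                             const uint8_t client_version[2],
                             const uint8_t fallback[PMS_LEN],
                             uint8_t out[PMS_LEN])
{
    if (em_len < 11 + PMS_LEN) {
        return -1; /* modulus too small for the format; nothing secret here */
    }
    size_t sep = em_len - PMS_LEN - 1; /* where the 0x00 separator must sit */
    uint8_t good = ct_eq_u8(em[0], 0x00) & ct_eq_u8(em[1], 0x02);

    /* PS: every byte before the separator must be non-zero. The loop
     * bounds depend only on em_len, so the iteration count is public. */
    for (size_t i = 2; i < sep; i++) {
        good &= (uint8_t)~ct_eq_u8(em[i], 0x00);
    }
    good &= ct_eq_u8(em[sep], 0x00);

    /* Version check in the same mask: a wrong version must be
     * indistinguishable from bad padding. */
    good &= ct_eq_u8(em[sep + 1], client_version[0]);
    good &= ct_eq_u8(em[sep + 2], client_version[1]);

    /* Mask-based select: no branch on `good`. */
    for (size_t i = 0; i < PMS_LEN; i++) {
        out[i] = (uint8_t)((good & em[sep + 1 + i]) |
                           ((uint8_t)~good & fallback[i]));
    }
    return good & 1;
}

/* Constructed test vector, not real handshake data: a 128-byte EM (as for
 * a 1024-bit modulus) whose PS is filled with `ps_byte`. */
static void build_em(uint8_t em[128], uint8_t block_type, uint8_t ps_byte,
                     uint8_t v_major, uint8_t v_minor)
{
    size_t sep = 128 - PMS_LEN - 1;
    em[0] = 0x00;
    em[1] = block_type;
    memset(em + 2, ps_byte, sep - 2);
    em[sep] = 0x00;
    em[sep + 1] = v_major;
    em[sep + 2] = v_minor;
    memset(em + sep + 3, 0x42, PMS_LEN - 2); /* rest of the fake secret */
}

/* Runs one scenario against client version 3.3 (TLS 1.2).
 * 1: real secret selected and correct; 0: fallback selected; -1: wrong. */
static int scenario(uint8_t block_type, uint8_t ps_byte,
                    uint8_t v_major, uint8_t v_minor)
{
    static const uint8_t client_version[2] = { 0x03, 0x03 };
    uint8_t em[128], fallback[PMS_LEN], out[PMS_LEN];
    memset(fallback, 0x5A, sizeof fallback); /* stands in for RNG output */
    build_em(em, block_type, ps_byte, v_major, v_minor);
    int good = tls_rsa_pms_unpad(em, sizeof em, client_version, fallback, out);
    if (good == 1 && memcmp(out, em + 128 - PMS_LEN, PMS_LEN) == 0) return 1;
    if (good == 0 && memcmp(out, fallback, PMS_LEN) == 0) return 0;
    return -1;
}

int main(void)
{
    printf("well-formed:      %d\n", scenario(0x02, 0xAB, 0x03, 0x03));
    printf("bad block type:   %d\n", scenario(0x01, 0xAB, 0x03, 0x03));
    printf("zero byte in PS:  %d\n", scenario(0x02, 0x00, 0x03, 0x03));
    printf("version mismatch: %d\n", scenario(0x02, 0xAB, 0x03, 0x01));
    return 0;
}
```

Two things the example does not cover are what make this hard in practice: the raw RSA operation itself must also be blinded and constant-time, and C compilers are free to turn the mask arithmetic back into branches, which is why a real library keeps such helpers in one audited place (Mbed TLS has its own in library/constant_time.c) rather than open-coding them per call site. ECDHE + RSA-signature suites avoid the problem entirely because the private key never decrypts attacker-chosen ciphertext, which is the trade-off the thread is asking about.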