Goodbye TLS_RSA

Lachlan Turner Common Criteria

[Dec 13, 2017 update: The plot thickens… in early December researchers revived a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server – known as The Robot Attack. ROBOT only affects TLS cipher modes that use RSA encryption.]


[Nov 6, 2017 update: NIAP has withdrawn Labgram #106 (moved to Superseded List) as NIST has announced an update to its transition plans. The NIST announcement indicates that a draft update to the relevant standard is expected in the summer of 2018.  We recommend that vendors not rely solely on TLS_RSA ciphers, allow admins to disable TLS_RSA and add support for cipher suites that use DHE or ECDHE for key transport.]


[Sep 29, 2017 update: We have heard through unofficial channels that Labgram #106 is on hold and that further guidance from NIAP should be forthcoming ‘soon’. It would be prudent to be prepared to provide guidance to admins to disable TLS_RSA ciphers and add DHE or ECDHE ciphers to your Security Target if not already present.]


NIAP has issued Labgram #106/Valgram #126 – Impact of NIST 2017 Transitions to NIAP and it’s a doozy!  You know that TLS_RSA_WITH_AES_128_CBC_SHA cipher suite that most NIAP Protection Profiles (PP) say is mandatory (even now)? Come January 1, 2018… not allowed. BOOM. Just like that.  In fact, no TLS_RSA suites will be allowed in any NIAP PCL product.  If TLS_RSA_* are the only cipher suites in use then the product will be archived off the list.  Just like that.

Vendors will have to go through assurance maintenance to be re-listed on the PCL (what this means for vendors will vary depending on the PP they were certified against and the changes required for the product to comply).

To quote the Labgram (partial extract):

NIST provided notice in NIST SP 800-131A Revision 1 Section 6, dated November 2015, that all non-56B-compliant key transport schemes will be disallowed after 2017.

NIST SP 800-56B Revision 1, dated September 2014, allows only RSAES-OAEP for key transport.  However, TLS specifications for TLSv1.2 (and earlier versions) use the RSAES-PKCS1-v1.5 scheme.  Therefore, for TLSv1.2 (and earlier versions) to be compliant to NIST SP 800-56B, only ECDH or DH schemes can be used.

We therefore assess that TLS_DHE_RSA ciphers are OK, because RSA is not doing the key transport in this case (see this handy little TLS reference). However, NIAP is yet to produce the Technical Decision(s) that will alter the PPs to definitively specify the TLS cipher suites that will be allowed. Cipher suites that use ECDHE will be OK.
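The distinction drawn above can be checked mechanically from IANA suite names. The following is an added example, not code from the Labgram or from NIAP; the function names and the sample suite list are assumptions made for illustration, and it goes slightly beyond the post by also treating the RSA_PSK and RSA_EXPORT families as RSA key transport.

```python
KEX_FIELD_END = "_WITH_"

def key_establishment(suite: str) -> str:
    """Classify an IANA suite name: TLS_<kex>[_<auth>]_WITH_<cipher>_<hash>."""
    name = suite.strip().upper()
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {suite!r}")
    if KEX_FIELD_END not in name:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key-exchange field.
        return "tls13"
    kex = name[len("TLS_"):name.index(KEX_FIELD_END)]
    if kex == "RSA" or kex.startswith("RSA_"):
        # The client encrypts the premaster secret to an RSA key
        # (RSAES-PKCS1-v1.5). RSA_PSK and RSA_EXPORT do the same, so they
        # are grouped here as well.
        return "rsa-key-transport"
    if kex.startswith("ECDHE_"):
        return "ecdhe"
    if kex.startswith("DHE_"):
        return "dhe"   # e.g. TLS_DHE_RSA_*: RSA only signs, DH agrees the key
    return "other"     # static DH/ECDH, plain PSK, anonymous, ...

def audit(suites):
    """Return (suites to disable, True if no other suite would remain)."""
    kinds = {s: key_establishment(s) for s in suites}
    to_disable = [s for s, k in kinds.items() if k == "rsa-key-transport"]
    return to_disable, bool(suites) and len(to_disable) == len(kinds)

# Constructed sample: cipher suites as they might be listed in a Security Target.
SAMPLE_ST = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    flagged, only_rsa = audit(SAMPLE_ST)
    print("Disable:", ", ".join(flagged))
    print("Relies solely on RSA key transport:", only_rsa)
```

A product whose audit returns `True` in the second position is in the "TLS_RSA_* are the only cipher suites in use" situation described earlier and needs DHE or ECDHE suites added before the RSA ones can be switched off.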

Who does this impact?

  • Vendors with products on the PCL that include TLS_RSA in the Security Target
  • Vendors undergoing evaluation to get listed on the PCL, with TLS in the Security Target
  • Vendors preparing to enter evaluation to get listed on the PCL, with TLS in the product

What should you do? If you are in any of the above categories, you should speak with your lab or consultant, or get in touch with us to establish a strategy to handle Labgram 106 as soon as possible.