Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06

D.Rogers@gmx.net Wed, 15 April 2015 09:54 UTC

From: D.Rogers@gmx.net
To: "Luke Howard" <lukeh@padl.com>
Date: Wed, 15 Apr 2015 11:54:17 +0200
In-Reply-To: <597E759F-7941-4619-BCE0-DF604221EBB5@padl.com>
References: <alpine.GSO.1.10.1503301227280.22210@multics.mit.edu> <551D6C35.4080108@mit.edu> <alpine.GSO.1.10.1504081626110.22210@multics.mit.edu> <5525B044.8070509@mit.edu> <CAC2=hnfbLoRAQLwDQhL7pVYMS8kqfc1rAA6Ha1np1h1WnhT5aw@mail.gmail.com> <55271546.6020505@mit.edu>, <597E759F-7941-4619-BCE0-DF604221EBB5@padl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/r_Lpg3UtuiC6pouKO5u8BTgHBq0>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "mjjenki@tycho.ncsc.mil" <mjjenki@tycho.ncsc.mil>
Subject: Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06

Hi Luke,
 
As I understand it, truncating introduces potential predictabilities and therefore weaknesses.
Here the argument is that truncating from a 384 set to 196 is no more secure than truncating from 256 to 196.
Starting from a larger set and truncating to the same end result does improve security, it may reduce it.
Likewise, truncating 256 to 256 could be less secure than using straight 256, but it would be interesting to know if anyone has examined that.
SHA-256 of the SHA-2 family is a significant improvement over its predecessor SHA-1. So, where the output size has to be limited, using anything more than 256 is not necessary.
In terms of performance though, SHA-384 computes slightly faster than SHA-256.
 
Dean
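The truncation the thread is debating, as an added example that is not part of this message or of the draft: an HMAC over a constructed message computed with SHA-256 and with SHA-384, each cut to the same 192-bit tag, plus a constant-time check of a received tag. The function names, key and message are constructed for this illustration.

```python
import hashlib
import hmac


def truncated_hmac(hash_name: str, key: bytes, msg: bytes, tag_bits: int) -> bytes:
    """HMAC over msg with the named hash, keeping only the leading tag_bits bits.

    This is the pattern under discussion: the full HMAC output (256 or 384 bits)
    is computed, then cut down to a fixed tag length such as 192 bits.
    """
    if tag_bits % 8:
        raise ValueError("tag length must be a whole number of bytes")
    full = hmac.new(key, msg, hash_name).digest()
    if tag_bits > len(full) * 8:
        raise ValueError(f"{hash_name} only yields {len(full) * 8} bits, cannot keep {tag_bits}")
    return full[: tag_bits // 8]


def verify_tag(hash_name: str, key: bytes, msg: bytes, tag: bytes, tag_bits: int) -> bool:
    """Recompute the truncated tag and compare in constant time (length checked first)."""
    if len(tag) != tag_bits // 8:
        return False
    expected = truncated_hmac(hash_name, key, msg, tag_bits)
    return hmac.compare_digest(expected, tag)


def generic_forgery_bits(hash_name: str, tag_bits: int) -> int:
    """Work factor (in bits) for guessing a tag: bounded by the shorter of the
    truncated tag and the underlying hash output, which is why a 192-bit tag
    from SHA-384 and a 192-bit tag from SHA-256 sit at the same bound."""
    return min(tag_bits, hashlib.new(hash_name).digest_size * 8)


# Constructed sample key and message, not values from the draft.
SAMPLE_KEY = bytes(range(32))
SAMPLE_MSG = b"constructed sample message for the truncation example"

if __name__ == "__main__":
    for h in ("sha256", "sha384"):
        tag = truncated_hmac(h, SAMPLE_KEY, SAMPLE_MSG, 192)
        print(h, tag.hex(), "ok:", verify_tag(h, SAMPLE_KEY, SAMPLE_MSG, tag, 192))
```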
Sent: Wednesday, 15 April 2015 at 06:59
From: "Luke Howard" <lukeh@padl.com>
To: "Greg Hudson" <ghudson@MIT.EDU>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "mjjenki@tycho.ncsc.mil" <mjjenki@tycho.ncsc.mil>
Subject: Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06

> On 10 Apr 2015, at 10:11 am, Greg Hudson <ghudson@MIT.EDU> wrote:
>
> * If the goal is to meet a checklist of Suite B requirements, using
> SHA-384 over SHA-256 internally might be necessary, but it really is
> just a meaningless checklist tick. Moreover, the small integrity tag
> and checksum lengths could mean that the draft doesn't actually satisfy
> Suite B--I can't speak confidently either way on that point.
>
> * If the goal is to achieve some real security strength, using truncated
> SHA-384 is not an improvement over using truncated SHA-256.

I am not a cryptographer but Greg’s arguments make sense to me. Why not always truncate the hash to 256 bits when using 256-bit AES keys?

— Luke
_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten