IETF Logo Mail Archive

Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

Nikos Mavrogiannopoulos <nmav@gnutls.org> Wed, 09 March 2011 15:26 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3140B3A689F; Wed, 9 Mar 2011 07:26:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sM1CRop0ZkaW; Wed, 9 Mar 2011 07:26:47 -0800 (PST)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by core3.amsl.com (Postfix) with ESMTP id 189553A6821; Wed, 9 Mar 2011 07:26:47 -0800 (PST)
Received: by qyk7 with SMTP id 7so516278qyk.10 for <multiple recipients>; Wed, 09 Mar 2011 07:28:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=CkYy8xQwyjVVbxeY/5VmrgkdE+U2hapNtZJDEf3p6tk=; b=v3oI4DZx6ToK+FKrSgGniN4dgs0xy/D7xtjo2abgfNytmb+AO8x45y4pN9WkNWHqXp wUaLSfyC1JMxGNMAUnY9sRzntVSE4A82SgEG0zt+SqNZ9vd60LwS2c1QRuz5NUVIhbMX iiR1iaVG+nkXmWkKw9/Ks3VFekOYDGWcyRmnY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=OX4G1/fAFFPWEONjVbCYaVQOBxPHIzdXd9ABpXv9pnHG5QjsEzTBuyudykES3QHQMq +OD5nKPQBPxXdogyOIVHUI1R3J/BgfnuBrWrThfqKKidgNfVSrZ8Sbckf6FuqViqvC8D exJf6rMWVRg5ucZ5lq3SB5MUGOqCzC+SFaw+g=
MIME-Version: 1.0
Received: by 10.229.114.80 with SMTP id d16mr5328408qcq.18.1299684483274; Wed, 09 Mar 2011 07:28:03 -0800 (PST)
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.229.20.71 with HTTP; Wed, 9 Mar 2011 07:28:03 -0800 (PST)
In-Reply-To: <AANLkTin0D7KYn-c4OfnoY_SPD7jDZThpjKLrrEZBU7h3@mail.gmail.com>
References: <AANLkTik07Zte5ERfG_+GHd_ag9o3UguzCE6gEzjnSHKe@mail.gmail.com> <201103081845.p28IjCY0007292@fs4113.wdf.sap.corp> <AANLkTim=g981ne+Y-ZdgATdimRmgfjyM81YEuPAhyhCV@mail.gmail.com> <AANLkTimJzVoobdBTLEKbBdm2SLMaoRC3XLKQxXDZZ7tQ@mail.gmail.com> <AANLkTin0D7KYn-c4OfnoY_SPD7jDZThpjKLrrEZBU7h3@mail.gmail.com>
Date: Wed, 09 Mar 2011 16:28:03 +0100
X-Google-Sender-Auth: cpwoJSdlfMFfPUWPSyc2P9yQfEI
Message-ID: <AANLkTimBMwV-SBQrG9OdLauQWHbYKqSHAtprQpGvHM41@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org, ietf@ietf.org
Subject: Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 15:26:48 -0000

On Wed, Mar 9, 2011 at 3:34 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>> I'm not a specialist in MAC algorithms but by checking
>> the ECRYPT II[0] report of 2009-2010, I can try making some points.
>> A MAC has a security level that depends on the size of the MAC
>> and the size of the key. That is a 12-byte MAC has security level of
>> MIN(2^{key_size}, 2^{96}) [1], irrespective of the key size used.
>> As I understand the addition of SHA-384 as PRF was to increase
>> the security margin of TLS comparing to the SHA-1 PRF. This
>> is not occuring now because a MAC based on algorithm that
>> returns 384-bits and truncates it  to 96 can offer nothing more
>> than an algorithm that outputs 160 bits and are trucated to 96.
>> Hence there is no significant difference than SHA-1 or SHA-384
>> in that case, so why define SHA-384 anyway?
> If you recall, the reason why TLS 1.2 was done was not primarily because
> of concerns about SHA-1's 160-bit output being large enough but because
> people started developing analytic attacks on MD5 and SHA-1 that brought
> it's security level down below the nominal level.
> In other words, there are many applications where 80 bits of security is
> fine, but people don't want to use SHA-1 because they don't trust it.

Such things should be explicit then. In any case I think there is a mistake
here since RFC5288 defines the AES-256 ciphersuites with SHA-384 as
PRF, and the AES-128 ciphersuites with SHA-256, thus there was
intention to match the security strength of the cipher with the size
of the hash.

If this wasn't the intention, then it is pretty much misleading, and should
be explicit. E.g. Although we define SHA-384 as PRF in this ciphersuite, it
is being truncated in 96 bits. The choice for SHA-384 was because .....


> Because the attack model for MACs is not the same as the attack model
> for encryption. The encryption is susceptible to offline attack, whereas
> with a MAC all you need to do is get the guessing probability sufficiently
> low because *any* failed forgery causes connection termination.

This depends on the threat model you have. There might be cases where
the case you describe is no problem for the adversary.

regards,
Nikos

v2.23.0 | Report a Bug | By Email