Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
Eric Rescorla <ekr@rtfm.com> Wed, 09 March 2011 16:43 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D4E63A687A for <tls@core3.amsl.com>; Wed, 9 Mar 2011 08:43:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.929
X-Spam-Level:
X-Spam-Status: No, score=-102.929 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YHZH5tMttsBD for <tls@core3.amsl.com>; Wed, 9 Mar 2011 08:43:36 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 3379D3A6859 for <tls@ietf.org>; Wed, 9 Mar 2011 08:43:36 -0800 (PST)
Received: by iwl42 with SMTP id 42so865770iwl.31 for <tls@ietf.org>; Wed, 09 Mar 2011 08:44:52 -0800 (PST)
MIME-Version: 1.0
Received: by 10.43.45.137 with SMTP id uk9mr8750486icb.31.1299689092534; Wed, 09 Mar 2011 08:44:52 -0800 (PST)
Received: by 10.42.234.9 with HTTP; Wed, 9 Mar 2011 08:44:52 -0800 (PST)
In-Reply-To: <201103091638.p29GciBt020741@fs4113.wdf.sap.corp>
References: <AANLkTi=-PgLxsMsCnPn8NMqteNR7KYQr+wWGH=GvxyoB@mail.gmail.com> <201103091638.p29GciBt020741@fs4113.wdf.sap.corp>
Date: Wed, 09 Mar 2011 08:44:52 -0800
Message-ID: <AANLkTi=FThxfRiejVLyt_CjOOQ1uPoYZJ6mHWA-4j2wL@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 16:43:37 -0000
This message does not appear to provide anything new, so in the interest of not going around in circles, I'll forego a detailed response. -Ekr On Wed, Mar 9, 2011 at 8:38 AM, Martin Rex <mrex@sap.com> wrote: > Eric Rescorla wrote: >> >> > Yes, I'm aware what TLSv1.2 says. >> >> Then why did you call it a hard limit above? It's not. > > How do two independent implementations of rfc-5246 use finished > messages truncated to no less than 128 bits with the cipher suites > > TLS_RSA_WITH_AES_256_CBC_SHA256 { 0x00, 0x3D } > TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 { 0x00, 0x6A } > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 { 0x00, 0x6B } > > If the answer is "they can not", then this is what I > consider a "hard limit". > >> >> > But I'm much more aware of >> > the complete lack of guidance (a pointer to rfc-2104 section 5 >> > would have been sufficient). >> >> As both Hovav and I have explained to you, >> we don't think that guidance is relevant here. > > I hear you saying "nobody needs more than 640KB^W96-bit security for HMACs". > The IPSEC fanciers seem to be disagreeing with you by a margin. > > From Hovav I only know what he wrote, not what he thinks: > >> >> Any truncation of HMAC-SHA384 -- the PRF at hand -- to fewer than 384/2 >> = 192 bits means you are in the former regime rather than the latter. >> That's fine, provided k-bit security is sufficient, as 96-bit security is >> here; it just means that having built HMAC using SHA384 was overkill, which >> it of course was. > > The existance and contents of rfc4868 indicates that not everyone > in the IETF might be agreeing to your opinion that truncation of > HMACs to 96 is sufficient security for everyone and everything. > > > For me, a TLS cipher suite spec that wants to provider stronger > security than what is available in the base spec and therefore redefines > the PRF with a hash that has a longer output value, the truncation of > the verify_data in the finished message _is_ relevant. > > There is another TLS documents (TLS extensions) that _correctly_ > points to [HMAC]/[RFC2104] Section 5 for the details of the HMAC > truncation: > > http://tools.ietf.org/html/rfc6066#section-7 > and > http://tools.ietf.org/html/rfc4366#section-3.5 > > say > > Subsequently during the > session, clients and servers MUST use truncated HMACs, calculated as > specified in [HMAC]. > > > So it is somewhat unlikely that implementors really miss the truncation > size guidance in that referenced section 5 of [HMAC]: > > http://tools.ietf.org/html/rfc2104#section-5 > > > The section where TLSv1.2 does truncation (on the verify_data): > > http://tools.ietf.org/html/rfc5246#section-7.4.9 > > lacks this pointer to rfc-2104 section 5. > > I consider this a defect of rfc-5246 with the result as seen > in the spec named in the subject of this thread. > > > Having just re-read 7.4.9 -- where does draft-kanno-tls-camellia-00 > actually comply to this MUST of rfc-5246? > > Any cipher suite which defines a different PRF MUST > also define the Hash to use in the Finished computation. > > > A grep -i -e "finish" -e "verify" does not find a match. > > > > -Martin > > > >> >> >> > Alternatively, if they favour your attitude that actually >> > SHA-1 would have been good enough, and SHA-256 is plenty, >> > they should remove all the -SHA384 ciphersuites from the >> > document. >> >> Yes, that would be fine with me. >> >> >> >> > TLSv1.2 was supposed to provide a framework that can deliver TLS >> >> > with a strength >128=bits of security. But it failed to deliver >> >> > this by (1) not adjusting the truncation of the finished messages >> >> > and (2) not documenting that the truncation of the finished messages >> >> > MUST be done along with the use of stronger ciphers, stronger hashes >> >> > and larger key lengths in order to actually obtain a balanced >> >> > security of the desired higher strength. >> >> >> >> Well, as I've said during this thread, I believe your understanding of what >> >> "security level" means in this context is wrong. I.e., a 128-bit security >> >> level against offline attack is very different than a 2^{-128} chance of >> >> successful guessing exactly once on each connection. However, TLS 1.2 >> >> does in fact have the flexibility you are requesting. >> > >> > TLSv1.2 should have used that flexibility itself for a SHA-256 PRF, >> > and should have provided a pointer to rfc-2104 section 5 for selecting >> > an adequate truncation size for TLS cipher suite specs that use this >> > flexibility. >> >> > What seems to have happened is that although there are cipher suite >> > specs that redefine the PRF, they fail to address the truncation >> > because TLSv1.2 fails to address the truncation ("bad precedent"). >> >> As stated above, I disagree with this claim. However, as it's moot >> now, I don't think >> there's a lot of point in discussing it further. >> >> -Ekr >> >> > >
- [TLS] Last Call: <draft-kanno-tls-camellia-00.txt… The IESG
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Satoru Kanno
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Sean Turner
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Hovav Shacham
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Hovav Shacham
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Yoav Nir
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Stephen Kent
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Stephen Kent
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos