IETF Logo Mail Archive

Re: [TLS] TLS 1.3 draft-07 sneak peek

William Whyte <wwhyte@securityinnovation.com> Sat, 04 July 2015 13:19 UTC

Return-Path: <wwhyte@securityinnovation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC7DC1ACD48 for <tls@ietfa.amsl.com>; Sat, 4 Jul 2015 06:19:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.922
X-Spam-Level:
X-Spam-Status: No, score=0.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MANGLED_OFF=2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oGQR548bzq85 for <tls@ietfa.amsl.com>; Sat, 4 Jul 2015 06:19:50 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF6841ACD47 for <tls@ietf.org>; Sat, 4 Jul 2015 06:19:49 -0700 (PDT)
Received: by qkei195 with SMTP id i195so89055908qke.3 for <tls@ietf.org>; Sat, 04 Jul 2015 06:19:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=securityinnovation.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mKMtLnSnLplMfx3X95XswlKX1dnRrMuRFkPHN89Vxwc=; b=RqKLjPP84Sh7j45fD74iTIdYR3anfJdwCx9h5jYk9qDGvx+6D35SsPLVl47nvoKMp7 jCxejq3ZO5AyE/7pIZRVrXh58aVs7LtQhSxUSe2TOrn3QNm5OS+pYVzvhGbSI/GhqNbk MRpf7FkOGAxpwLRm42mIibBaMIhIXFLUGKLD0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=mKMtLnSnLplMfx3X95XswlKX1dnRrMuRFkPHN89Vxwc=; b=WnBe/mZsIz+igtmBYsGoxFu6ZpUDUm8WLyc9p9TJ3NNtdmyren7esrHndQ/gh3NPge aWGaMbs92QklY3CVe13/b19uWCe1zvqcP+W9vel1xZhJkPPme9tikiQXQIED+fKAV8og kv+7j2EJWeSAxlTUmpZI2NuZgmzn6Rtz9I2qAufXTuYu6aLN3UBlqGswdLqE9aCL15+V 9Stvu+qi74xp/EqH+POp9lP1n76W7jz6taP1CKHLA+iC3oGXaZUdFcPAkUnJBqWDCUmT jeNA9bg/RBkw7ejBhU85hiZpVVQ0yBgFcLCCVqS9gKXIPTELfyNf9SqZkbagidAMx7yi L23A==
X-Gm-Message-State: ALoCoQkMcfQ9AyspHovodoJbDIQrQJzuKPQrA6IAeAMyIwmbHij53qHLxTBjrACZWJ63iMRa/mQc
MIME-Version: 1.0
X-Received: by 10.140.150.198 with SMTP id 189mr61733246qhw.88.1436015989065; Sat, 04 Jul 2015 06:19:49 -0700 (PDT)
Received: by 10.96.80.7 with HTTP; Sat, 4 Jul 2015 06:19:48 -0700 (PDT)
In-Reply-To: <BN1PR09MB124CE159C28C9B617BB2E07F3950@BN1PR09MB124.namprd09.prod.outlook.com>
References: <CAE3-qLREFyP34PkKbospPZGEeXDi33J=B3etN1bG0ncCvX4eZw@mail.gmail.com> <20150704034218.613C41A1B3@ld9781.wdf.sap.corp> <BN1PR09MB124CE159C28C9B617BB2E07F3950@BN1PR09MB124.namprd09.prod.outlook.com>
Date: Sat, 04 Jul 2015 09:19:48 -0400
Message-ID: <CACz1E9pbjLM+jV5cWARxdp2urSt=r+0y0MQ5UQD3Npg+UF82kw@mail.gmail.com>
From: William Whyte <wwhyte@securityinnovation.com>
To: "Dang, Quynh" <quynh.dang@nist.gov>
Content-Type: multipart/alternative; boundary="001a113569e2eba3e1051a0c865b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/C5l3P0h7q42vieMXrSBsTGQpbP8>
X-Mailman-Approved-At: Sat, 04 Jul 2015 13:33:41 -0700
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 draft-07 sneak peek
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jul 2015 13:19:52 -0000

So it seems this attack applies if the output size and the chaining value
size are the same, but not if they're different. The assumption you're
making is that if F(X) = F(X') then F(X|N) = F(X'|N) but that's not true if
the output of F is truncated.

William

On Sat, Jul 4, 2015 at 8:30 AM, Dang, Quynh <quynh.dang@nist.gov> wrote:

>
> Hi Martin,
>
> I talked about this issue at the interim meeting in Denver last year. A
> lot of people there who were very good at crypto, but were not aware of
> this issue.  In another word, nobody knows all. So, being not aware of
> something is common to everyone.
>
> Let me explain one of your examples and I hope that will help to make the
> issue clear.
>
> "OK, here are my algorithms F and G:
>
>   F= sha-256, truncated to bits 0..95 of the output
>   G= sha-256, truncated to bits 96..256 of the output"
>
> It takes approximately 2^48 operations to find a block X and X' (X and X'
> can be any blocks) as long as their 96-bit hash values ( F) are the same.
>
> It takes approximately 2^80 operations to find a block N (N can be any
> block) so that 160-bit hash values (G) of X|| N and X'|| N are the same.
>
> So, the work required to find a collision for G is  2^80 and the work
> required to find a collision for F || G is 2^48 + 2^80 and 2^48 is like
> nothing when being compared to 2^80.
>
>  Happy the 4th of July!
>
>  Quynh.
>
> ________________________________________
> From: TLS <tls-bounces@ietf.org> on behalf of Martin Rex <mrex@sap.com>
> Sent: Friday, July 3, 2015 11:42 PM
> To: Quynh Dang
> Cc: tls@ietf.org
> Subject: Re: [TLS] TLS 1.3 draft-07 sneak peek
>
>
> Quynh Dang wrote:
> > The ineffectiveness issue of cascading hashes has been widely known for a
> > long time ago.
> >
> > Find block X and block X' which have collided hash for SHA1 which takes
> > around 2^70 operations or possibly less.
> >
> > Finding a block N for which X|| N and X' || N have collided hash for MD5
> > which is expected to have very low complexity (finding collision for
> MD5).
> >
> > Therefore, finding collisions for SHA1 and collisions for SHA1 || MD5
> > require about the same computational complexity.
>
>
> The previously mentioned paper
>
> http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf
>
> describes the issue for two arbitrary hash algorithms F and G
> with bit sizes nF and nG and you say this applies to
>
>   F= md5  nF=128 bit
>   G= sha1 nG=160 bit
>
>   and that the security of F||G would be no stronger than the larger
>   of the two (G alone, nG=160).
>
>
> OK, lets take two other hash algorithms F and G, and even use
> a weaker algorithm F with nF=96 and G with nG=160.
> The assertion is, that he security of F||G would still be only 160.
>
> OK, here are my algorithms F and G:
>
>   F= sha-256, truncated to bits 0..95 of the output
>   G= sha-256, truncated to bits 96..256 of the output
>
> Now if your original assertion is true, then the strength of
> F(m)||G(m) which curiously happens to be identical to the output of
> sha256 for the message (m) has a security of only 160 bits?
>
> Or lets look at a concatenation of 8 hashes of 32-bits each.
>
> F=sha-256, truncated to bits 0..31 of the output
> ...
>
>
>
> -Martin
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email