Re: [TLS] Finished message hash length/algorithm (was RE: draft-turner-ssl-must-not)
Marsh Ray <marsh@extendedsubset.com> Tue, 06 July 2010 15:39 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 60C463A69DA for <tls@core3.amsl.com>; Tue, 6 Jul 2010 08:39:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.217
X-Spam-Level:
X-Spam-Status: No, score=0.217 tagged_above=-999 required=5 tests=[AWL=0.951, BAYES_00=-2.599, FRT_LOLITA1=1.865]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8+I5waAxdR95 for <tls@core3.amsl.com>; Tue, 6 Jul 2010 08:39:41 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 301F13A69C9 for <tls@ietf.org>; Tue, 6 Jul 2010 08:39:41 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OWAFL-000EDu-Aq; Tue, 06 Jul 2010 15:39:43 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id C09A76333; Tue, 6 Jul 2010 15:39:40 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19cG034MRfBx/JXw4daBj5/CPBE3Ia+GYo=
Message-ID: <4C334E3C.3040704@extendedsubset.com>
Date: Tue, 06 Jul 2010 10:39:40 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4
MIME-Version: 1.0
To: Brian Smith <brian@briansmith.org>
References: <003001cb1d1b$7d279660$7776c320$@briansmith.org>
In-Reply-To: <003001cb1d1b$7d279660$7776c320$@briansmith.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: 'Marsh Ray' <marsh@xs01.extendedsubset.com>, tls@ietf.org
Subject: Re: [TLS] Finished message hash length/algorithm (was RE: draft-turner-ssl-must-not)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2010 15:39:42 -0000
On 07/06/2010 09:56 AM, Brian Smith wrote: > > This is an easy problem to solve, if it is a problem: > > 1. Define a new extension that allows the client to request a Finished > message that is truncated to a different length. That may or may not help. Since the Finished message is what provides integrity protection for the handshake, if the attacker can defeat the 96 bit hash he can probably alter the hello messages so the extension isn't negotiated. > 2. Make False Start / Snap Start require this extension be used. > > Such an extension could even switch the finished hashes and/or the PRF from > SHA-256 to a more efficient algorithm like GHASH. This would eliminate the > performance penalty of switching from TLS 1.0/1.1 to TLS 1.2 if widely > deployed. Perhaps there's something to be said for a hash function not living on the bleeding edge of performance? - Marsh