Re: [TLS] TLS1.3

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Mon, 11 February 2013 10:15 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "Lewis, Nick" <nick.lewis@usa.g4s.com>
Date: Mon, 11 Feb 2013 10:15:05 +0000
Message-ID: <B132B06E59C4A540A03C3393F53BC07C40818C02@EXCH-MB01.cc.rhul.local>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.3

Nick,

I think you've misread the NIST document.

SHA-1 is still "acceptable" for applications not related to digital signature generation (see Table 9). That includes MACing - see HMAC entry, Table 10, and the ensuing text:

"HMAC Generation: Any approved hash function may be used.
The use of key lengths ≥ 80 bits, but < 112 bits is acceptable through December 31, 2010.
From January 1, 2011 through December 31, 2013, the use of key lengths ≥ 80 bits, but < 112 bits is deprecated.
After December 31, 2013, key lengths < 112 bits shall not be used.
The use of key lengths ≥ 112 bits is acceptable."

For the definition of acceptable, the document says:

"Acceptable is used to mean that the algorithm and key length is safe to use; no security risk is currently known."

Regards,

Kenny


On 11 Feb 2013, at 10:03, Lewis, Nick wrote:


> The reality of TLS though is that there are many MACs in everyday use that are not secure (based on hashes of 80 bits or even 64 bits).
> These are currently protected from attack by being behind strong (112-bit or 128-bit) crypt.
>
>> The "usual" MAC algorithms for TLS are HMAC-MD5, HMAC-SHA-1 and HMAC-SHA-256 (HMAC-SHA-384 is also a possibility).
>> These all have MAC tags of at least 128 bits.
>>
>> RFC 6066 standardises "truncated" MAC tags for TLS, but these are known to be dangerous when used in combination with TLS's variable length padding
>> (see the distinguishing attack in my Asiacrypt 2011 paper with Ristenpart and Shrimpton).
>> However, I was not aware of anyone actually using these truncated MAC tags, or any other short-output MAC algorithms in TLS.
>> Can you provide specific examples in support of your argument?
>
> Sorry, I meant to say "bits of security" (as in a birthday attack) rather than leave an impression of bit length.
> According to NIST, HMAC-MD5 and HMAC-SHA-1 are vulnerable and should not be used henceforth:
> http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
>
> -- Nick
