Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft

Stefan Santesson <stefan@aaa-sec.com> Thu, 25 February 2010 13:25 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7636628C101 for <tls@core3.amsl.com>; Thu, 25 Feb 2010 05:25:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.171
X-Spam-Level:
X-Spam-Status: No, score=-2.171 tagged_above=-999 required=5 tests=[AWL=0.078, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16dkbF1+Iv22 for <tls@core3.amsl.com>; Thu, 25 Feb 2010 05:25:56 -0800 (PST)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.114]) by core3.amsl.com (Postfix) with ESMTP id C733928C0FB for <tls@ietf.org>; Thu, 25 Feb 2010 05:25:54 -0800 (PST)
Received: from s42.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 56413360FF8 for <tls@ietf.org>; Thu, 25 Feb 2010 14:27:51 +0100 (CET)
Received: (qmail 31062 invoked from network); 25 Feb 2010 13:27:46 -0000
Received: from 213-64-142-247-no153.business.telia.com (HELO [192.168.1.16]) (stefan@fiddler.nu@[213.64.142.247]) (envelope-sender <stefan@aaa-sec.com>) by s42.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <ynir@checkpoint.com>; 25 Feb 2010 13:27:46 -0000
User-Agent: Microsoft-Entourage/12.23.0.091001
Date: Thu, 25 Feb 2010 14:27:39 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: Yoav Nir <ynir@checkpoint.com>, Marsh Ray <marsh@extendedsubset.com>
Message-ID: <C7AC395B.892B%stefan@aaa-sec.com>
Thread-Topic: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
Thread-Index: Acq14KaIPT7dp+jVSzy6IrLBfIVHvwAPaZvm
In-Reply-To: <848CABEF-60CE-4CCD-A65C-EA5BB4DB4087@checkpoint.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: "Kemp, David P." <DPKemp@missi.ncsc.mil>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2010 13:25:57 -0000

I think this issue is blown totally out of any reasonable proportions.

This is not the first time a hash is used to provide an identifier where no
strong collision resistance is required. I don't want to break my back to
avoid using a perfectly suitable hash algorithm just for political reasons.


/Stefan


On 10-02-25 7:06 AM, "Yoav Nir" <ynir@checkpoint.com>; wrote:

> Something like this algorithm also has the benefit of side-stepping the whole
> national algorithms issue.
> 
> While "American" crypto algorithms may be unacceptable in Russia, perhaps an
> "American" non-crypto algorithms would be acceptable, and we won't need a GOST
> version.
> 
> (or Camelia)
> 
> On Feb 24, 2010, at 11:02 PM, Marsh Ray wrote:
> 
>> Kemp, David P. wrote:
>>> Marsh Ray wrote:
>>>> It will not be so fun to convince reviewers that "yes we're using
>>>> SHA-1 but not in a way that really matters."
>>>> 
>>>> If all you need is a 64-bit checksum for data-structure-style
>>>> hashing and indexing, use any old old-fashioned checksum algorithm.
>>>> 
>>>> 
>>>> This would be simple for everyone to implement and it clearly
>>>> communicates your design intent (that the security of the design
>>>> does not depend on any properties of this value's calculation).
>>> 
>>> +1 in principle.
>>> 
>>> But practically speaking, do you have any suggestions for well-known
>>> non-cryptographic hash algorithms?
>> 
>> Hmm, starting with http://en.wikipedia.org/wiki/List_of_hash_functions
>> 
>> FNV seems like a good candidate.
>> http://en.wikipedia.org/wiki/Fowler-Noll-Vo_hash_function
>> 
>> Pros:
>> * Wide existing usage:
>> http://www.isthe.com/chongo/tech/comp/fnv/index.html#history
>> 
>> * On that page they disclaim patents on it.
>> 
>> * It is defined in power-of-two sizes from 32 to 1024 bits.
>> 
>> * Something of an endorsement:
>> "We experimetned with several different hash functions and found FNV has
>> to be the best one."
>> http://domino.watson.ibm.com/library/cyberdig.nsf/papers/2314E66547EF9CC58525
>> 76BE005F1E4F/$File/rc24939.pdf
>> 
>> Cons:
>> 
>> * Uses multiply. Probably not a big deal in practice.
>> 
>> * Not (yet) referenceable in a formal standards doc.
>> 
>>> A quick IANA search turned up
>>> Kerberos checksums
>>> http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtm
>>> l,
>>> including CRC32 (4 octets), des-mac-k (8 octets), and several 16
>>> octet algorithms including MD4 and MD5.
>> 
>> CRC64 doesn't seem to be so great with collisions:
>> http://www.cs.ucl.ac.uk/staff/d.jones/crcnote.pdf
>> The authors propose a better version.
>> 
>> You could use a pair of (some variant of) CRC32, each preloaded with
>> different values. This may not be any better than CRC64 though and may
>> not be terribly efficient.
>> 
>>> A search for other "hash", "mac", or "checksum" registries turned up
>>> nothing new.
>>> 
>>> It doesn't feel quite right to add a non-cryptographic checksum to
>>> the RFC 5246 registry:
>>> 
>>> enum { none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
>>> sha512(6), (255) } HashAlgorithm;
>>> 
>>> so even if there were such an algorithm, permitting both it and
>>> cryptographic hashes would be painful.
>> 
>> Is it really necessary for this to be a flexible parameter?
>> 
>> A implementation now has a choice: implement them all (including ones
>> that are never used in practice), or risk not not being compatible
>> somewhere.
>> 
>>> I don't see an alternative that satisfies both "simple to implement"
>>> and "clearly communicates intent".  My care-abouts are 1) a common
>>> interoperable algorithm and 2) bandwidth.  Computation speed is
>>> unimportant,
>> 
>> There's always code size to consider.
>> 
>>> so if everyone thinks sha256 will be cryptographically
>>> viable for the foreseeable future and SHA-1 will soon be impossible
>>> to get "approved", then sha256 truncated to 64 bits could be a
>>> reasonable MUST-support algorithm.
>> 
>> Now you'll have to explain why you're taking the output of an
>> industrial-strength hash function and throwing away 3/4 of it. :-) Plus,
>> it's wasted effort since collisions will be possible to find in any
>> 64-bit hash function.
>> 
>> - Marsh
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>> 
>> Scanned by Check Point Total Security Gateway.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls