[TLS] HMAC vs HASH

Michael StJohns <msj@nthpermutation.com> Wed, 30 July 2014 21:30 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/IwROhTsF_ZChIU7irlZ97I-6660

Hi -

Slightly different topic from before.

The signature over the finished messages is TLS-PRF(HASH (handshake 
messages)).

My question - assuming the HASH and TLS-PRF both use SHA256 - what is 
the security strength of that signature function?

I note that back in the archive Marsh Ray from Microsoft took a 
swing at this 
(https://www.ietf.org/mail-archive/web/tls/current/msg10584.html) and 
concluded it wasn't an issue, but he was looking at it from the 
viewpoint of recovery of the HMAC key, but I'm not sure this is the 
worst case viewpoint.

As I read the guidance, HMAC-SHA256 is 256 bit secure, but SHA256 is 
only 128 bit secure with respect to signatures.

If that's the case, is the handshake finished message signature security 
any stronger than the signature strength of the hash function?  E.g. 128 
bits for a SHA256 hash?

Note that I'm not having a discussion about whether or not 128 bits is 
sufficient, but whether or not SHA256 as the summary hash function 
represents the weakest part of the cipher suite for suites with bit 
strengths above 128 bits.

Mike
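
Added example, not part of the original message: the Finished computation the message refers to, written out in the TLS 1.2 form from RFC 5246 (PRF built on HMAC-SHA256, 12-byte verify_data). The key, the transcript bytes and the function names are constructed for illustration; the point shown is that the handshake messages reach the keyed PRF only as their 32-byte SHA-256 digest.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def verify_data_from_digest(master_secret: bytes, label: bytes, digest: bytes) -> bytes:
    """Finished verify_data given only the transcript digest (12 bytes in TLS 1.2)."""
    return tls12_prf(master_secret, label, digest, 12)


def finished_verify_data(master_secret: bytes, label: bytes, handshake_messages: bytes) -> bytes:
    """verify_data = PRF(master_secret, label, SHA256(handshake_messages))[0..11]."""
    digest = hashlib.sha256(handshake_messages).digest()
    return verify_data_from_digest(master_secret, label, digest)


# Constructed sample values, not taken from a real handshake.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"constructed ClientHello|constructed ServerHello|..."

if __name__ == "__main__":
    digest = hashlib.sha256(TRANSCRIPT).digest()
    full = finished_verify_data(MASTER_SECRET, b"client finished", TRANSCRIPT)
    short = verify_data_from_digest(MASTER_SECRET, b"client finished", digest)
    # The keyed step sees 32 bytes, whatever the transcript length.
    print(len(digest), full.hex(), full == short)
```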