[TLS] HMAC vs HASH

Michael StJohns <msj@nthpermutation.com> Wed, 30 July 2014 21:30 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BAFD1A05C0 for <tls@ietfa.amsl.com>; Wed, 30 Jul 2014 14:30:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TmnEBXYpf9vf for <tls@ietfa.amsl.com>; Wed, 30 Jul 2014 14:30:56 -0700 (PDT)
Received: from mail-ie0-f174.google.com (mail-ie0-f174.google.com [209.85.223.174]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DE951A049F for <tls@ietf.org>; Wed, 30 Jul 2014 14:30:56 -0700 (PDT)
Received: by mail-ie0-f174.google.com with SMTP id rp18so2360811iec.5 for <tls@ietf.org>; Wed, 30 Jul 2014 14:30:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:content-type:content-transfer-encoding; bh=xijQeA0YUK2ymm5/hkOMysv3IJq+A12khMBg6BGTNok=; b=X7+/teH6Rb1sMN+PlQFnv2FD675A+zVr7zUtE+ZWQOzt+6mGFZKUZkKb73/WjuE3x2 jtj3wSjmhKfi340B+dDXYNAfsD3XTUfjFT6FYFkS43z3LAPbj/cST8wAbKJDqhTJEJxk TZ96EmFTTdmZvra9RhABoVexO3d2FT1uTgNrc2xOBXvjd/zXDFBwiRBP6BpPIYc72Jto iV/pLXJgAZ/4q0XHWCSuD4wJJjGLRNTKhrmM7OvyaJWKV3NfA+kF+QjUs1lWNJU/y83F /gn9Bkxa3mgqR2AY5CmZ8b8XByXAcBiy8o4a9lSN+mKCLBhs9xDcsstnMbb0UlvogSxK Z/0g==
X-Gm-Message-State: ALoCoQkkg9t8hWd8wv+5frU8hVDkWFl8GZ0MZZBLuez8fqGjOzrp4na4ItSze9O42eqQheAvQYb+
X-Received: by 10.43.149.200 with SMTP id kl8mr9202312icc.52.1406755855893; Wed, 30 Jul 2014 14:30:55 -0700 (PDT)
Received: from [172.27.7.54] (75-104-68-185.mobility.exede.net. [75.104.68.185]) by mx.google.com with ESMTPSA id j5sm52877796ige.12.2014.07.30.14.30.52 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 30 Jul 2014 14:30:55 -0700 (PDT)
Message-ID: <53D96408.1060101@nthpermutation.com>
Date: Wed, 30 Jul 2014 17:30:48 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/IwROhTsF_ZChIU7irlZ97I-6660
Subject: [TLS] HMAC vs HASH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 21:30:58 -0000

Hi -

Slightly different topic from before.

The signature over the finished messages is TLS-PRF(HASH (handshake 
messages)).

My question - assuming the HASH and TLS-PRF both use SHA256 - what is 
the security strength of that signature function?

I note that back in the archive that Marsh Ray from Microsoft took a 
swing at this 
(https://www.ietf.org/mail-archive/web/tls/current/msg10584.html) and 
concluded it wasn't an issue, but he was looking at it from the 
viewpoint of recovery of the HMAC key, but I'm not sure this is the 
worst case viewpoint.

As I read the guidance, HMAC-SHA256 is 256 bit secure, but SHA256 is 
only 128 bit secure with respect to signatures.

If that's the case, is the handshake finished message signature security 
any stronger than the signature strength of the hash function?  E.g. 128 
bits for a SHA256 hash?

Note that I'm not having a discussion about whether or not 128 bits is 
sufficient, but whether or not SHA256 as the summary hash function 
represents the weakest part of the cipher suite for suites with bit 
strengths above 128 bits.

Mike