IETF Logo Mail Archive

Re: [TLS] draft-turner-ssl-must-not

Martin Rex <mrex@sap.com> Tue, 06 July 2010 14:25 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E6443A67F9 for <tls@core3.amsl.com>; Tue, 6 Jul 2010 07:25:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.951
X-Spam-Level:
X-Spam-Status: No, score=-9.951 tagged_above=-999 required=5 tests=[AWL=0.298, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sh05wDDBZGaI for <tls@core3.amsl.com>; Tue, 6 Jul 2010 07:25:12 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 7C7F73A6946 for <tls@ietf.org>; Tue, 6 Jul 2010 07:25:12 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o66EP3cF005929 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 6 Jul 2010 16:25:08 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201007061425.o66EP2Rc021252@fs4113.wdf.sap.corp>
To: marsh@xs01.extendedsubset.com
Date: Tue, 06 Jul 2010 16:25:02 +0200
In-Reply-To: <20100706064708.GA31209@xs01.extendedsubset.com> from "Marsh Ray" at Jul 6, 10 06:47:08 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-turner-ssl-must-not
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2010 14:25:13 -0000

Marsh Ray wrote:
> 
> On Tue, Jul 06, 2010 at 04:17:14AM +0200, Martin Rex wrote:
> > 
> > The base result is that the strength of concatenation of two
> > hash functions improves the result not as much as one might hope.
> > 
> > It always does improve the result, however.
> 
> Putting it another way, if you spend 36 bytes (288 bits) on space
> for your hash and it turns out to have only about 2^75 collision
> resistance, I'm not sure many people would call that an improvement.

It is an improvement because it is harder to find a collision
for both hashes than finding it for only one of them.  And it used
the commonly available cryptographic hashes at that time
(sha-2 was not available back then).

I see it as an improvement, even if it is a small one.


> 
> > Which means that SSLv3 is stronger than TLSv1.0 and TLSv1.1
> > in that respect.
> > 
> > Personally, I dislike the extreme truncation of the Finished
> > messages in TLS to 12 octets. My expectation is that this limits
> > the overall strength, and that it spoils the use of SHA-2 in TLSv1.2.
> 
> +1.
> 
> There's no logic to it, or whatever there might be is too clever by half.

There appears to be a lack of logic by not adjusting the truncation size
when going from a SHA-1 (=160 bits) based PRF to a SHA-256 (=256 bits)
based PRF.  In case a 96 bit truncation is deemed adequate for SHA-1,
then a truncation like 144 or 160 bits appears more appropriate for SHA-2.

-Martin

v2.23.0 | Report a Bug | By Email