Re: [TLS] SHA-1 vs. FNV-1
Eric Rescorla <ekr@rtfm.com> Mon, 10 May 2010 16:41 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 972EA3A6818 for <tls@core3.amsl.com>; Mon, 10 May 2010 09:41:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.198
X-Spam-Level:
X-Spam-Status: No, score=0.198 tagged_above=-999 required=5 tests=[AWL=-0.425, BAYES_50=0.001, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wk7dLrq2Ghg1 for <tls@core3.amsl.com>; Mon, 10 May 2010 09:41:39 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id A72903A69C6 for <tls@ietf.org>; Mon, 10 May 2010 09:41:39 -0700 (PDT)
Received: by gyh4 with SMTP id 4so2124736gyh.31 for <tls@ietf.org>; Mon, 10 May 2010 09:41:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.91.95.15 with SMTP id x15mr2143395agl.104.1273509685970; Mon, 10 May 2010 09:41:25 -0700 (PDT)
Received: by 10.90.25.1 with HTTP; Mon, 10 May 2010 09:41:25 -0700 (PDT)
In-Reply-To: <4BE835C3.9050105@extendedsubset.com>
References: <20100509211958.19EB528C0E8@core3.amsl.com> <4BE835C3.9050105@extendedsubset.com>
Date: Mon, 10 May 2010 09:41:25 -0700
Message-ID: <AANLkTiltmKBHmmRUVdWrghD9DlSk4htVW6QX7P_cDo9C@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: Marsh Ray <marsh@extendedsubset.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] SHA-1 vs. FNV-1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 16:41:40 -0000
On Mon, May 10, 2010 at 9:35 AM, Marsh Ray <marsh@extendedsubset.com> wrote: > On 5/9/2010 4:19 PM, Blumenthal, Uri - 0668 - MITLL wrote: >> our current >> practice of using SHA-1 is dying just like the previous practice of >> using MD5 (and MD4 before it) is dead. So justifying continuous use >> of SHA-1 is improper: for security purposes it is broken, and for >> non-security purposes it's rather slow. > > Well said. That is my opinion, too. > > To put it another way: Any argument that could be made in favor of using > SHA-1 could be made in favor of MD5 (or even MD4). In fact, MD5 would be > superior. It's also "in everybody's stack already" right? (Ignoring > those for the moment those who will implement only TLS 1.2 and forward.) > Plus, MD5 is more efficient. So anybody insisting on SHA-1 should > justify the extra CPU usage over MD5, no? No, that's not true. Again, SHA-1 is simply the default hash algorithm people use at this point. Other than that, MD5 would be fine, yes. As for "insisting", I really don't know what you mean. I'm not "insisting" on SHA-1 any more than Stefan is "insisting" on FNV-1. This is an undecided question in the WG and I'm stating my opinion. > Let's not forget where this started: > > Additional protocol elements for dynamically negotiating among a > extensible set of cryptographic hash functions for use where a > cryptographic hash function was not needed anyway. Vendors would be > expected to support some perpetual subset of them or risk > interoperability problems (probably everyone would just end up using > that one everywhere anyway). Servers might have to track multiple hash > values for the same resource. Another set of parameters for attackers to > manipulate imperfect implementations with. I have no brief for those elements. I'm happy to simply mandate SHA-1. > Additional explanation when a > security review legitimately questions the use of deprecated crypto > algorithms. As I noted previously, that exact explanation will need to be present to justify the use of a non-cryptographic hash. -Ekr
- [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Stefan Santesson
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] SHA-1 vs. FNV-1 Stefan Santesson
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Michael D'Errico
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] SHA-1 vs. FNV-1 Marsh Ray
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] SHA-1 vs. FNV-1 Simon Josefsson
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Stefan Santesson
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Stefan Santesson
- Re: [TLS] SHA-1 vs. FNV-1 Marsh Ray
- Re: [TLS] SHA-1 vs. FNV-1 Kemp, David P.
- Re: [TLS] SHA-1 vs. FNV-1 Simon Josefsson
- Re: [TLS] SHA-1 vs. FNV-1 Eric Rescorla
- Re: [TLS] SHA-1 vs. FNV-1 Blumenthal, Uri - 0668 - MITLL