Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft

Marsh Ray <marsh@extendedsubset.com> Wed, 24 February 2010 21:00 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 241703A8594 for <tls@core3.amsl.com>; Wed, 24 Feb 2010 13:00:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1sPakI6aEFk2 for <tls@core3.amsl.com>; Wed, 24 Feb 2010 13:00:47 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id ACCD728C0FA for <tls@ietf.org>; Wed, 24 Feb 2010 13:00:47 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NkONi-000EPY-Fg; Wed, 24 Feb 2010 21:02:55 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 20D636048; Wed, 24 Feb 2010 21:02:53 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18k5YJUzDpS4wQv8Y5YiYSvO7feFR2VBwg=
Message-ID: <4B8593FF.7030300@extendedsubset.com>
Date: Wed, 24 Feb 2010 15:02:55 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "Kemp, David P." <DPKemp@missi.ncsc.mil>
References: <4B8407D7.9040207@briansmith.org> <C7AB19CF.88B9%stefan@aaa-sec.com><201002241753.o1OHrxuK015491@stingray.missi.ncsc.mil> <4B856F19.6080809@extendedsubset.com> <201002241950.o1OJonSH025171@stingray.missi.ncsc.mil>
In-Reply-To: <201002241950.o1OJonSH025171@stingray.missi.ncsc.mil>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2010 21:00:49 -0000

Kemp, David P. wrote:
> Marsh Ray wrote:
>> It will not be so fun to convince reviewers that "yes we're using 
>> SHA-1 but not in a way that really matters."
>> 
>> If all you need is a 64-bit checksum for data-structure-style 
>> hashing and indexing, use any old old-fashioned checksum algorithm.
>> 
>> 
>> This would be simple for everyone to implement and it clearly 
>> communicates your design intent (that the security of the design 
>> does not depend on any properties of this value's calculation).
> 
> +1 in principle.
> 
> But practically speaking, do you have any suggestions for well-known
> non-cryptographic hash algorithms?

Hmm, starting with http://en.wikipedia.org/wiki/List_of_hash_functions

FNV seems like a good candidate.
http://en.wikipedia.org/wiki/Fowler-Noll-Vo_hash_function

Pros:
* Wide existing usage:
http://www.isthe.com/chongo/tech/comp/fnv/index.html#history

* On that page they disclaim patents on it.

* It is defined in power-of-two sizes from 32 to 1024 bits.

* Something of an endorsement:
"We experimetned with several different hash functions and found FNV has
to be the best one."
http://domino.watson.ibm.com/library/cyberdig.nsf/papers/2314E66547EF9CC5852576BE005F1E4F/$File/rc24939.pdf

Cons:

* Uses multiply. Probably not a big deal in practice.

* Not (yet) referenceable in a formal standards doc.

> A quick IANA search turned up
> Kerberos checksums
> http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml,
> including CRC32 (4 octets), des-mac-k (8 octets), and several 16
> octet algorithms including MD4 and MD5.

CRC64 doesn't seem to be so great with collisions:
http://www.cs.ucl.ac.uk/staff/d.jones/crcnote.pdf
The authors propose a better version.

You could use a pair of (some variant of) CRC32, each preloaded with
different values. This may not be any better than CRC64 though and may
not be terribly efficient.

> A search for other "hash", "mac", or "checksum" registries turned up
> nothing new.
> 
> It doesn't feel quite right to add a non-cryptographic checksum to
> the RFC 5246 registry:
> 
> enum { none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 
> sha512(6), (255) } HashAlgorithm;
> 
> so even if there were such an algorithm, permitting both it and
> cryptographic hashes would be painful.

Is it really necessary for this to be a flexible parameter?

A implementation now has a choice: implement them all (including ones
that are never used in practice), or risk not not being compatible
somewhere.

> I don't see an alternative that satisfies both "simple to implement"
> and "clearly communicates intent".  My care-abouts are 1) a common
> interoperable algorithm and 2) bandwidth.  Computation speed is
> unimportant,

There's always code size to consider.

> so if everyone thinks sha256 will be cryptographically
> viable for the foreseeable future and SHA-1 will soon be impossible
> to get "approved", then sha256 truncated to 64 bits could be a
> reasonable MUST-support algorithm.

Now you'll have to explain why you're taking the output of an
industrial-strength hash function and throwing away 3/4 of it. :-) Plus,
it's wasted effort since collisions will be possible to find in any
64-bit hash function.

- Marsh