Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft

Marsh Ray, Wed, 24 February 2010 21:00 UTC


Kemp, David P. wrote:
> Marsh Ray wrote:
>> It will not be so fun to convince reviewers that "yes we're using 
>> SHA-1 but not in a way that really matters."
>> If all you need is a 64-bit checksum for data-structure-style 
>> hashing and indexing, use any old old-fashioned checksum algorithm.
>> This would be simple for everyone to implement and it clearly 
>> communicates your design intent (that the security of the design 
>> does not depend on any properties of this value's calculation).
> +1 in principle.
> But practically speaking, do you have any suggestions for well-known
> non-cryptographic hash algorithms?

Hmm, starting with

FNV seems like a good candidate.

* Wide existing usage:

* On that page they disclaim patents on it.

* It is defined in power-of-two sizes from 32 to 1024 bits.

* Something of an endorsement:
"We experimented with several different hash functions and found FNV hash
to be the best one."$File/rc24939.pdf


* Uses multiply. Probably not a big deal in practice.

* Not (yet) referenceable in a formal standards doc.

> A quick IANA search turned up
> Kerberos checksums
> including CRC32 (4 octets), des-mac-k (8 octets), and several 16
> octet algorithms including MD4 and MD5.

CRC64 doesn't seem to be so great with collisions:
The authors propose a better version.

You could use a pair of (some variant of) CRC32, each preloaded with
different values. This may not be any better than CRC64 though and may
not be terribly efficient.

> A search for other "hash", "mac", or "checksum" registries turned up
> nothing new.
> It doesn't feel quite right to add a non-cryptographic checksum to
> the RFC 5246 registry:
> enum { none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 
> sha512(6), (255) } HashAlgorithm;
> so even if there were such an algorithm, permitting both it and
> cryptographic hashes would be painful.

Is it really necessary for this to be a flexible parameter?

An implementation now has a choice: implement them all (including ones
that are never used in practice), or risk not being compatible.

> I don't see an alternative that satisfies both "simple to implement"
> and "clearly communicates intent".  My care-abouts are 1) a common
> interoperable algorithm and 2) bandwidth.  Computation speed is
> unimportant,

There's always code size to consider.

> so if everyone thinks sha256 will be cryptographically
> viable for the foreseeable future and SHA-1 will soon be impossible
> to get "approved", then sha256 truncated to 64 bits could be a
> reasonable MUST-support algorithm.

Now you'll have to explain why you're taking the output of an
industrial-strength hash function and throwing away 3/4 of it. :-) Plus,
it's wasted effort since collisions will be possible to find in any
64-bit hash function.

- Marsh
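As an added example, not code from the thread, the draft, or either poster: the 64-bit fingerprint candidates discussed above (FNV, SHA-256 truncated to 64 bits, and a pair of differently preloaded CRC32s), written as the compare a cached-info client and server would perform. The choice of the FNV-1a variant, the algorithm names, and the sample chain bytes are assumptions made here.

```python
import hashlib
import struct
import zlib

MASK64 = (1 << 64) - 1
FNV64_PRIME = 0x100000001B3
FNV64_OFFSET = 0xCBF29CE484222325

def fnv1a_64(data: bytes) -> int:
    """FNV-1a at its 64-bit size (variant assumed): xor each octet in, then multiply."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & MASK64
    return h

def sha256_trunc64(data: bytes) -> int:
    """David's alternative: full SHA-256, keeping only the first 8 octets."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def crc32_pair_64(data: bytes) -> int:
    """Marsh's 'pair of CRC32, each preloaded with different values'.
    CRC is linear, so the xor of the two halves depends only on the data
    length: equal-length inputs collide exactly when a single CRC32 does."""
    return (zlib.crc32(data, 0x00000000) << 32) | zlib.crc32(data, 0xFFFFFFFF)

# Algorithm names are assumed labels for this example, not registry values.
ALGORITHMS = {"fnv1a-64": fnv1a_64, "sha256-64": sha256_trunc64,
              "crc32x2-64": crc32_pair_64}

def fingerprint(cached_object: bytes, alg: str) -> bytes:
    """8 octets in network byte order, as a client would send them."""
    return struct.pack("!Q", ALGORITHMS[alg](cached_object))

def server_accepts(client_fp: bytes, current_object: bytes, alg: str) -> bool:
    """Server side: omit the object only if the client's cached copy matches."""
    return client_fp == fingerprint(current_object, alg)

# Constructed stand-ins for a cached certificate chain (not real certificates).
CHAIN_V1 = b"-- constructed certificate chain, serial 0001 --"
CHAIN_V2 = b"-- constructed certificate chain, serial 0002 --"

if __name__ == "__main__":
    for alg in ALGORITHMS:
        fp = fingerprint(CHAIN_V1, alg)
        print(alg, fp.hex(), server_accepts(fp, CHAIN_V1, alg), server_accepts(fp, CHAIN_V2, alg))
```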