Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
Eric Rescorla <ekr@rtfm.com> Tue, 08 March 2011 18:34 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F2F293A68AF; Tue, 8 Mar 2011 10:34:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.917
X-Spam-Level:
X-Spam-Status: No, score=-102.917 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ddY9CFiCHC0; Tue, 8 Mar 2011 10:34:12 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id B73053A689A; Tue, 8 Mar 2011 10:34:11 -0800 (PST)
Received: by iwl42 with SMTP id 42so6430672iwl.31 for <multiple recipients>; Tue, 08 Mar 2011 10:35:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.42.189.202 with SMTP id df10mr6109439icb.366.1299609326772; Tue, 08 Mar 2011 10:35:26 -0800 (PST)
Received: by 10.42.234.9 with HTTP; Tue, 8 Mar 2011 10:35:26 -0800 (PST)
In-Reply-To: <201103081830.p28IUdtN006451@fs4113.wdf.sap.corp>
References: <AANLkTimW9kC2gsrxnuW47pGjjoaK_mB5QaMbLKS+0aAo@mail.gmail.com> <201103081830.p28IUdtN006451@fs4113.wdf.sap.corp>
Date: Tue, 08 Mar 2011 10:35:26 -0800
Message-ID: <AANLkTikrdfQKGU_dhyAk8nHS0OmmsFBWTumLGuuONQ-b@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: ietf@ietf.org, tls@ietf.org
Subject: Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2011 18:34:13 -0000
On Tue, Mar 8, 2011 at 10:30 AM, Martin Rex <mrex@sap.com> wrote: > Eric Rescorla wrote: >> >> On Tue, Mar 8, 2011 at 10:07 AM, Martin Rex <mrex@sap.com> wrote: >> > Eric Rescorla wrote: >> >> >> >> On Tue, Mar 8, 2011 at 9:20 AM, Martin Rex <mrex@sap.com> wrote: >> >> > Eric Rescorla wrote: >> >> >> >> >> >> I don't understand this reasoning. Why does the output size of the >> >> >> pre-truncated PRF >> >> >> influence the desirable length of the verify_data (provided that the >> >> >> output size is > than >> >> >> the length of the verify_data of course). >> >> > >> >> > One of the purposes of a cryptographic hash function is to protect >> >> > from collisions (both random and fabricated collisions). >> >> > >> >> > Cutting down the SHA-384 output from 48 to 12 octets significantly impairs >> >> > its ability to protect from collisions. It's comparable to >> >> > truncating the SHA-1 output from 20 to 5 octets. >> >> >> >> I don't understand this analysis. Consider two ideal PRFs: >> >> >> >> * R-160 with a 160-bit output >> >> * R-256 with a 256-bit output >> >> >> >> Now, consider the function R-256-Reduced, >> >> which takes the first 160 bits of R-256. >> >> Are you arguing that R-256-Reduced is weaker than R-160? If so, why? >> > >> > What we're having are the two cases: >> > >> > 1) R-160 truncated to 96 bits >> > 2) R-256 truncated to 96 bits >> > 3) R-160 with full 160-bits >> > >> > >> > If your primary focus was collision avoidance, then >> > 3) is stronger than 1) and 2) by a huge margin. >> >> Yes, I totally agree. >> >> >> > There may be reasons why you don't want (3), like an attackers ability >> > to verify when he guesses keys correctly that are input to the PRF. >> > >> > When 20/12 is a good truncation ratio for a 160-bit PRF, >> > then 48/12 looks like a poor truncation ratio for a 384-bit PRF >> > (and SHA-384 is already a truncated SHA-512 anyway). >> > Applying the 20/12 tradeoff to R-256 results in approximately (32/20) >> > and to R-384 results in approximately (48/28) -- with (48/32) probably >> > sufficiently close. >> >> I don't understand this analysis at all. Again, are you arguing that >> (1) and (2) have different security properties? > > In case they were both "ideal" - no. > > But in that case, asking anyone for the effort to replace > 1) with 2) would be a complete waste of resources. > > > If we move in a new, stronger crypto-algorithm, then we should not > unreasonably spoil its properties. > > Truncating a SHA-384 based PRF to 12 octets is like using > an sha384WithRsaEncryption signature with a 1024 bit RSA key, > it is an imbalanced pairing of algorithms&keys. Again, I don't understand this: TLS already (as of TLS 1.0) truncated the PRF down to 12 bytes, so we are already producing an output that is substantially shorter than the digest that is the basis of the function. If the security arguments for why that is good are valid (and FWIW I think they are) then as far as I can tell they are equally applicable to SHA-384. -Ekr
- [TLS] Last Call: <draft-kanno-tls-camellia-00.txt… The IESG
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Satoru Kanno
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Sean Turner
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Hovav Shacham
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Hovav Shacham
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Yoav Nir
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Stephen Kent
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Stephen Kent
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos