Re: [TLS] TLS1.3

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Mon, 11 February 2013 09:26 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "Lewis, Nick" <nick.lewis@usa.g4s.com>
Date: Mon, 11 Feb 2013 09:26:40 +0000
Message-ID: <B132B06E59C4A540A03C3393F53BC07C408169C0@EXCH-MB01.cc.rhul.local>
References: <AAE0766F5AF36B46BAB7E0EFB9273206194A67DCDC@GBTWK10E001.Technology.local>
In-Reply-To: <AAE0766F5AF36B46BAB7E0EFB9273206194A67DCDC@GBTWK10E001.Technology.local>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.3

Nick,

> The reality of TLS though is that there are many MACs in everyday use that are not secure (based on hashes of 80bits or even 64 bits). These are currently protected from attack by being behind strong (112bit or 128 bit) crypt.

The "usual" MAC algorithms for TLS are HMAC-MD5, HMAC-SHA-1 and HMAC-SHA-256 (HMAC-SHA-384 is also a possibility). These all have MAC tags of at least 128 bits.

RFC 6066 standardises "truncated" MAC tags for TLS, but these are known to be dangerous when used in combination with TLS's variable length padding (see the distinguishing attack in my Asiacrypt 2011 paper with Ristenpart and Shrimpton).

However, I was not aware of anyone actually using these truncated MAC tags, or any other short-output MAC algorithms in TLS.

Can you provide specific examples in support of your argument?

Thanks,

Kenny
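The tag lengths Kenny quotes, and the 80-bit truncation RFC 6066 defines, can be checked concretely. The following is an added example (not code from the mail or from any TLS implementation): it computes the TLS 1.2 record MAC over the record header and fragment, optionally truncated as in the truncated_hmac extension, and flags any configuration whose tag falls below the 128-bit floor the mail mentions. The key, sequence number and fragment are constructed sample values.

```python
import hmac
import hashlib
import struct

# The "usual" TLS MAC algorithms named in the mail, with full tag sizes.
TLS_MAC_ALGORITHMS = {
    "hmac-md5": hashlib.md5,        # 128-bit tag
    "hmac-sha1": hashlib.sha1,      # 160-bit tag
    "hmac-sha256": hashlib.sha256,  # 256-bit tag
    "hmac-sha384": hashlib.sha384,  # 384-bit tag
}

# RFC 6066 truncated_hmac extension: the tag is cut to 80 bits (10 bytes).
TRUNCATED_HMAC_BYTES = 10


def tls12_record_mac(alg, mac_key, seq_num, content_type, version, fragment, truncated=False):
    """TLS 1.2 record MAC (RFC 5246 section 6.2.3.1):
    HMAC(key, seq_num || type || version || length || fragment).
    With truncated=True the tag is cut to 80 bits as RFC 6066 specifies."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    tag = hmac.new(mac_key, header + fragment, TLS_MAC_ALGORITHMS[alg]).digest()
    return tag[:TRUNCATED_HMAC_BYTES] if truncated else tag


def tag_bits(alg, truncated=False):
    """Number of tag bits actually protecting each record for this choice."""
    if truncated:
        return TRUNCATED_HMAC_BYTES * 8
    return TLS_MAC_ALGORITHMS[alg]().digest_size * 8


def short_tag_warning(alg, truncated=False, minimum_bits=128):
    """True when the configuration leaves fewer than minimum_bits of tag."""
    return tag_bits(alg, truncated) < minimum_bits


def demo():
    """Constructed sample record: application_data (23), TLS 1.2 (0x0303)."""
    key = bytes(range(20))                      # constructed sample MAC key
    fragment = b"GET / HTTP/1.1\r\n"            # constructed sample plaintext
    full = tls12_record_mac("hmac-sha1", key, 1, 23, 0x0303, fragment)
    short = tls12_record_mac("hmac-sha1", key, 1, 23, 0x0303, fragment, truncated=True)
    return {"full_bits": len(full) * 8, "truncated_bits": len(short) * 8,
            "truncated_is_prefix": full.startswith(short)}
```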