Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

Marsh Ray <marsh@extendedsubset.com> Tue, 08 March 2011 21:14 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 184E23A6407 for <tls@core3.amsl.com>; Tue, 8 Mar 2011 13:14:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.539
X-Spam-Level:
X-Spam-Status: No, score=-2.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rayKC7pHETtO for <tls@core3.amsl.com>; Tue, 8 Mar 2011 13:14:54 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 027713A6359 for <tls@ietf.org>; Tue, 8 Mar 2011 13:14:50 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1Px3x9-0004km-Hz for tls@ietf.org; Tue, 08 Mar 2011 20:56:23 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 2AA4360CF; Tue, 8 Mar 2011 21:15:44 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18k6357xsgI5Y7dG13x/DCTpcnsGgLYB74=
Message-ID: <4D769C7D.1000204@extendedsubset.com>
Date: Tue, 08 Mar 2011 15:15:41 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Thunderbird/3.1.8
MIME-Version: 1.0
To: Hovav Shacham <hovav@cs.ucsd.edu>
References: <AANLkTimW9kC2gsrxnuW47pGjjoaK_mB5QaMbLKS+0aAo@mail.gmail.com> <201103081830.p28IUdtN006451@fs4113.wdf.sap.corp> <AANLkTi=2zMBAKcEOP7rVKUcjU4AorKBDqzNa+3hOR6Co@mail.gmail.com>
In-Reply-To: <AANLkTi=2zMBAKcEOP7rVKUcjU4AorKBDqzNa+3hOR6Co@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2011 21:14:55 -0000

On 03/08/2011 02:19 PM, Hovav Shacham wrote:
>
> PRFs, unlike collision-resistant hashes, are not subject to birthday
> attacks.  This holds true even when they are constructed using using
> components originating in hash functions, as HMAC is.

Ah but how easily theory is defeated by practice.

The inputs to the PRF _are_ subject to birthday attacks. Note that in 
each case the handshake messages are is bottlenecked through a plain 
hash function rather than an HMAC.

    verify_data (TLS 1.0)
        PRF(master_secret, finished_label, MD5(handshake_messages) +
            SHA-1(handshake_messages)) [0..11];

     verify_data (TLS 1.2)
        PRF(master_secret, finished_label, Hash(handshake_messages))
           [0..verify_data_length-1];

So that gives

    master_secret - 384 bits ought to be enough for anybody.

    TLS 1.0 MD5(handshake_messages) + SHA-1(handshake_messages)
	Little better than the stronger of MD5 or SHA-1.

    TLS 1.2 Hash(handshake_messages) SHA-256
    	Approx 2^128 collisions.

I don't see any real problem there, but the TLS 1.0 case is worth 
keeping an eye on.

- Marsh