Re: [TLS] Issue 49: Finished.verify length

Mike <mike-list@pobox.com> Fri, 14 September 2007 00:18 UTC

Message-ID: <46E9D35F.60904@pobox.com>
Date: Thu, 13 Sep 2007 17:18:39 -0700
From: Mike <mike-list@pobox.com>
To: tls@ietf.org
Subject: Re: [TLS] Issue 49: Finished.verify length
References: <20070913183453.D32DD33C21@delta.rtfm.com>
In-Reply-To: <20070913183453.D32DD33C21@delta.rtfm.com>

>   Currently Finished.verify_data is always 12 octets. With newer PRFs
>   and hashes, more might be useful. Should this depend on the PRF?
>   
> My take on this is that the 12-octet length is mostly independent
> of the PRF. After all, it's already been truncated from either 
> MD5 or SHA-1. Is there a good security reason to change this?

Since the Finished message is just the output of the PRF itself,
you can specify however much output you want.  In TLS 1.2, the
default PRF is based on HMAC-SHA-256, so 1 iteration of the PRF
generates 32 bytes.  With the Finished message currently using
only 12 bytes of PRF output, we are just throwing away 20 bytes
that could be utilized.  Therefore, the Finished message could
be increased to 32 bytes without impacting performance.

I am not a security expert, but I do know that 32 bytes is a lot
harder to guess than 12.

Mike
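
The point about PRF output above, as an added example that is not part of the original post: P_SHA256 and the Finished computation written from the definitions in RFC 5246 (the published TLS 1.2), counting HMAC calls to show that 12 and 32 bytes of verify_data cost the same while a 33rd byte needs another iteration. The function names and all sample inputs are constructed for illustration.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes per HMAC-SHA-256 output block


def p_sha256(secret, seed, length):
    """P_hash with HMAC-SHA-256 (RFC 5246, section 5).

    Returns (output, hmac_calls) so the cost of each output length is visible.
    """
    out, calls = b"", 0
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # block i
        calls += 2
    return out[:length], calls


def finished_verify_data(master_secret, label, handshake_messages, length):
    """verify_data = PRF(master_secret, label, Hash(handshake_messages))[:length]."""
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return p_sha256(master_secret, label + transcript_hash, length)


def check_finished(received, master_secret, label, handshake_messages, length):
    """Receiver side: the length is fixed by the protocol, never by the peer."""
    if len(received) != length:
        return False
    expected, _ = finished_verify_data(
        master_secret, label, handshake_messages, length)
    return hmac.compare_digest(received, expected)  # constant-time comparison


# Constructed sample inputs (not taken from a real handshake).
MASTER_SECRET = bytes(range(48))
HANDSHAKE = b"constructed ClientHello..ServerHelloDone transcript"
LABEL = b"client finished"

if __name__ == "__main__":
    for n in (12, HASH_LEN, HASH_LEN + 1):
        vd, calls = finished_verify_data(MASTER_SECRET, LABEL, HANDSHAKE, n)
        print(f"{n:2d} bytes, {calls} HMAC calls: {vd.hex()}")
```

The 12-byte value is a prefix of the 32-byte one, so lengthening verify_data changes only how much of the same first output block is kept.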
