IETF Logo Mail Archive

Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

Eric Rescorla <ekr@rtfm.com> Wed, 09 March 2011 14:50 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D49143A6874 for <tls@core3.amsl.com>; Wed, 9 Mar 2011 06:50:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.92
X-Spam-Level:
X-Spam-Status: No, score=-102.92 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0LH17ibz-Pp for <tls@core3.amsl.com>; Wed, 9 Mar 2011 06:50:34 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by core3.amsl.com (Postfix) with ESMTP id DA92B3A69FB for <tls@ietf.org>; Wed, 9 Mar 2011 06:50:33 -0800 (PST)
Received: by iyj8 with SMTP id 8so741504iyj.31 for <tls@ietf.org>; Wed, 09 Mar 2011 06:51:50 -0800 (PST)
MIME-Version: 1.0
Received: by 10.42.74.71 with SMTP id v7mr8428206icj.232.1299682310218; Wed, 09 Mar 2011 06:51:50 -0800 (PST)
Received: by 10.42.234.9 with HTTP; Wed, 9 Mar 2011 06:51:50 -0800 (PST)
In-Reply-To: <201103091406.p29E6ABc011887@fs4113.wdf.sap.corp>
References: <197ECCE1-F179-4CF2-BBCE-8FE686A33497@checkpoint.com> <201103091406.p29E6ABc011887@fs4113.wdf.sap.corp>
Date: Wed, 09 Mar 2011 06:51:50 -0800
Message-ID: <AANLkTi=OEs8KF=VbJhrEdRADc_07w5zt462GVovGrfXw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 14:50:35 -0000

On Wed, Mar 9, 2011 at 6:06 AM, Martin Rex <mrex@sap.com> wrote:
> Yoav Nir wrote:
>>
>> On Mar 9, 2011, at 2:06 PM, Martin Rex wrote:
>>
>> >
>> > What I'm reading here is that a truncation of an HMAC or an HMAC-like
>> > construct to 96 bits cuts the effective security down to 96-bit.
>> >
>> > You call the use of SHA-384 for the HMAC in such a situation "overkill",
>> > I call it cryptographic imbalance.
>>
>> I've heard the balance argument before, and I don't really find it
>> compelling. It implies that if I'm using 1024-bit RSA, then it is
>> inherently wrong to use AES-128 or SHA-384. There are other
>> considerations in design besides bit-strength. Bit strength should
>> be used as a minimum value, depending on the estimated resources
>> of your opponent.
>
> There is a big difference whether a limitation is hardwired into a
> protocol, or whether a limitation is a side-effect of configuration
> and properties selected by the consumer of the technology.
>
> For most TLS implementations that I'm aware of, the cipher suites
> are user-configurable and the size of the keys in the server
> certificates and the hash that is used in the signature of
> the certificates are determined by the consumer.
>
>
> The truncation of the finished message hashes to 96-bits is an undue
> hard limit in TLSv1.2, and it becomes more aggravating if you're
> using a hash with an even larger output size than SHA-256 and the
> truncation of the finished messages is not changed to be no less
> than half the output size of the hash algorithm.

In that case, you'll be glad to know it's not a hard limit:

http://tools.ietf.org/html/rfc5246#section-7.4.9

      In previous versions of TLS, the verify_data was always 12 octets
      long.  In the current version of TLS, it depends on the cipher
      suite.  Any cipher suite which does not explicitly specify
      verify_data_length has a verify_data_length equal to 12.  This
      includes all existing cipher suites.  Note that this
      representation has the same encoding as with previous versions.
      Future cipher suites MAY specify other lengths but such length
      MUST be at least 12 bytes.

> TLSv1.2 was supposed to provide a framework that can deliver TLS
> with a strength >128=bits of security.  But it failed to deliver
> this by (1) not adjusting the truncation of the finished messages
> and (2) not documenting that the truncation of the finished messages
> MUST be done along with the use of stronger ciphers, stronger hashes
> and larger key lengths in order to actually obtain a balanced
> security of the desired higher strength.

Well, as I've said during this thread, I believe your understanding of what
"security level" means in this context is wrong. I.e., a 128-bit security
level against offline attack is very different than a 2^{-128} chance of
successful guessing exactly once on each connection. However, TLS 1.2
does in fact have the flexibility you are requesting.


> Even when facing real non-compliance, like the botched client_version check
> on the premaster secret in Windows 7 schannel, I'm more interested
> in producing recommendations that avoid interop problems, because
> in the IETF interoperability used to be more important than
> academic purity in design.

Oddly, I think of this balance argument as not much more than academic purity.

-Ekr

v2.23.0 | Report a Bug | By Email