Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
Eric Rescorla <ekr@rtfm.com> Wed, 09 March 2011 14:50 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D49143A6874 for <tls@core3.amsl.com>; Wed, 9 Mar 2011 06:50:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.92
X-Spam-Level:
X-Spam-Status: No, score=-102.92 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0LH17ibz-Pp for <tls@core3.amsl.com>; Wed, 9 Mar 2011 06:50:34 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by core3.amsl.com (Postfix) with ESMTP id DA92B3A69FB for <tls@ietf.org>; Wed, 9 Mar 2011 06:50:33 -0800 (PST)
Received: by iyj8 with SMTP id 8so741504iyj.31 for <tls@ietf.org>; Wed, 09 Mar 2011 06:51:50 -0800 (PST)
MIME-Version: 1.0
Received: by 10.42.74.71 with SMTP id v7mr8428206icj.232.1299682310218; Wed, 09 Mar 2011 06:51:50 -0800 (PST)
Received: by 10.42.234.9 with HTTP; Wed, 9 Mar 2011 06:51:50 -0800 (PST)
In-Reply-To: <201103091406.p29E6ABc011887@fs4113.wdf.sap.corp>
References: <197ECCE1-F179-4CF2-BBCE-8FE686A33497@checkpoint.com> <201103091406.p29E6ABc011887@fs4113.wdf.sap.corp>
Date: Wed, 09 Mar 2011 06:51:50 -0800
Message-ID: <AANLkTi=OEs8KF=VbJhrEdRADc_07w5zt462GVovGrfXw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 14:50:35 -0000
On Wed, Mar 9, 2011 at 6:06 AM, Martin Rex <mrex@sap.com> wrote: > Yoav Nir wrote: >> >> On Mar 9, 2011, at 2:06 PM, Martin Rex wrote: >> >> > >> > What I'm reading here is that a truncation of an HMAC or an HMAC-like >> > construct to 96 bits cuts the effective security down to 96-bit. >> > >> > You call the use of SHA-384 for the HMAC in such a situation "overkill", >> > I call it cryptographic imbalance. >> >> I've heard the balance argument before, and I don't really find it >> compelling. It implies that if I'm using 1024-bit RSA, then it is >> inherently wrong to use AES-128 or SHA-384. There are other >> considerations in design besides bit-strength. Bit strength should >> be used as a minimum value, depending on the estimated resources >> of your opponent. > > There is a big difference whether a limitation is hardwired into a > protocol, or whether a limitation is a side-effect of configuration > and properties selected by the consumer of the technology. > > For most TLS implementations that I'm aware of, the cipher suites > are user-configurable and the size of the keys in the server > certificates and the hash that is used in the signature of > the certificates are determined by the consumer. > > > The truncation of the finished message hashes to 96-bits is an undue > hard limit in TLSv1.2, and it becomes more aggravating if you're > using a hash with an even larger output size than SHA-256 and the > truncation of the finished messages is not changed to be no less > than half the output size of the hash algorithm. In that case, you'll be glad to know it's not a hard limit: http://tools.ietf.org/html/rfc5246#section-7.4.9 In previous versions of TLS, the verify_data was always 12 octets long. In the current version of TLS, it depends on the cipher suite. Any cipher suite which does not explicitly specify verify_data_length has a verify_data_length equal to 12. This includes all existing cipher suites. Note that this representation has the same encoding as with previous versions. Future cipher suites MAY specify other lengths but such length MUST be at least 12 bytes. > TLSv1.2 was supposed to provide a framework that can deliver TLS > with a strength >128=bits of security. But it failed to deliver > this by (1) not adjusting the truncation of the finished messages > and (2) not documenting that the truncation of the finished messages > MUST be done along with the use of stronger ciphers, stronger hashes > and larger key lengths in order to actually obtain a balanced > security of the desired higher strength. Well, as I've said during this thread, I believe your understanding of what "security level" means in this context is wrong. I.e., a 128-bit security level against offline attack is very different than a 2^{-128} chance of successful guessing exactly once on each connection. However, TLS 1.2 does in fact have the flexibility you are requesting. > Even when facing real non-compliance, like the botched client_version check > on the premaster secret in Windows 7 schannel, I'm more interested > in producing recommendations that avoid interop problems, because > in the IETF interoperability used to be more important than > academic purity in design. Oddly, I think of this balance argument as not much more than academic purity. -Ekr
- [TLS] Last Call: <draft-kanno-tls-camellia-00.txt… The IESG
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Satoru Kanno
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Sean Turner
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Hovav Shacham
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Hovav Shacham
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Yoav Nir
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Peter Gutmann
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Stephen Kent
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Eric Rescorla
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Stephen Kent
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Martin Rex
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Marsh Ray
- Re: [TLS] Last Call: <draft-kanno-tls-camellia-00… Nikos Mavrogiannopoulos