Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

Nikos Mavrogiannopoulos <nmav@gnutls.org> Wed, 09 March 2011 09:09 UTC

On Tue, Mar 8, 2011 at 7:51 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>> Perhaps, but this isn't a digest but rather a MAC, and so the attack
>>> model is different.
>> You seem to be forgetting that the finished messages have been reused
>> for other purposes already:
> No, I'm not forgetting that. That doesn't change the fact that the
> computation is
> a MAC.

I'm not a specialist in MAC algorithms, but by checking
the ECRYPT II [0] report of 2009-2010, I can try to make some points.
A MAC has a security level that depends on the size of the MAC
and the size of the key. That is, a 12-byte MAC has a security level of
MIN(2^{key_size}, 2^{96}) [1], irrespective of the key size used.

As I understand it, the addition of SHA-384 as PRF was to increase
the security margin of TLS compared to the SHA-1 PRF. This
is not occurring now, because a MAC based on an algorithm that
returns 384 bits and truncates them to 96 can offer nothing more
than an algorithm that outputs 160 bits and is truncated to 96.
Hence there is no significant difference between SHA-1 and SHA-384
in that case, so why define SHA-384 anyway?

For me the ciphersuites defined in TLS should have a uniform
security level, i.e. why use AES-256 with a security level of 2^256
but use a MAC for the handshake of 2^96 bits?

regards,
Nikos

[0]. http://www.ecrypt.eu.org/documents/D.SPA.13.pdf

[1]. For an HMAC the square root of the internal state of the hash
algorithm also affects the security level.
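As an added illustration of the truncation point raised in this message (example code, not part of the original mail or of any TLS implementation): the TLS 1.2 Finished verify_data is PRF(master_secret, finished_label, Hash(handshake_messages)) cut to verify_data_length bytes, and the PRF is built from HMAC over the suite's hash (RFC 5246, section 5). The code implements that PRF for both SHA-256 and SHA-384 and shows that the tag handed to the peer is 12 bytes in either case; the master secret and handshake transcript are constructed sample values.

```python
import hashlib
import hmac

# RFC 5246, section 5: P_hash(secret, seed) = HMAC(secret, A(1) + seed) +
# HMAC(secret, A(2) + seed) + ... with A(0) = seed, A(i) = HMAC(secret, A(i-1)).
def p_hash(hash_name, secret, seed, length):
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

# TLS 1.2 PRF: PRF(secret, label, seed) = P_<hash>(secret, label + seed).
def prf(hash_name, secret, label, seed, length):
    return p_hash(hash_name, secret, label + seed, length)

# Finished.verify_data = PRF(master_secret, finished_label,
#                            Hash(handshake_messages))[0:verify_data_length]
# verify_data_length defaults to 12 bytes; the suites discussed in the thread
# keep that default even when the PRF hash is SHA-384.
def verify_data(hash_name, master_secret, finished_label, handshake_messages,
                verify_data_length=12):
    transcript_hash = hashlib.new(hash_name, handshake_messages).digest()
    return prf(hash_name, master_secret, finished_label, transcript_hash,
               verify_data_length)

# The bound from footnote [1], without HMAC's internal-state term: an attacker
# either guesses the tag (tag_bits) or the key (key_bits), whichever is cheaper.
def mac_security_bits(key_bits, tag_bits):
    return min(key_bits, tag_bits)

# Constructed sample values (not taken from a real handshake).
MASTER_SECRET = bytes(range(48))
HANDSHAKE_MESSAGES = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"

if __name__ == "__main__":
    for h in ("sha256", "sha384"):
        vd = verify_data(h, MASTER_SECRET, b"client finished", HANDSHAKE_MESSAGES)
        print(h, len(vd) * 8, "bit verify_data:", vd.hex())
    print("security bits with a 48-byte master secret:", mac_security_bits(48 * 8, 96))
```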