Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft

Yoav Nir <ynir@checkpoint.com> Thu, 25 February 2010 06:04 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Marsh Ray <marsh@extendedsubset.com>
Date: Thu, 25 Feb 2010 08:06:23 +0200
Thread-Topic: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
Thread-Index: Acq14KaIPT7dp+jVSzy6IrLBfIVHvw==
Message-ID: <848CABEF-60CE-4CCD-A65C-EA5BB4DB4087@checkpoint.com>
References: <4B8407D7.9040207@briansmith.org> <C7AB19CF.88B9%stefan@aaa-sec.com><201002241753.o1OHrxuK015491@stingray.missi.ncsc.mil> <4B856F19.6080809@extendedsubset.com> <201002241950.o1OJonSH025171@stingray.missi.ncsc.mil> <4B8593FF.7030300@extendedsubset.com>
In-Reply-To: <4B8593FF.7030300@extendedsubset.com>
Cc: "Kemp, David P." <DPKemp@missi.ncsc.mil>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft

Something like this algorithm also has the benefit of side-stepping the whole national algorithms issue.

While "American" crypto algorithms may be unacceptable in Russia, perhaps an "American" non-crypto algorithm would be acceptable, and we won't need a GOST version.

(or Camellia)

On Feb 24, 2010, at 11:02 PM, Marsh Ray wrote:

> Kemp, David P. wrote:
>> Marsh Ray wrote:
>>> It will not be so fun to convince reviewers that "yes we're using 
>>> SHA-1 but not in a way that really matters."
>>> 
>>> If all you need is a 64-bit checksum for data-structure-style 
>>> hashing and indexing, use any old old-fashioned checksum algorithm.
>>> 
>>> 
>>> This would be simple for everyone to implement and it clearly 
>>> communicates your design intent (that the security of the design 
>>> does not depend on any properties of this value's calculation).
>> 
>> +1 in principle.
>> 
>> But practically speaking, do you have any suggestions for well-known
>> non-cryptographic hash algorithms?
> 
> Hmm, starting with http://en.wikipedia.org/wiki/List_of_hash_functions
> 
> FNV seems like a good candidate.
> http://en.wikipedia.org/wiki/Fowler-Noll-Vo_hash_function
> 
> Pros:
> * Wide existing usage:
> http://www.isthe.com/chongo/tech/comp/fnv/index.html#history
> 
> * On that page they disclaim patents on it.
> 
> * It is defined in power-of-two sizes from 32 to 1024 bits.
> 
> * Something of an endorsement:
> "We experimented with several different hash functions and found FNV has
> to be the best one."
> http://domino.watson.ibm.com/library/cyberdig.nsf/papers/2314E66547EF9CC5852576BE005F1E4F/$File/rc24939.pdf
> 
> Cons:
> 
> * Uses multiply. Probably not a big deal in practice.
> 
> * Not (yet) referenceable in a formal standards doc.
> 
>> A quick IANA search turned up
>> Kerberos checksums
>> http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml,
>> including CRC32 (4 octets), des-mac-k (8 octets), and several 16
>> octet algorithms including MD4 and MD5.
> 
> CRC64 doesn't seem to be so great with collisions:
> http://www.cs.ucl.ac.uk/staff/d.jones/crcnote.pdf
> The authors propose a better version.
> 
> You could use a pair of (some variant of) CRC32, each preloaded with
> different values. This may not be any better than CRC64 though and may
> not be terribly efficient.
> 
>> A search for other "hash", "mac", or "checksum" registries turned up
>> nothing new.
>> 
>> It doesn't feel quite right to add a non-cryptographic checksum to
>> the RFC 5246 registry:
>> 
>> enum { none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 
>> sha512(6), (255) } HashAlgorithm;
>> 
>> so even if there were such an algorithm, permitting both it and
>> cryptographic hashes would be painful.
> 
> Is it really necessary for this to be a flexible parameter?
> 
> An implementation now has a choice: implement them all (including ones
> that are never used in practice), or risk not being compatible
> somewhere.
> 
>> I don't see an alternative that satisfies both "simple to implement"
>> and "clearly communicates intent".  My care-abouts are 1) a common
>> interoperable algorithm and 2) bandwidth.  Computation speed is
>> unimportant,
> 
> There's always code size to consider.
> 
>> so if everyone thinks sha256 will be cryptographically
>> viable for the foreseeable future and SHA-1 will soon be impossible
>> to get "approved", then sha256 truncated to 64 bits could be a
>> reasonable MUST-support algorithm.
> 
> Now you'll have to explain why you're taking the output of an
> industrial-strength hash function and throwing away 3/4 of it. :-) Plus,
> it's wasted effort since collisions will be possible to find in any
> 64-bit hash function.
> 
> - Marsh
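The thread weighs FNV (a non-cryptographic hash, defined in power-of-two sizes) against SHA-256 truncated to 64 bits as the fingerprint for cached objects, and ends on the point that any 64-bit fingerprint admits findable collisions regardless of which function produced it. The following Python is an added illustration, not code from the thread or from the cached-info draft: it implements FNV-1a in the 32- and 64-bit sizes (the constants for those two sizes are the published ones; other sizes use their own constants and are not included), the truncated-SHA-256 alternative, and the birthday-bound arithmetic that makes the two equivalent in collision terms. The "cached object" bytes are constructed for the example.

```python
import hashlib
import math

# Published FNV-1a parameters for the two sizes covered here: (offset basis, prime).
FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193),
    64: (0xCBF29CE484222325, 0x100000001B3),
}

# Constructed stand-in for a cached object (e.g. a DER certificate); not real data.
CACHED_OBJECT = b"\x30\x82\x01\x0a" + bytes(range(48)) + b"example-cached-object"


def fnv1a(data: bytes, bits: int = 64) -> int:
    """FNV-1a: XOR each input byte into the state, then multiply by the FNV prime,
    keeping only `bits` bits. Only 32 and 64 are supported by this example."""
    if bits not in FNV_PARAMS:
        raise ValueError("unsupported FNV size for this example: %d" % bits)
    offset_basis, prime = FNV_PARAMS[bits]
    mask = (1 << bits) - 1
    h = offset_basis
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def sha256_trunc64(data: bytes) -> int:
    """The alternative discussed in the thread: SHA-256 with only the first
    8 bytes (64 bits) of the digest kept."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def fingerprints(obj: bytes) -> dict:
    """Both 64-bit fingerprints of one object, side by side. Either is a
    64-bit value; neither choice changes the collision bound below."""
    return {
        "fnv1a_64": fnv1a(obj, 64),
        "sha256_trunc64": sha256_trunc64(obj),
    }


def birthday_collision_probability(bits: int, n: int) -> float:
    """Probability that among n random inputs at least two share the same
    `bits`-bit fingerprint, via the standard approximation 1 - exp(-n^2 / 2^(bits+1))."""
    return 1.0 - math.exp(-(float(n) * float(n)) / 2.0 ** (bits + 1))


def inputs_for_half_chance(bits: int) -> float:
    """Roughly how many random inputs give a 50% chance of one collision:
    sqrt(2 ln 2) * 2^(bits/2), i.e. about 5e9 inputs for 64 bits."""
    return math.sqrt(2.0 * math.log(2.0)) * 2.0 ** (bits / 2.0)


if __name__ == "__main__":
    fp = fingerprints(CACHED_OBJECT)
    for name, value in fp.items():
        print("%-15s %016x" % (name, value))
    print("P(collision among 2^32 random 64-bit fingerprints) = %.3f"
          % birthday_collision_probability(64, 2 ** 32))
    print("inputs for ~50%% collision chance at 64 bits: %.2e"
          % inputs_for_half_chance(64))
```

The test vectors used below are the standard ones (FNV-1a of the empty string is the offset basis; FNV-1a of "a" is 0xe40c292c at 32 bits and 0xaf63dc4c8601ec8c at 64 bits). The design choice the thread argues for is visible in the arithmetic: the birthday bound depends only on the 64-bit output width, so a protocol that relies on the fingerprint purely for matching gains nothing from the cryptographic function beyond the cost of explaining the truncation.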