IETF Logo Mail Archive

Re: [TLS] FNV versus SHA-1 in cached info

"Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu> Fri, 07 May 2010 17:10 UTC

Return-Path: <prvs=27436d9d74=uri@ll.mit.edu>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 72DC53A67C2 for <tls@core3.amsl.com>; Fri, 7 May 2010 10:10:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.623
X-Spam-Level:
X-Spam-Status: No, score=-3.623 tagged_above=-999 required=5 tests=[AWL=-0.376, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4, SARE_OBFU_ALL=0.751, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P86isxL0H52R for <tls@core3.amsl.com>; Fri, 7 May 2010 10:10:56 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by core3.amsl.com (Postfix) with ESMTP id 3757E3A672E for <tls@ietf.org>; Fri, 7 May 2010 10:10:56 -0700 (PDT)
Received: from LLE2K7-HUB02.mitll.ad.local (LLE2K7-HUB02.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id o47HAdmf006182; Fri, 7 May 2010 13:10:43 -0400
From: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>, Simon Josefsson <simon@josefsson.org>
Date: Fri, 07 May 2010 13:10:40 -0400
Thread-Topic: [TLS] FNV versus SHA-1 in cached info
Thread-Index: AcruAiSWfrTQ/3ZLTQqUr3gZstkRnAABhNnB
Message-ID: <C809C1D0.A4B5%uri@ll.mit.edu>
In-Reply-To: <20100507162620.GD9429@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-Entourage/13.4.0.100208
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-05-07_02:2010-02-06, 2010-05-07, 2010-05-07 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=5.0.0-0908210000 definitions=main-1005070103
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] FNV versus SHA-1 in cached info
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2010 17:10:59 -0000

For cryptographic purposes agility is critical, and it's obvious.

For non-cryptographic purposes - who cares. Let the implementers figure what
works best and "codify" it. If it's SHA - fine. If it's FNV - fine. If it's
MD4 - fine. No sense avoiding cryptographically broken algorithms for
non-cryptographic use.


On 5/7/10  12:26 , "Nicolas Williams" <Nicolas.Williams@oracle.com> wrote:

> On Fri, May 07, 2010 at 01:24:18PM +0200, Simon Josefsson wrote:
>> Stefan Santesson <stefan@aaa-sec.com> writes:
>>> I would not have any problem with using SHA-1 if it could be used with no
>>> agility what so ever. But I seriously doubt that this will be accepted and
>>> for that reason I would like to keep FNV.
> 
> It's been accepted elsewhere.  If cryptographic properties are not
> required then algorithm agility is also not required.
> 
>> I also prefer to use FNV here.
> 
> I am of two minds about this issue.
> 
>> Organizations are performing review of how MD5 and eventually SHA-1 are
>> used in their code bases, and this is costly.
> 
> This is true, however, you'd think that we should all also audit our
> code bases and protocols (proprietary and otherwise) to ensure that we
> do use strong cryptographic algorithms where we _need_ them, that we
> have migration plans, and that we execute them.  Just removing uses of
> MD5 and SHA-1 will not do.
> 
> I'm concerned that a blanket "must not use MD5 nor SHA-1" rule will be
> counter-productive for _proprietary_ protocols: developers might resort
> to home-grown non-cryptographic hashes where they need cryptographic
> ones, just to avoid unwelcome auditor attention.  Clearly that won't
> happen for Internet protocols -not much- but there's a bigger world out
> there, and training management to just ban weak algorithms might well
> have unintended and very negative consequences.
> 
> Thus I'm not too sympathetic to arguments that we should refrain from
> using MD5/SHA-1 where cryptographic properties are not needed.  I'd
> rather train auditors to analyze protocols correctly than to apply
> reflexive dicta.
> 
> But I've also seen the pressure to avoid using MD5/SHA-1 altogether, and
> understand that often it's just easier to give.
> 
>>                                                If we know when designing
>> a protocol that the normal cryptographic properties are not essential,
>> and that an algorithm like FNV will suffice, it saves everyone the costs
>> associated with that review.  [...]
> 
> Does it?  We still have to review whether cryptographic properties were
> or were not necessary.
> 
>> I wish we used something like FNV instead of SHA-1 in SASL GS2, the use
>> there also do not require cryptographic properties.
> 
> Quick, we're still in AUTH48!  (Just kidding.)
> 
> Nico

-- 
Regards,
Uri         uri@ll.mit.edu
<Disclaimer>

v2.23.0 | Report a Bug | By Email