IETF Logo Mail Archive

Re: [TLS] TLS 1.3 draft-07 sneak peek

Watson Ladd <watsonbladd@gmail.com> Sat, 04 July 2015 13:31 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C8DF1ACD98 for <tls@ietfa.amsl.com>; Sat, 4 Jul 2015 06:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.3
X-Spam-Level:
X-Spam-Status: No, score=0.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MANGLED_OFF=2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id clZcXpx3CzeD for <tls@ietfa.amsl.com>; Sat, 4 Jul 2015 06:31:16 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8670C1ACD80 for <tls@ietf.org>; Sat, 4 Jul 2015 06:31:16 -0700 (PDT)
Received: by wiga1 with SMTP id a1so195973301wig.0 for <tls@ietf.org>; Sat, 04 Jul 2015 06:31:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=74EW1oP8jqJZgknXWc0EMnt3AK+jPI5DKqutp3bv1f4=; b=e7ARM+KDOHyXmItZtStAAz1kDy3JimI+q1YZUvy8q4e+v1E2SSU+b+n1LcVpVeDp9+ pVuBoyoRQJsnJYJQYsKCoajQGpva2j7d30Bj8sYwYuXYmXmIAzdQCKQToDFswGqOjzMD OOByZ16/Vkm0IokxNF3DNRjC0m4rf884f775S18LkFc+IakWSEhWr1oAoMVfrtQw4wfH wp/LvRo+Ist6QuFaf/MQ3keRZ05rLGUFzNR/eqsJ4d22WiX9PG8xCL4jNjDzOcJkX7Mm gG9Q5Ep3JecXkyN6E7m6snld3+GfZC2ZLBGpqFXRurQ8w8ni3LC9f+vVhXPTt9lfiw31 nMGg==
MIME-Version: 1.0
X-Received: by 10.180.188.48 with SMTP id fx16mr36457596wic.35.1436016675310; Sat, 04 Jul 2015 06:31:15 -0700 (PDT)
Received: by 10.194.20.97 with HTTP; Sat, 4 Jul 2015 06:31:15 -0700 (PDT)
In-Reply-To: <20150704034218.613C41A1B3@ld9781.wdf.sap.corp>
References: <CAE3-qLREFyP34PkKbospPZGEeXDi33J=B3etN1bG0ncCvX4eZw@mail.gmail.com> <20150704034218.613C41A1B3@ld9781.wdf.sap.corp>
Date: Sat, 04 Jul 2015 06:31:15 -0700
Message-ID: <CACsn0cm5z=m4QY5KU_J2vDTxK5Z0FRBHDDj+MOiLSizzjLCb_A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/nVAxC6BfOfxomPGHfgj9dTL75VY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 draft-07 sneak peek
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jul 2015 13:31:18 -0000

But these assertions below are not what the paper actually claims!
It's important to actually read the paper, and see that the claims
apply to hash functions of a particular form, namely iterated ones.
The functions mentioned in your counterexample are not iterated hash
functions in the sense of the paper.

Nor, if you believe that the designers of TLS got ciphersuite
negotiation correct, is the claimed "vulnerability" a vulnerability.
If the security of the scheme used by A and B was the strongest in the
intersection, having MD5 based schemes would be fine so long as
everyone had SHA-256 based ones. But we know now that this result
isn't true. (There is an added wrinkle, where a scheme based on a
sufficiently weak hash function will break the negotiation)

On Fri, Jul 3, 2015 at 8:42 PM, Martin Rex <mrex@sap.com> wrote:
> Quynh Dang wrote:
>> The ineffectiveness issue of cascading hashes has been widely known for a
>> long time ago.
>>
>> Find block X and block X' which have collided hash for SHA1 which takes
>> around 2^70 operations or possibly less.
>>
>> Finding a block N for which X|| N and X' || N have collided hash for MD5
>> which is expected to have very low complexity (finding collision for MD5).
>>
>> Therefore, finding collisions for SHA1 and collisions for SHA1 || MD5
>> require about the same computational complexity.
>
>
> The previously mentioned paper
>
> http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf
>
> describes the issue for two arbitrary hash algorithms F and G
> with bit sizes nF and nG and you say this applies to
>
>   F= md5  nF=128 bit
>   G= sha1 nG=160 bit
>
>   and that the security of F||G would be no stronger than the larger
>   of the two (G alone, nG=160).
>
>
> OK, lets take two other hash algorithms F and G, and even use
> a weaker algorithm F with nF=96 and G with nG=160.
> The assertion is, that he security of F||G would still be only 160.
>
> OK, here are my algorithms F and G:
>
>   F= sha-256, truncated to bits 0..95 of the output
>   G= sha-256, truncated to bits 96..256 of the output
>
> Now if your original assertion is true, then the strength of
> F(m)||G(m) which curiously happens to be identical to the output of
> sha256 for the message (m) has a security of only 160 bits?
>
> Or lets look at a concatenation of 8 hashes of 32-bits each.
>
>  F=sha-256, truncated to bits 0..31 of the output
>  ...
>
>
>
> -Martin
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email