Re: [TLS] Collisions (Re: Consensus Call: FNV vs SHA1)

Nicolas Williams <Nicolas.Williams@oracle.com> Mon, 10 May 2010 21:47 UTC

Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3342F3A6A58 for <tls@core3.amsl.com>; Mon, 10 May 2010 14:47:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.005
X-Spam-Level:
X-Spam-Status: No, score=-4.005 tagged_above=-999 required=5 tests=[AWL=1.104, BAYES_05=-1.11, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G5COWosHAVqe for <tls@core3.amsl.com>; Mon, 10 May 2010 14:47:09 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 5AB103A69A5 for <tls@ietf.org>; Mon, 10 May 2010 14:47:09 -0700 (PDT)
Received: from rcsinet13.oracle.com (rcsinet13.oracle.com [148.87.113.125]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4ALktCG032296 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 10 May 2010 21:46:57 GMT
Received: from acsmt354.oracle.com (acsmt354.oracle.com [141.146.40.154]) by rcsinet13.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4AKOD96032119; Mon, 10 May 2010 21:46:54 GMT
Received: from abhmt016.oracle.com by acsmt353.oracle.com with ESMTP id 229207801273527921; Mon, 10 May 2010 14:45:21 -0700
Received: from oracle.com (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 10 May 2010 14:45:21 -0700
Date: Mon, 10 May 2010 16:45:16 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
Message-ID: <20100510214516.GZ9429@oracle.com>
References: <20100510213035.GX9429@oracle.com> <C80DF458.A5A4%uri@ll.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <C80DF458.A5A4%uri@ll.mit.edu>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Auth-Type: Internal IP
X-Source-IP: rcsinet13.oracle.com [148.87.113.125]
X-CT-RefId: str=0001.0A090204.4BE87ED1.0162:SCFMA4539811,ss=1,fgs=0
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Collisions (Re: Consensus Call: FNV vs SHA1)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 21:47:10 -0000

On Mon, May 10, 2010 at 05:35:20PM -0400, Blumenthal, Uri - 0668 - MITLL wrote:
> On 5/10/10  17:30 , "Nicolas Williams" <Nicolas.Williams@oracle.com> wrote:
> > ...... Note that I don't see FNV as having a bright future in our
> > protocols, so that I'm not concerned about making it easier to use in
> > the future.
> 
> And you see a bright future for SHA-1???

No, for the same reason I don't for FNV: I think we'll generally[*] need
cryptographic hash functions in our protocols.  The fact that FNV is not
a cryptographic hash functions is actually the red flag that started me
wondering about the design of this protocol.

Aside from that, I think FNV is a great hash function.  Its place will
typically not be in Internet protocols, but in implementations.

[*] I _can_ think of non-cryptographic uses of hash functions in
    Internet protocols, starting with the use we made in GS2.  But in
    general I think we'll want to review such uses carefully.  In the
    case of GS2 it saved us the bother of creating a registry of SASL
    mechanism names for GSS-API mechanisms.  Here the hash is used to
    identify cached items, which seems fine provided that collisions are
    well-handled.  In the GS2 case we decided that collisions were not a
    problem for us (after all, we could always assign new OIDs to GSS
    mechanisms that collide).

Nico
--