Re: [TLS] New cached-info draft 09 posted

[Marsh Ray <marsh@extendedsubset.com>]

On 07/13/2010 11:07 AM, Stefan Santesson wrote:
> How about MUST use SHA-1 for TLS<1.2 and the proposed solution for =<
> 1.2?

Does it meet the requirements? What were the requirements again?

Does it need collision resistance?
If so, SHA-1 is deprecated:
http://csrc.nist.gov/groups/ST/hash/policy.html
 > Federal agencies should stop using SHA-1 for digital signatures,
 > digital time stamping and other applications that require collision
 > resistance as soon as practical, and must use the SHA-2 family of
 > hash functions for these applications after 2010.

If it doesn't need collision resistance, does it need preimage resistance?
If not, FNV is the way to go.
If so, SHA-1 probably works but it is certainly going out of style. If 
you're going to pick a hash function, SHA-256 might be a better choice.

Sorry to be such a curmudeon, but it seems like if we're going to use 
some bit string as a proxy for an object in the handshake I think the 
default assumption needs be that it must not weaken the Finished 
computation. If it wasn't important, we could have used FNV. But we 
decided it was too security critical for FNV, if not for the object 
types defined now, perhaps for other object types that will be defined 
in the future.

I don't think the "it needs to be secure but not that secure, so we need 
more than X but less than Z how about Y" is a good method of selecting 
the hash. If folks feel this usage doesn't require 24 bytes out of the 
PRF like the Finished messages it would be good for someone to post just 
a little bit of quantitative justification. (E.g., ...therefore it needs 
x bits of resistance to ...)

- Marsh