IETF Logo Mail Archive

Re: [TLS] Issue 49: Finished.verify length

Bodo Moeller <bmoeller@acm.org> Fri, 14 September 2007 09:09 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IW7Ad-00065u-PO; Fri, 14 Sep 2007 05:09:03 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IW7Ac-0005zl-6Y for tls@ietf.org; Fri, 14 Sep 2007 05:09:02 -0400
Received: from moutng.kundenserver.de ([212.227.126.171]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IW7Aa-0007P7-M0 for tls@ietf.org; Fri, 14 Sep 2007 05:09:02 -0400
Received: from p508EAF34.dip0.t-ipconnect.de [80.142.175.52] (helo=tau.invalid) by mrelayeu.kundenserver.de (node=mrelayeu3) with ESMTP (Nemesis), id 0MKxQS-1IW7AV0Day-0007wa; Fri, 14 Sep 2007 11:08:56 +0200
Received: by tau.invalid (Postfix, from userid 1000) id EBCF51C35A; Fri, 14 Sep 2007 11:08:53 +0200 (CEST)
Date: Fri, 14 Sep 2007 11:08:53 +0200
From: Bodo Moeller <bmoeller@acm.org>
To: Eric Rescorla <ekr@networkresonance.com>
Subject: Re: [TLS] Issue 49: Finished.verify length
Message-ID: <20070914090853.GA20702@tau.invalid>
References: <20070913183453.D32DD33C21@delta.rtfm.com> <46E9D35F.60904@pobox.com> <20070914040741.3473733C3A@delta.rtfm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20070914040741.3473733C3A@delta.rtfm.com>
User-Agent: Mutt/1.5.9i
X-Provags-ID: V01U2FsdGVkX181BaNrryWbeoZ9Lp//8dZ2eaYkOI2SF6sVThI H1MSepQR6e2VsNR5svoFs1q3V/9HFubI2pgY8/O+rcc1Sd61BS Rqs+9ykSZkCgamR3RIWf+2pqYmJVe2w1i/wsccenu89ksmj3Xl IGw==
X-Spam-Score: -0.0 (/)
X-Scan-Signature: f607d15ccc2bc4eaf3ade8ffa8af02a0
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

On Thu, Sep 13, 2007 at 09:07:40PM -0700, Eric Rescorla wrote:
> At Thu, 13 Sep 2007 17:18:39 -0700,

>>>   Currently Finished.verify_data is always 12 octets. With newer PRFs
>>>   and hashes, more might be useful. Should this depend on the PRF?

>> Since the Finished message is just the output of the PRF itself,
>> you can specify however much output you want.  In TLS 1.2, the
>> default PRF is based on HMAC-SHA-256, so 1 iteration of the PRF
>> generates 32 bytes.  With the Finished message currently using
>> only 12 bytes of PRF output, we are just throwing away 20 bytes
>> that could be utilized.  Therefore, the Finished message could
>> be increased to 32 bytes without impacting performance.

Note quite true: Indeed, the additional plaintext of the Finished
message would be there at little cost -- however, this would also give
you more data to encrypt and decrypt at the record layer (e.g., more
cipher blocks, assuming a block size of 16 bytes or less).


> As I recall, the truncation was intended to *increase* security,
> because it leaked less information about the MS to an active
> attacker.

I am not convinced that this is a good reason.  Assume that the
adversary tricks the parties into using weak encryption with some
non-ephemeral key exchange, say.  Then not only the verify_data will
be potentially visible to the adversary, but also the record-layer MAC
will be exposed, which can be a lot of additional data (both depending
on the master secret).

But you don't need a very long verify_data.  We also don't need very
long record-layer MACs.  Both are needed only for real-time
authentication, which cannot be attacked after the fact.  (This
is quite different from symmetric encryption, where we generally want
rather long keys for long-term security.)  The MAC cryptographically
ensures that the data has been sent by someone who knows the keys that
the client and the server have agreed upon.  The verify_data is needed
to check that no-one has disturbed the handshake agreement between
client and server, such as by modifiying the list of ciphersuites
offered by the client.  Here we are already trusting that at least the
MAC is secure, and has been properly keyed.

A 12-byte verify_data means that, if an adversary *has* changed the
handshake, there's a probability around 2^-96 that the server won't
notice this from the client's Finished message.  Thus if you have a
total of 2^64 connections (say) being attacked, then there's a
probabilty around 2^-32 that one of the attacks is not detected by the
server.  But if this ever happens and a connection under attack is
accepted by the server, then still we can expect the *client* to
reject the *server's* Finished message (except with probability around
2^-96).

In conclusion, a 12-byte verify_data means *192-bit* security in total
(2*12*8) for Finished verification, since Finished verification
happens twice!  Thus, I don't see a need to change the specification
in this regard.

Bodo


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.29.0 | Report a Bug | By Email | System Status