[TLS] Finished message hash length/algorithm (was RE: draft-turner-ssl-must-not)
"Brian Smith" <brian@briansmith.org> Tue, 06 July 2010 14:56 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F4593A695D for <tls@core3.amsl.com>; Tue, 6 Jul 2010 07:56:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.563
X-Spam-Level:
X-Spam-Status: No, score=0.563 tagged_above=-999 required=5 tests=[AWL=-0.562, BAYES_20=-0.74, FRT_LOLITA1=1.865]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4sm-fCBKpiYH for <tls@core3.amsl.com>; Tue, 6 Jul 2010 07:56:57 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by core3.amsl.com (Postfix) with ESMTP id 66F6C3A696D for <tls@ietf.org>; Tue, 6 Jul 2010 07:56:57 -0700 (PDT)
Received: from T60 (unknown [98.200.197.88]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 093F6509DB; Tue, 6 Jul 2010 10:56:52 -0400 (EDT)
From: Brian Smith <brian@briansmith.org>
To: 'Marsh Ray' <marsh@xs01.extendedsubset.com>, 'Martin Rex' <mrex@sap.com>
Date: Tue, 06 Jul 2010 09:56:55 -0500
Message-ID: <003001cb1d1b$7d279660$7776c320$@briansmith.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJnP8TYmXvLYv5n1dqjv06NbDuaag==
Content-Language: en-us
Cc: tls@ietf.org
Subject: [TLS] Finished message hash length/algorithm (was RE: draft-turner-ssl-must-not)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2010 14:56:58 -0000
Marsh Ray wrote: > On Tue, Jul 06, 2010 at 04:17:14AM +0200, Martin Rex wrote: > > Personally, I dislike the extreme truncation of the Finished messages > > in TLS to 12 octets. My expectation is that this limits the overall > > strength, and that it spoils the use of SHA-2 in TLSv1.2. > > +1. > > There's no logic to it, or whatever there might be is too clever by half. > > Apparently, someone was convinced that collision resistance was irrelevant. So > convinced that they were willing to bet your data on it and not use another 8 or > so bytes to transmit the full hash that had already been computed. I wonder if > they realized that higher layer protocols were attaching semantic value to the > receipt of the Finished message. > > But since their reasoning didn't make it into the RFCs so we must live without it > when reviewing things like False Start/Snap Start. > It'd be nice to know what other unstated dependencies and assumptions the > security rests on. This is an easy problem to solve, if it is a problem: 1. Define a new extension that allows the client to request a Finished message that is truncated to a different length. 2. Make False Start / Snap Start require this extension be used. Such an extension could even switch the finished hashes and/or the PRF from SHA-256 to a more efficient algorithm like GHASH. This would eliminate the performance penalty of switching from TLS 1.0/1.1 to TLS 1.2 if widely deployed. Regards, Brian