RE: [TLS] Truncated HMAC recommendation
"Whyte, William" <WWhyte@ntru.com> Tue, 28 November 2006 00:45 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gor6Y-0007mm-Uv; Mon, 27 Nov 2006 19:45:46 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gor6X-0007mc-HX for tls@ietf.org; Mon, 27 Nov 2006 19:45:45 -0500
Received: from webmail.ntru.com ([64.115.150.147] helo=OHTHREE.jjj-i.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gor6V-000422-1Z for tls@ietf.org; Mon, 27 Nov 2006 19:45:45 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Truncated HMAC recommendation
Date: Mon, 27 Nov 2006 19:43:55 -0500
Message-ID: <9DC3EBEFB87A97498A7D25F130DE27E49845EC@ohthree.jjj-i.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Truncated HMAC recommendation
thread-index: AccSWD6j7rsyhSPVR0S9tZ1Cd5YbAQAANmoAAACe5NAAAD5vMAAKRsqw
From: "Whyte, William" <WWhyte@ntru.com>
To: "Blumenthal, Uri" <uri.blumenthal@intel.com>, tls@ietf.org
X-Spam-Score: 0.1 (/)
X-Scan-Signature: bb8f917bb6b8da28fc948aeffb74aa17
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Okay, so I was foolishly assuming that the key size was equal to the non-truncated MAC length. Even given that the key size might be larger, it'll be rare in TLS to require more than 16 (MAC, message) pairs, so I think the broader point (that truncation doesn't significantly raise the bar for an attacker who can collect messages) still holds. William > -----Original Message----- > From: Blumenthal, Uri [mailto:uri.blumenthal@intel.com] > Sent: Monday, November 27, 2006 3:55 PM > To: tls@ietf.org > Subject: RE: [TLS] Truncated HMAC recommendation > > > But if you truncate it to half-length, two > > MACs are enough to allow verification of a > > guess with high probability. I don't think > > this is a significant gain. > > Cryptologic science disagrees with you. > > If your MAC size is N bits and your key size is K bits, then you need > K/N known pairs of messsage <-> MAC in order to verify your > guess of the > key (I wonder why you think that just two MACs are enough if you leave > only half of the MAC bits). Among other sources, see > <http://www.cosic.esat.kuleuven.be/publications/thesis-16.pdf> (page > 15). > > _______________________________________________ > TLS mailing list > TLS@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/tls > _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Truncated HMAC recommendation Mike
- Re: [TLS] Truncated HMAC recommendation Eric Rescorla
- RE: [TLS] Truncated HMAC recommendation Blumenthal, Uri
- Re: [TLS] Truncated HMAC recommendation Mike
- RE: [TLS] Truncated HMAC recommendation Blumenthal, Uri
- RE: [TLS] Truncated HMAC recommendation Whyte, William
- RE: [TLS] Truncated HMAC recommendation Blumenthal, Uri
- RE: [TLS] Truncated HMAC recommendation Whyte, William