IETF Logo Mail Archive

Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

Eric Rescorla <ekr@rtfm.com> Wed, 09 March 2011 14:45 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8B81E3A69DE for <tls@core3.amsl.com>; Wed, 9 Mar 2011 06:45:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.632
X-Spam-Level:
X-Spam-Status: No, score=-102.632 tagged_above=-999 required=5 tests=[AWL=-0.255, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eeq+pzAO5pQC for <tls@core3.amsl.com>; Wed, 9 Mar 2011 06:45:17 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 9C7093A683E for <tls@ietf.org>; Wed, 9 Mar 2011 06:45:17 -0800 (PST)
Received: by iwl42 with SMTP id 42so738634iwl.31 for <tls@ietf.org>; Wed, 09 Mar 2011 06:46:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.42.74.71 with SMTP id v7mr8420407icj.232.1299681993886; Wed, 09 Mar 2011 06:46:33 -0800 (PST)
Received: by 10.42.234.9 with HTTP; Wed, 9 Mar 2011 06:46:33 -0800 (PST)
In-Reply-To: <201103091206.p29C61fq005174@fs4113.wdf.sap.corp>
References: <AANLkTi=y4p6hV6jbodt=nxLVwV8AhK+DmL2rwoHfRh8V@mail.gmail.com> <201103091206.p29C61fq005174@fs4113.wdf.sap.corp>
Date: Wed, 09 Mar 2011 06:46:33 -0800
Message-ID: <AANLkTinh63HUL4GREP1wB924Z_pyaJ0vAtTr6eorGEN9@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 14:45:18 -0000

On Wed, Mar 9, 2011 at 4:06 AM, Martin Rex <mrex@sap.com> wrote:
> Hovav Shacham wrote:
>>
>> Martin Rex <mrex@sap.com> wrote:
>> >
>> > it looks that the recommendation of rfc-2104 section 5 about truncation
>> > should apply here as well.
>>
>> What RFC 2104 is saying is that the security of a k-bit truncation of HMAC
>> when using an underlying n-bit hash is min{k,n/2}.  Setting k to a value
>> less than n/2 means that you k-bit security; setting k to a value equal to
>> or larger than n/2 means you have (n/2)-bit security.
>>
>> Any truncation of HMAC-SHA384 -- the PRF at hand -- to fewer than 384/2
>> = 192 bits means you are in the former regime rather than the latter.
>>  That's fine, provided k-bit security is sufficient, as 96-bit security is
>> here; it just means that having built HMAC using SHA384 was overkill, which
>> it of course was.
>
> What I'm reading here is that a truncation of an HMAC or an HMAC-like
> construct to 96 bits cuts the effective security down to 96-bit.
>
> You call the use of SHA-384 for the HMAC in such a situation "overkill",
> I call it cryptographic imbalance.
>
> A sensibly balanced truncation would truncate to _no_ less than half
> the output size of the underlying hash function, which means at
> least 192 bits in accordance with with the recommendation in
> rfc-2104 (HMAC) section 5.
>
> Is that correct?

As Hovav says, what's imbalanced isn't the truncation, it's the use of SHA-384.

As I said to Nikos, it's useful to remember how we got here, which is
not that the
TLS WG suddenly developed a desire to modernize the hash functions at the core
of TLS. The combination of MD5 and SHA-1 would quite likely have been
fine indefiintely
except that Wang started breaking both MD5 and SHA-1. This left us in
the situation
where we needed new, non-broken hash functions. However, the only such
functions *also* had a longer output size. Sometimes this is useful,
sometimes it's
annoying.

As a simpler example, let's consider the case of the message MAC,
currently untruncated
HMAC-SHA-1 with an output size of 160 bits (20 bytes). The security
level of this
MAC against forgery/tampering is 160 bits under brute force attack. Now consider
a world where HMAC-SHA-1 is really broken [not the current world] and we need
to transition to HMAC-SHA-256. The "balance" argument you're proposing would
have us use accept an extra 12 bytes of MAC output size even though the previous
security level was fine. However, as Hovav suggests, the situation is
that we just
don't have another 160-bit hash function at hand to replace SHA-1, so
instead we're
forced into using one that's really too big. In other words, overkill.

-Ekr

v2.23.0 | Report a Bug | By Email