Re: [TLS] PRF in 1.3

Andrey Jivsov <crypto@brainhub.org> Thu, 07 August 2014 05:37 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 995121A0AD1 for <tls@ietfa.amsl.com>; Wed, 6 Aug 2014 22:37:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u7J9z7xjR6aP for <tls@ietfa.amsl.com>; Wed, 6 Aug 2014 22:37:29 -0700 (PDT)
Received: from qmta06.emeryville.ca.mail.comcast.net (qmta06.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:43:76:96:30:56]) by ietfa.amsl.com (Postfix) with ESMTP id 16FD21A0ACE for <tls@ietf.org>; Wed, 6 Aug 2014 22:37:29 -0700 (PDT)
Received: from omta03.emeryville.ca.mail.comcast.net ([76.96.30.27]) by qmta06.emeryville.ca.mail.comcast.net with comcast id bhNB1o0020b6N64A6hdUo1; Thu, 07 Aug 2014 05:37:28 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by omta03.emeryville.ca.mail.comcast.net with comcast id bhdT1o00P4uhcbK8PhdUX0; Thu, 07 Aug 2014 05:37:28 +0000
Message-ID: <53E31097.5030800@brainhub.org>
Date: Wed, 06 Aug 2014 22:37:27 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: tls@ietf.org
X-Priority: 5 (Lowest)
References: <20140806191122.57BC61ADF5@ld9781.wdf.sap.corp> <53E28BC6.6040208@nthpermutation.com>
In-Reply-To: <53E28BC6.6040208@nthpermutation.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1407389848; bh=aDd7K30T0/ytDbt4hld4sDojA+UVFiqjp1SpekB2JNg=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=EJDyXvjIerkmZ9/XcDJSXAjh0LgxKd7cD8/c7XqzQ5sRhOYfhQhhdmeU83XTwsi7Z Qn4z5zq/SMiSnPewtVakHDCCiRN5MMlo3NrO4Lqlbv+KeqGUiDC6VZPhq7Uk3ZfUNv O/mLtizvvg6cSSc7SUoo6t1IdeAHuAnYkub+VeQWZTU6GMmXfeRrPqqjC7nQbM3tiA /de5iFEq3QcG4MXbT9T7jV3mdkfKP82RW09RX2RBIZVs7UmL3If9jlzU5sBK7nNXnt bQpc77OWI5XeitA44QOhZwe3cxtTtyqFVn3xm6Bc6EazOahzZyTzdgIaX0+gieTZRx LHtvqRy5LfEWw==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/txpi7RM3_Of32TBANZuj0qEZfUI
Subject: Re: [TLS] PRF in 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 05:37:30 -0000

On 08/06/2014 01:10 PM, Michael StJohns wrote:
> I think you're still missing the point - the PRF *is* used as a
> signature function over a hash.  If the PRF were used as an HMAC
> signature function over the raw handshake data, it would be as secure as
> the HMAC (which is 256 bits for SHA256) unneedsderlying the PRF, but since
> you're signing the hash of the handshake data, you've no more security
> than the collision resistance of the hash which is 128 bites for SHA256.

For the hash function collision over a handshake to be a problem there 
should to be a setting in which a collision of the hash output value 
over *any* two handshakes poses a problem.

Statements about *this* particular handshake still fall under MAC usage. 
This case seems to apply here because each peer is hashing "his" packets 
and that is the hash value that needs to match.