Re: [TLS] TLS1.3
Yoav Nir <ynir@checkpoint.com> Mon, 11 February 2013 10:18 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5359021F86F4 for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 02:18:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ywD+aTNa9Gbd for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 02:18:32 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 9C7D221F871C for <tls@ietf.org>; Mon, 11 Feb 2013 02:18:31 -0800 (PST)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r1BAITDZ004921; Mon, 11 Feb 2013 12:18:29 +0200
X-CheckPoint: {5118C175-1-1B221DC2-2FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.18]) by DAG-EX10.ad.checkpoint.com ([169.254.3.103]) with mapi id 14.02.0328.009; Mon, 11 Feb 2013 12:18:29 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "Lewis, Nick" <nick.lewis@usa.g4s.com>
Thread-Topic: [TLS] TLS1.3
Thread-Index: AQHOCDnybhYkpvGYYkWDbn2O0eUKMZh0TAcAgAAEQYA=
Date: Mon, 11 Feb 2013 10:18:29 +0000
Message-ID: <4613980CFC78314ABFD7F85CC3027721119A294D@IL-EX10.ad.checkpoint.com>
References: <AAE0766F5AF36B46BAB7E0EFB9273206194A67DCDC@GBTWK10E001.Technology.local> <B132B06E59C4A540A03C3393F53BC07C408169C0@EXCH-MB01.cc.rhul.local> <AAE0766F5AF36B46BAB7E0EFB9273206194A67DCDE@GBTWK10E001.Technology.local>
In-Reply-To: <AAE0766F5AF36B46BAB7E0EFB9273206194A67DCDE@GBTWK10E001.Technology.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [91.90.139.159]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: multipart/alternative; boundary="_000_4613980CFC78314ABFD7F85CC3027721119A294DILEX10adcheckpo_"
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Feb 2013 10:18:33 -0000
On Feb 11, 2013, at 12:03 PM, "Lewis, Nick" <nick.lewis@usa.g4s.com<mailto:nick.lewis@usa.g4s.com>> wrote: The reality of TLS though is that there are many MACs in everyday use that are not secure (based on hashes of 80bits or even 64 bits). These are currently protected from attack by being behind strong (112bit or 128 bit) crypt. The "usual" MAC algorithms for TLS are HMAC-MD5, HMAC-SHA-1 and HMAC-SHA-256 (HMAC-SHA-384 is also a possibility). These all have MAC tags of at least 128 bits. RFC 6066 standardises "truncated" MAC tags for TLS, but these are known to be dangerous when used in combination with TLS's variable length padding (see the distinguishing attack in my Asiacrypt 2011 paper with Ristenpart and Shrimpton). However, I was not aware of anyone actually using these truncated MAC tags, or any other short-output MAC algorithms in TLS. Can you provide specific examples in support of your argument? Sorry I meant to say "bits of security" (as in a birthday attack) rather than leave an impression of bit length According to NIST HMAC-MD5 and HMAC-SHA-1 are vulnerable and should not be used hence forth http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf That's using SHA-1 as a signature hash. As for other uses (emphasis theirs): SHA-1 for non-digital signature applications: For all other hash function applications, the use of SHA-1 is acceptable. The other applications include HMAC, Key Derivation Functions (KDFs), Random Number Generation (RNGs and RBGs), and hash-only applications (e.g., hashing passwords and using SHA-1 to compute a checksum, such as the approved integrity technique specified in Section 4.6.1 of [FIPS 140-2]).
- Re: [TLS] TLS1.3 Peter Gutmann
- [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Dan Harkins
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 David McGrew (mcgrew)
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nico Williams
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Russ Housley
- Re: [TLS] TLS1.3 Wan-Teh Chang
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Peter Gutmann