IETF Logo Mail Archive

Re: [TLS] TLS1.3

Yoav Nir <ynir@checkpoint.com> Mon, 11 February 2013 10:18 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5359021F86F4 for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 02:18:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ywD+aTNa9Gbd for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 02:18:32 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 9C7D221F871C for <tls@ietf.org>; Mon, 11 Feb 2013 02:18:31 -0800 (PST)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r1BAITDZ004921; Mon, 11 Feb 2013 12:18:29 +0200
X-CheckPoint: {5118C175-1-1B221DC2-2FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.18]) by DAG-EX10.ad.checkpoint.com ([169.254.3.103]) with mapi id 14.02.0328.009; Mon, 11 Feb 2013 12:18:29 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "Lewis, Nick" <nick.lewis@usa.g4s.com>
Thread-Topic: [TLS] TLS1.3
Thread-Index: AQHOCDnybhYkpvGYYkWDbn2O0eUKMZh0TAcAgAAEQYA=
Date: Mon, 11 Feb 2013 10:18:29 +0000
Message-ID: <4613980CFC78314ABFD7F85CC3027721119A294D@IL-EX10.ad.checkpoint.com>
References: <AAE0766F5AF36B46BAB7E0EFB9273206194A67DCDC@GBTWK10E001.Technology.local> <B132B06E59C4A540A03C3393F53BC07C408169C0@EXCH-MB01.cc.rhul.local> <AAE0766F5AF36B46BAB7E0EFB9273206194A67DCDE@GBTWK10E001.Technology.local>
In-Reply-To: <AAE0766F5AF36B46BAB7E0EFB9273206194A67DCDE@GBTWK10E001.Technology.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [91.90.139.159]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: multipart/alternative; boundary="_000_4613980CFC78314ABFD7F85CC3027721119A294DILEX10adcheckpo_"
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Feb 2013 10:18:33 -0000

On Feb 11, 2013, at 12:03 PM, "Lewis, Nick" <nick.lewis@usa.g4s.com<mailto:nick.lewis@usa.g4s.com>> wrote:


The reality of TLS though is that there are many MACs in everyday use that are not secure (based on hashes of 80bits or even 64 bits).
These are currently protected from attack by being behind strong (112bit or 128 bit) crypt.
The "usual" MAC algorithms for TLS are HMAC-MD5, HMAC-SHA-1 and HMAC-SHA-256 (HMAC-SHA-384 is also a possibility).
These all have MAC tags of at least 128 bits.

RFC 6066 standardises "truncated" MAC tags for TLS, but these are known to be dangerous when used in combination with TLS's variable length padding
(see the distinguishing attack in my Asiacrypt 2011 paper with Ristenpart and Shrimpton).
However, I was not aware of anyone actually using these truncated MAC tags, or any other short-output MAC algorithms in TLS.
Can you provide specific examples in support of your argument?

Sorry I meant to say "bits of security" (as in a birthday attack) rather than leave an impression of bit length
According to NIST HMAC-MD5 and HMAC-SHA-1 are vulnerable and should not be used hence forth
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

That's using SHA-1 as a signature hash.  As for other uses (emphasis theirs):


SHA-1 for non-digital signature applications:

For all other hash function applications, the use of SHA-1 is acceptable. The other applications include HMAC, Key Derivation Functions (KDFs), Random Number Generation (RNGs and RBGs), and hash-only applications (e.g., hashing passwords and using SHA-1 to compute a checksum, such as the approved integrity technique specified in Section 4.6.1 of [FIPS 140-2]).

v2.23.0 | Report a Bug | By Email