Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-cached-info-02 / New "Fast-Track" draft

"Kemp, David P." <DPKemp@missi.ncsc.mil> Wed, 24 February 2010 19:48 UTC

Return-Path: <DPKemp@missi.ncsc.mil>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A9B33A857A for <tls@core3.amsl.com>; Wed, 24 Feb 2010 11:48:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.543
X-Spam-Level:
X-Spam-Status: No, score=-6.543 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wCusQ3FJtDVN for <tls@core3.amsl.com>; Wed, 24 Feb 2010 11:48:44 -0800 (PST)
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by core3.amsl.com (Postfix) with ESMTP id A61773A8537 for <tls@ietf.org>; Wed, 24 Feb 2010 11:48:44 -0800 (PST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Date: Wed, 24 Feb 2010 14:50:36 -0500
Message-ID: <201002241950.o1OJonSH025171@stingray.missi.ncsc.mil>
In-Reply-To: <4B856F19.6080809@extendedsubset.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [POSSIBLE SPAM] Re: [TLS] draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
Thread-Index: Acq1fta/+6mZ5urJRLautnu1LirFtwAAMTaA
References: <4B8407D7.9040207@briansmith.org> <C7AB19CF.88B9%stefan@aaa-sec.com><201002241753.o1OHrxuK015491@stingray.missi.ncsc.mil> <4B856F19.6080809@extendedsubset.com>
From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: <tls@ietf.org>
X-OriginalArrivalTime: 24 Feb 2010 19:51:36.0812 (UTC) FILETIME=[C6283AC0:01CAB58A]
Subject: Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-cached-info-02 / New "Fast-Track" draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2010 19:48:45 -0000

Marsh Ray wrote:
> It will not be so fun to convince reviewers that "yes we're using
> SHA-1 but not in a way that really matters."
>
> If all you need is a 64-bit checksum for data-structure-style
> hashing and indexing, use any old old-fashioned checksum algorithm.
>
> This would be simple for everyone to implement and it clearly
> communicates your design intent (that the security of the design
> does not depend on any properties of this value's calculation).

+1 in principle.

But practically speaking, do you have any suggestions for well-known non-cryptographic hash algorithms?  A quick IANA search turned up Kerberos checksums http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml, including CRC32 (4 octets), des-mac-k (8 octets), and several 16 octet algorithms including MD4 and MD5.

A search for other "hash", "mac", or "checksum" registries turned up nothing new.

It doesn't feel quite right to add a non-cryptographic checksum to the RFC 5246 registry:

      enum {
          none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
          sha512(6), (255)
      } HashAlgorithm;

so even if there were such an algorithm, permitting both it and cryptographic hashes would be painful.

I don't see an alternative that satisfies both "simple to implement" and "clearly communicates intent".  My care-abouts are 1) a common interoperable algorithm and 2) bandwidth.  Computation speed is unimportant, so if everyone thinks sha256 will be cryptographically viable for the foreseeable future and SHA-1 will soon be impossible to get "approved", then sha256 truncated to 64 bits could be a reasonable MUST-support algorithm.

Dave