Re: [TLS] Consensus Call: FNV vs SHA1

Nicolas Williams <Nicolas.Williams@oracle.com> Mon, 10 May 2010 19:25 UTC

Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2380C3A6C73 for <tls@core3.amsl.com>; Mon, 10 May 2010 12:25:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.341
X-Spam-Level:
X-Spam-Status: No, score=-3.341 tagged_above=-999 required=5 tests=[AWL=0.657, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zsp7JmbNCxiX for <tls@core3.amsl.com>; Mon, 10 May 2010 12:25:54 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 20FC428C284 for <tls@ietf.org>; Mon, 10 May 2010 12:10:19 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4AJA39I011889 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 10 May 2010 19:10:06 GMT
Received: from acsmt354.oracle.com (acsmt354.oracle.com [141.146.40.154]) by rcsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4AGibxj027987; Mon, 10 May 2010 19:10:01 GMT
Received: from abhmt013.oracle.com by acsmt355.oracle.com with ESMTP id 228768661273518600; Mon, 10 May 2010 12:10:00 -0700
Received: from oracle.com (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 10 May 2010 12:09:59 -0700
Date: Mon, 10 May 2010 14:09:55 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Message-ID: <20100510190954.GV9429@oracle.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE50A43B479@xmb-sjc-225.amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE50A43B479@xmb-sjc-225.amer.cisco.com>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Auth-Type: Internal IP
X-Source-IP: rcsinet15.oracle.com [148.87.113.117]
X-CT-RefId: str=0001.0A090202.4BE85A0E.0096:SCFMA4539811,ss=1,fgs=0
Cc: tls@ietf.org
Subject: Re: [TLS] Consensus Call: FNV vs SHA1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 19:25:59 -0000

On Mon, May 10, 2010 at 10:39:28AM -0700, Joseph Salowey (jsalowey) wrote:
> I don't see much new being added to this discussion at this point.  I'd
> like to close on this.  If you have an opinion please indicate if:
> 
> a) You favor SHA-1
> b) You favor FNV-1a

I lean towards (a) from a purely political point of view: I don't think
it's a good idea to train auditors to act reflexively.  However, from a
purely technical point of view I have no preference whatsoever at this
time, but I'd like answers to my questions below.

If the consensus is (b) then I think the following changes should be
made:

 - Add an informative reference to FNV (and expand the acronym).

 - Refer to FNV as a checksum (or even hash, or better, non-
   cryptographic hash) rather than as a digest.

   In the context of TLS )RFC5246), "digest" definitely refers to
   cryptographic hash functions.  We should not confuse the terminology.

 - Add a description of what happens if cached object checksums collide.

   No, the current security considerations section doesn't deal with
   this, and rightly so _if_ collisions are not a security problem, but
   what happens when there are collisions?  Do hanshakes fail?

   Also, could caching have been done without reference to hash
   functions?  E.g., by having servers assign IDs to objects for client
   caching?  Is it too late to consider this approach?

Cheers,

Nico
--