Re: [TLS] draft-turner-ssl-must-not

Marsh Ray <marsh@xs01.extendedsubset.com> Tue, 06 July 2010 06:47 UTC

Date: Tue, 06 Jul 2010 06:47:08 +0000
From: Marsh Ray <marsh@xs01.extendedsubset.com>
To: Martin Rex <mrex@sap.com>
Message-ID: <20100706064708.GA31209@xs01.extendedsubset.com>
References: <1278203103.4200.14.camel@beta> <201007060217.o662HELO009814@fs4113.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201007060217.o662HELO009814@fs4113.wdf.sap.corp>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: tls@ietf.org
Subject: Re: [TLS] draft-turner-ssl-must-not

On Tue, Jul 06, 2010 at 04:17:14AM +0200, Martin Rex wrote:
> 
> The base result is that the strength of concatenation of two
> hash functions improves the result not as much as one might hope.
> 
> It always does improve the result, however.

Putting it another way, if you spend 36 bytes (288 bits) on space
for your hash and it turns out to have only about 2^75 collision
resistance, I'm not sure many people would call that an improvement.

> Which means that SSLv3 is stronger than TLSv1.0 and TLSv1.1
> in that respect.
> 
> Personally, I dislike the extreme truncation of the Finished
> messages in TLS to 12 octets. My expectation is that this limits
> the overall strength, and that it spoils the use of SHA-2 in TLSv1.2.

+1.

There's no logic to it, or whatever there might be is too clever by half.

Apparently, someone was convinced that collision resistance was
irrelevant. So convinced that they were willing to bet your data
on it and not use another 8 or so bytes to transmit the full hash
that had already been computed. I wonder if they realized that
higher layer protocols were attaching semantic value to the
receipt of the Finished message.

But since their reasoning didn't make it into the RFCs, we must
live without it when reviewing things like False Start/Snap Start.
It'd be nice to know what other unstated dependencies and assumptions
the security rests on.

- Marsh
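The two Finished constructions the thread contrasts, as an added example that is not part of the original message: SSLv3 transmits the full 36-byte MD5||SHA-1 output, while TLS 1.2 runs its PRF (RFC 5246, P_SHA256) for a 32-byte block and puts only the first 12 octets on the wire. The master secret and handshake transcript below are constructed sample values, not from any real session.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 data expansion (RFC 5246 section 5)."""
    out = b""
    a = seed                                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def tls12_verify_data(master_secret: bytes, handshake_messages: bytes,
                      sender: str = "client", verify_data_length: int = 12) -> bytes:
    """verify_data for the TLS 1.2 Finished message (default 12 octets)."""
    label = b"client finished" if sender == "client" else b"server finished"
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    # The PRF yields whole 32-byte HMAC blocks; the 12-octet default is a prefix of that.
    return tls12_prf(master_secret, label, transcript_hash, verify_data_length)

def sslv3_finished(master_secret: bytes, handshake_messages: bytes,
                   sender: str = "client") -> bytes:
    """SSLv3 Finished: MD5 (16 bytes) || SHA-1 (20 bytes), nothing truncated."""
    sender_const = b"CLNT" if sender == "client" else b"SRVR"   # 0x434C4E54 / 0x53525652
    def nested(h, pad_len):
        pad1 = b"\x36" * pad_len                              # 48 for MD5, 40 for SHA-1
        pad2 = b"\x5c" * pad_len
        inner = h(handshake_messages + sender_const + master_secret + pad1).digest()
        return h(master_secret + pad2 + inner).digest()
    return nested(hashlib.md5, 48) + nested(hashlib.sha1, 40)

# Constructed sample inputs (not real session material).
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"constructed sample handshake transcript"

if __name__ == "__main__":
    v12 = tls12_verify_data(MASTER_SECRET, TRANSCRIPT)
    v3 = sslv3_finished(MASTER_SECRET, TRANSCRIPT)
    print(f"TLS 1.2 verify_data: {len(v12)} bytes, SSLv3 Finished: {len(v3)} bytes")
```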