Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

Marsh Ray <> Mon, 14 March 2011 23:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C84BC3A6E40; Mon, 14 Mar 2011 16:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.549
X-Spam-Status: No, score=-2.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ddH-JGl7r2vN; Mon, 14 Mar 2011 16:52:09 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id ECF993A6B8B; Mon, 14 Mar 2011 16:52:08 -0700 (PDT)
Received: from ([]) by with esmtpa (Exim 4.72) (envelope-from <>) id 1PzHGs-00010F-0Q; Mon, 14 Mar 2011 23:33:54 +0000
Received: from [] (localhost []) by (Postfix) with ESMTP id 31AD9606B; Mon, 14 Mar 2011 23:53:14 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Report-Abuse-To: (see for abuse reporting information)
X-MHO-User: U2FsdGVkX18M6nvtk7miJj1ZADN2pkcAhYYpWVJpNTI=
Message-ID: <>
Date: Mon, 14 Mar 2011 18:53:11 -0500
From: Marsh Ray <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20110223 Thunderbird/3.1.8
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Mar 2011 23:52:09 -0000

On 03/14/2011 05:49 PM, Martin Rex wrote:
> The MD5 output is 128 bits = 16 bytes, and the input is *MUCH* larger
> than 128 bits.  The master_secret should is 48 bytes alone.  Even if one is
> successful at inverting MD5, one can not undo the collisions from
> the Finished computation caused by the compression of a much larger
> input into a 128 bit output value.

You could accumulate multiple samples, perhaps even with session 
resumption where the Finished message is sent by the server without the 
chance to authenticate the client first.

Normally you even don't get to see the Finished.verify_data without 
breaking the encryption or downgrading to no encryption. But 40-bit 
encryption and "integrity only" connections were fully supported use 
cases back in those days.

If they had really wanted to leverage the 16 or 20 byte bottleneck of 
MD5 and SHA-1, they should have padded the master_secret from 384 to 512 
bits (the input block size) before putting it into the hash function.

- Marsh