Re: [TLS] draft-turner-ssl-must-not
Marsh Ray <marsh@extendedsubset.com> Tue, 06 July 2010 20:42 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D10E33A6807 for <tls@core3.amsl.com>; Tue, 6 Jul 2010 13:42:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.017
X-Spam-Level:
X-Spam-Status: No, score=0.017 tagged_above=-999 required=5 tests=[AWL=0.016, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ijFPoh9F8Qzg for <tls@core3.amsl.com>; Tue, 6 Jul 2010 13:42:53 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 4079D3A693B for <tls@ietf.org>; Tue, 6 Jul 2010 13:42:52 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OWEyk-000Na6-B7; Tue, 06 Jul 2010 20:42:54 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id CB2626336; Tue, 6 Jul 2010 20:42:52 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19Od6N10kBoCYcx5MzmapGYTr9SI/ssKfE=
Message-ID: <4C33954B.5070308@extendedsubset.com>
Date: Tue, 06 Jul 2010 15:42:51 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4
MIME-Version: 1.0
To: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
References: <C858DD65.5897%uri@ll.mit.edu>
In-Reply-To: <C858DD65.5897%uri@ll.mit.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-turner-ssl-must-not
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2010 20:42:59 -0000
On 07/06/2010 12:17 PM, Blumenthal, Uri - 0668 - MITLL wrote: > There are two attacks: (a) finding collisions, and (b) offline > guessing/brute-forcing the key. The fewer bits of the complete hash you have > - the less ability to verify& disambiguate your guess. > > The balance is between outputting enough bits to defeat collision-based > attacks, yet omitting enough bits to prevent disambiguating the key in > offline trials. My impression was that preventing the occurrence of known plaintext was no longer considered an important design principle. Even if the Finished message were made very short, it's probable that there will be plenty of known plaintext in record headers, padding bytes, not to mention the application data itself. Any text based is going to have a zero high bit on a great majority of chars, compression is far from standard and it presumably brings its own known headers. So, from what I hear, modern ciphers are expected to be resistant to known plaintext attacks. > Most of the sources prioritize fending off collision seekers. > > Barring a discovered cryptographic weakness in the underlying hash function, > the likelihood of finding collisions in SHA256 output (say even truncated to > 160 bits) is comparable with the likelihood of guessing a key used for HMAC. > Both currently aren't high on my list of concerns. Even if the hash functions are broken, the PRF is very conservatively designed. The hash functions are doubled-up in the HMAC construct, and HMAC is then performed recursively to generate the output! For TLS 1.0 and 1.1, this is done separately for MD5 and SHA-1 and those results get combined. It's nice that there are some parts of the design with a generous safety margin! - Marsh
- [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Sean Turner
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Juho Vähä-Herttua
- Re: [TLS] draft-turner-ssl-must-not Ivan Ristic
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Sean Turner
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Juho Vähä-Herttua
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Yngve Nysaeter Pettersen
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Juho Vähä-Herttua
- Re: [TLS] draft-turner-ssl-must-not Nasko Oskov
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Nelson B Bolyard
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Ben Laurie
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Bodo Moeller
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Bodo Moeller
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Peter Gutmann
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Yoav Nir
- Re: [TLS] draft-turner-ssl-must-not Martin Rex
- Re: [TLS] draft-turner-ssl-must-not Nikos Mavrogiannopoulos
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] draft-turner-ssl-must-not Marsh Ray
- Re: [TLS] draft-turner-ssl-must-not Simon Josefsson
- [TLS] Finished verify_data collision (Was Re: dra… Marsh Ray
- Re: [TLS] Finished verify_data collision (Was Re:… Nikos Mavrogiannopoulos
- Re: [TLS] Finished verify_data collision (Was Re:… Marsh Ray