Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

Marsh Ray <marsh@extendedsubset.com> Tue, 08 March 2011 16:51 UTC

Message-ID: <4D765ECD.105@extendedsubset.com>
Date: Tue, 08 Mar 2011 10:52:29 -0600
From: Marsh Ray <marsh@extendedsubset.com>
To: mrex@sap.com
Cc: ietf@ietf.org, tls@ietf.org
In-Reply-To: <201103081559.p28Fxl3p027770@fs4113.wdf.sap.corp>

On 03/08/2011 09:59 AM, Martin Rex wrote:
>
> To me, truncating the output of a SHA-384 PRF to 12 octets looks like
> an unreasonable cutdown of the security margin for the Finished messages.

I agree.

Last I looked into it, I came to the conclusion that collisions of any
efficient 96-bit hash function are likely within range of today's
supercomputers and botnets.

But the logistics of it probably make it impractical for an actual
attack. You need the master secret to manipulate the verify_data in any
valid way (and if the attacker had that there'd be no security left to
attack anyway). Otherwise, a useful attack on the finished message
probably has to involve 2^48 or so live network connections to collide
among.

- Marsh
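As an added worked example (not code from either mail, and not the Camellia draft's own): a Python implementation of the TLS 1.2 PRF with SHA-384 (RFC 5246, section 5) that derives Finished.verify_data at the default 12-octet length beside the full 48-octet P_SHA384 output, plus the birthday-bound arithmetic behind the 2^48 figure above. The master secret and handshake transcript used in the demo are constructed sample values, not real handshake data; the function names are this example's own.

```python
import hashlib
import hmac
import math


def p_hash(hash_name: str, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """P_<hash> expansion from RFC 5246, section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    The output is prefix-consistent, so a 12-octet verify_data is simply
    the first 12 octets of the full 48-octet SHA-384 run.
    """
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def prf(hash_name: str, secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.2 PRF: P_<hash>(secret, label + seed)."""
    return p_hash(hash_name, secret, label + seed, out_len)


def verify_data(hash_name: str, master_secret: bytes, finished_label: bytes,
                handshake_messages: bytes, verify_data_length: int = 12) -> bytes:
    """Finished.verify_data per RFC 5246, section 7.4.9:
    PRF(master_secret, finished_label, Hash(handshake_messages))[0..verify_data_length-1].
    Without master_secret an attacker cannot produce a valid value for any transcript.
    """
    transcript_hash = hashlib.new(hash_name, handshake_messages).digest()
    return prf(hash_name, master_secret, finished_label, transcript_hash, verify_data_length)


def birthday_work_bits(output_bits: int) -> int:
    """Generic collision cost for a b-bit output: about 2^(b/2) evaluations."""
    return output_bits // 2


def collision_probability(output_bits: int, n: int) -> float:
    """P[some collision among n uniformly random b-bit values] ~ 1 - exp(-n^2 / 2^(b+1)).
    expm1 keeps the result accurate when the probability is tiny."""
    return -math.expm1(-(n * n) / 2 ** (output_bits + 1))


def connections_for_probability(output_bits: int, p: float) -> float:
    """Number of b-bit values needed before a collision has probability about p."""
    return math.sqrt(2 ** (output_bits + 1) * -math.log1p(-p))


if __name__ == "__main__":
    # Constructed sample values (not from a real handshake).
    master_secret = hashlib.sha384(b"constructed sample master secret").digest()  # 48 octets
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"

    short = verify_data("sha384", master_secret, b"client finished", transcript, 12)
    full = verify_data("sha384", master_secret, b"client finished", transcript, 48)
    print("12-octet verify_data :", short.hex())
    print("48-octet PRF output  :", full.hex())
    print("12-octet is a prefix :", full.startswith(short))

    tampered = verify_data("sha384", master_secret, b"client finished", transcript + b"|X", 12)
    print("tampered transcript gives different verify_data:", tampered != short)

    for bits in (96, 384):
        print(f"{bits}-bit verify_data: generic collision work ~ 2^{birthday_work_bits(bits)}, "
              f"P[collision among 2^48 values] = {collision_probability(bits, 2 ** 48):.3g}")
    print("connections for 50% collision at 96 bits: 2^%.2f"
          % math.log2(connections_for_probability(96, 0.5)))
```

The birthday figures show why truncation to 12 octets is the whole story for the Finished margin: at 96 bits the work is about 2^48 regardless of the PRF hash, while keeping all 48 octets of P_SHA384 pushes the generic bound to 2^192.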