On 03/08/2011 09:59 AM, Martin Rex wrote:
> To me, truncating the output of a SHA-384 PRF to 12 octets looks like
> an unreasonable cutdown of the security margin for the Finished messages.
I agree.
Last I looked into it, I came to the conclusion that collisions of any
efficient 96 bit hash function are likely within range of today's
supercomputers and botnets.
But the logistics of it probably make it impractical for an actual
attack. You need the master secret to manipulate the verify_data in any
valid way (and if the attacker had that there'd be no security left to
attack anyway). Otherwise, a useful attack on the finished message
probably has to involve 2^48 or so live network connections to collide
among.
- Marsh
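The derivation Marsh is reasoning about, as an added example that is not part of this thread: the TLS 1.2 PRF (RFC 5246, P_SHA384) producing Finished.verify_data truncated to 12 octets, plus the birthday bound that turns 96 bits into the "2^48 or so" figure. The master secret and handshake transcript are constructed sample values.

```python
import hashlib
import hmac
import math

# Constructed sample inputs (not real session values).
MASTER_SECRET = bytes(range(48))
HANDSHAKE_MESSAGES = b"constructed ClientHello..ServerHello..transcript"

def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha384") -> bytes:
    """RFC 5246 section 5 P_<hash>: HMAC chained over A(i), output cut to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha384") -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return p_hash(secret, label + seed, length, hash_name)

def verify_data(master_secret: bytes, handshake_messages: bytes,
                label: bytes = b"client finished", verify_len: int = 12,
                hash_name: str = "sha384") -> bytes:
    """Finished.verify_data = PRF(master_secret, label, Hash(handshake_messages))[0:verify_len].

    verify_len defaults to the 12 octets (96 bits) discussed in the thread; one P_SHA384
    block is 48 octets, so everything past byte 12 is simply discarded."""
    transcript_hash = hashlib.new(hash_name, handshake_messages).digest()
    return tls12_prf(master_secret, label, transcript_hash, verify_len, hash_name)

def collision_probability(bits: int, samples: int) -> float:
    """Birthday bound: P(some collision among `samples` uniform `bits`-bit values)
    ~= 1 - exp(-samples^2 / 2^(bits+1))."""
    return 1.0 - math.exp(-(samples ** 2) / 2 ** (bits + 1))

def samples_for_probability(bits: int, p: float) -> float:
    """Number of samples at which the birthday collision probability reaches p."""
    return math.sqrt(-(2 ** (bits + 1)) * math.log(1.0 - p))

if __name__ == "__main__":
    print("verify_data (12 octets):", verify_data(MASTER_SECRET, HANDSHAKE_MESSAGES).hex())
    print("P(collision) among 2^48 96-bit values: %.3f" % collision_probability(96, 2 ** 48))
    print("samples for 50%% collision odds: 2^%.2f"
          % math.log2(samples_for_probability(96, 0.5)))
```

Note that the birthday figure only applies to an attacker who can observe that many independent verify_data values; without the master secret, none of them can be steered, which is the logistical point Marsh makes.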
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf