Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,
 I had some discussion with Bart Preneel[0] on the use of a 96-bit
MAC for the Finished messages. His comments were:

"My general advice to IETF was to keep half the bits of the internal
state of the hash function. For HMAC-MD5 this would be 64 bits, for
HMAC-SHA-1 this would be
80 bits and for HMAC-SHA-256 this would be 128 bits.

We now have key recovery attacks on HMAC-MD4 and HMAC-MD5; these
attacks become somewhat harder if the output is truncated (so
I believe that I was right ;-)
NO forgery attacks have been found that exploit the truncation.

In practice, it is better to output the same MAC length for alignment.
64 bits seemed reasonable in 1996.  It turned out that 96 bits gave
better alignment properties than 64 bits.

I believe that a 64-bit MAC is sufficient for most applications, and
a 96-bit MAC is more than enough. I can't see a reason to use a 128-bit MAC."

That said, he suggested against decoupling data authentication from
the security level of the cipher-suites:
"If you are paranoid about security (which you are of you use AES-256)
you should output half the bits of the internal state, so 128 for
SHA-256."

My comments on that is that the discussion on MAC truncation should
apply both to the handshake MAC and the record MAC. If recovering the
master secret was an issue for the handshake MAC, recover of the session
MAC key, should also be an issue, especially since chosen-message
attacks should be considered possible during application data exchange.

To extend it further I think TLS cipher-suites should have a target security
level (e.g. 96 bits, 128 bits) and this should include the TLS Finished
messages MAC as well. Otherwise we end up with combinations of AES-256
and SHA-384 as MAC truncated to 96-bits for the finished messages but
the full 384 bits for the record messages, that IMO does not make much sense.

regards,
Nikos

[0]. http://homes.esat.kuleuven.be/~preneel/

On Mon, Mar 14, 2011 at 11:49 PM, Martin Rex <mrex@xxxxxxx> wrote:
> Nikos Mavrogiannopoulos wrote:
>>
>> On 03/14/2011 06:28 PM, Martin Rex wrote:
>> >
>> > That was, what I assume, the fear, based on the second part of this
>> > message from Dan Simon
>> > Â Âhttp://lists.w3.org/Archives/Public/ietf-tls/1996OctDec/0224.html
>> > and the second part of this message from Hugo Krawczyk
>> > Â Âhttp://lists.w3.org/Archives/Public/ietf-tls/1996OctDec/0231.html
>> >
>> > Since the TLSv1.0 finished message was defined based on the output
>> > of the TLS PRF (a function with indefinite output length),
>> > defining a truncation was inevitable. Â:)
>>
>> Indeed. It seems the messages you list summarize that design decision
>> in a nice way. The concerns for the one-wayness of the MAC used lead
>> to that truncation. That way one-wayness is ensured by discarding data
>> at the cost of having a weaker MAC. I don't know if the current
>> construction can be extended for a longer size without implications.
>
> The concern with the one-wayness of the hashes was about >SSLv3<
> and how it computed its Finished message:
>
> Â Â enum { client(0x434C4E54), server(0x53525652) } Sender;
>
> Â Â struct {
> Â Â Â Â opaque md5_hash[16];
> Â Â Â Â opaque sha_hash[20];
> Â Â } Finished;
>
>   md5_hash    MD5(master_secret + pad2 +
> Â Â Â Â Â Â Â Â Â Â Â ÂMD5(handshake_messages + Sender +
> Â Â Â Â Â Â Â Â Â Â Â Â Â Âmaster_secret + pad1));
>   sha_hash    ÂSHA(master_secret + pad2 +
> Â Â Â Â Â Â Â Â Â Â Â Â SHA(handshake_messages + Sender +
> Â Â Â Â Â Â Â Â Â Â Â Â Â Â master_secret + pad1));
>
>   handshake_messages  ÂAll of the data from all handshake messages
> Â Â Â Â Â Â Â Â Â Â Â Â Â up to but not including this message. ÂThis
> Â Â Â Â Â Â Â Â Â Â Â Â Â is only data visible at the handshake layer
> Â Â Â Â Â Â Â Â Â Â Â Â Â and does not include record layer headers.
>
>
> Personally, I'm having difficulties to see how exactly it would leak the
> master_secret if MD5 was found to be fully invertable.
>
> The MD5 output is 128 bits = 16 bytes, and the input is *MUCH* larger
> than 128 bits. ÂThe master_secret should is 48 bytes alone. ÂEven if one is
> successful at inverting MD5, one can not undo the collisions from
> the Finished computation caused by the compression of a much larger
> input into a 128 bit output value.
>
> Anyhow, I do see the new Finished computation algorithm in TLSv1.0 as a
> sensible change in the TLS design.
>
>
> -Martin
>
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]