Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/14/2011 05:49 PM, Martin Rex wrote:

The MD5 output is 128 bits = 16 bytes, and the input is *MUCH* larger
than 128 bits.  The master_secret should is 48 bytes alone.  Even if one is
successful at inverting MD5, one can not undo the collisions from
the Finished computation caused by the compression of a much larger
input into a 128 bit output value.

You could accumulate multiple samples, perhaps even with session resumption where the Finished message is sent by the server without the chance to authenticate the client first.

Normally you even don't get to see the Finished.verify_data without breaking the encryption or downgrading to no encryption. But 40-bit encryption and "integrity only" connections were fully supported use cases back in those days.

If they had really wanted to leverage the 16 or 20 byte bottleneck of MD5 and SHA-1, they should have padded the master_secret from 384 to 512 bits (the input block size) before putting it into the hash function.

- Marsh
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]