
RE: [TLS] PRF in TLS 1.2



>> "If it ain't broke, don't fix it"?
>
>I would phrase it as "make the most minimal change possible"

:-)

>> Will using SHA-1 only result in a weaker PRF than the TLS 1.1 PRF,
>> which uses both MD5 and SHA-1?
>
>This would be a good question to direct at Dan Simon or Hugo Krawczyk.
>My intuition is that because the secret is split between the two
>hashes in the current PRF, this PRF would be arguably stronger
>than the current PRF if MD5 is badly compromised. In any case,
>this is a general question of whether we want two hashes
>rather than a detailed one about construction.

A PRF based on one decent hash will be stronger.
Better than a PRF based on two (especially including one that's broken).

>> Is it required that the PRF use label and seed only in the form
>> of their concatenation label + seed?
>
>No, I don't think so

It wouldn't be a good idea to force the PRF into such a use pattern.
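
The two constructions compared in this thread, as an added example that is not part of the original message: the TLS 1.0/1.1 PRF, which splits the secret and XORs P_MD5 with P_SHA-1, beside a single-hash PRF over `label + seed`. The function names and the sample secret are constructed for illustration; the single-hash default is SHA-256, the hash RFC 5246 eventually specified, and any `hashlib` name (including `"sha1"`, as discussed above) can be passed instead.

```python
import hmac

def p_hash(hash_name, secret, seed, n):
    """P_hash (RFC 2246 / RFC 5246): A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:n]

def split_secret(secret):
    """TLS 1.0/1.1 halves: S1 = first ceil(len/2) bytes, S2 = last ceil(len/2).
    For an odd-length secret the middle byte is shared by both halves."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[-half:]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prf_tls11(secret, label, seed, n):
    """TLS 1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    return xor(p_hash("md5", s1, label + seed, n),
               p_hash("sha1", s2, label + seed, n))

def prf_single(secret, label, seed, n, hash_name="sha256"):
    """Single-hash PRF: the whole secret keys one HMAC-based P_hash."""
    return p_hash(hash_name, secret, label + seed, n)

# Constructed sample values (not from any real handshake).
SECRET = bytes(range(48))
SECRET_ALT = SECRET[:24] + bytes(24)      # same S1, different S2
LABEL, SEED = b"master secret", bytes(64)

def md5_term_cancels(n=48):
    """Each hash sees only its half of the secret: when only S2 changes,
    the P_MD5 term is identical in both outputs and cancels under XOR,
    so the output difference is determined by P_SHA-1 alone."""
    diff = xor(prf_tls11(SECRET, LABEL, SEED, n),
               prf_tls11(SECRET_ALT, LABEL, SEED, n))
    sha_only = xor(p_hash("sha1", SECRET[24:], LABEL + SEED, n),
                   p_hash("sha1", SECRET_ALT[24:], LABEL + SEED, n))
    return diff == sha_only

if __name__ == "__main__":
    print("MD5 term cancels when only S2 differs:", md5_term_cancels())
    print("single-hash PRF:", prf_single(SECRET, LABEL, SEED, 48).hex())
```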
