
Re: [TLS] PRF in TLS 1.2



My thought is that even if one of the hash algorithms is badly broken,
the fact that more than one hash is being used means that a 'hedge'
exists against that possibility.

MD5 may be able to be broken.  SHA1 may be able to be broken.
However, their outputs both rely on the original input for their
value, such that 1 bit of entropy in the input leads basically to 1
bit of entropy in the output.

As well, I haven't heard of anyone being able to create a bitstring
that will go through both hashes to form an identical bit pattern from
both of them.  So, even if MD5 is broken (such that a valid message
can be created for message injection/session hijack), the fact that
another cipher suite is also in use arguably provides at least as much
security as using that cipher suite alone, and hypothetically more.
(I cannot attest to theory.)  Especially if the outputs are XORed
together -- if SHA1 cannot be predicted but MD5 can, there's still the
entire output space of 160 bits to go through.  If SHA1 can be
predicted but MD5 cannot, then there's still 128 bits of output space
to go through.  (Believing that (SHA1 & MD5) has the same amount of
entropy as (sizeof(SHA1) + sizeof(MD5)) is a fallacy; it has the
amount of entropy that the largest unpredictable one gives.)

-Kyle H

On 9/26/06, Blumenthal, Uri <uri.blumenthal@xxxxxxxxx> wrote:
>> "If it ain't broke, don't fix it"?
>
>I would phrase it as "make the most minimal change possible"

:-)

>> Will using SHA-1 only result in a weaker PRF than the TLS 1.1 PRF,
>> which uses both MD5 and SHA-1?
>
>This would be a good question to direct at Dan Simon or Hugo Krawczyk.
>My intuition is that because the secret is split between the two
>hashes in the current PRF, this PRF would be arguably stronger
>than the current PRF if MD5 is badly compromised. In any case,
>this is a general question of whether we want two hashes
>rather than a detailed one about construction.

A PRF based on one decent hash will be stronger.
Better than a PRF based on two (especially including one that's broken).

>> Is it required that the PRF use label and seed only in the form
>> of their concatenation label + seed?
>
>No, I don't think so

It wouldn't be a good idea to force the PRF into such a use pattern.

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls



--

-Kyle H
