[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] PRF in TLS 1.2

To: aerowolf@xxxxxxxxx, uri.blumenthal@xxxxxxxxx
Subject: Re: [TLS] PRF in TLS 1.2
From: pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)
Date: Wed, 27 Sep 2006 19:33:33 +1200
Cc: tls@xxxxxxxx
In-reply-to: <6b9359640609262135q2e60d85dxafedfbfdea4d7232@xxxxxxxxxxxxxx>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>

"Kyle Hamilton" <aerowolf@xxxxxxxxx> writes:

>My thought is that even if one of the hash algorithms is badly broken,
>the fact that more than one hash is being used means that a 'hedge'
>exists against that possibility.
>
>MD5 may be able to be broken.  SHA1 may be able to be broken.
>However, their outputs both rely on the original input for their
>value, such that 1 bit of entropy in the input leads basically to 1
>bit of entropy in the output.
>
>As well, I haven't heard of anyone being able to create a bitstring
>that will go through both hashes to form an identical bit pattern from
>both of them.  So, even if MD5 is broken (such that a valid message
>can be created for message injection/session hijack), the fact that
>another cipher suite is also in use arguably provides at least as much
>security as using that cipher suite alone, and hypothetically more.
>(I cannot attest to theory.)  Especially if the outputs are XORed
>together -- if SHA1 cannot be predicted but MD5 can, there's still the
>entire output space of 160 bits to go through.  If SHA1 can be
>predicted but MD5 cannot, then there's still 128 bits of output space
>to go through.  (Believing that (SHA1 & MD5) has the same amount of
>entropy as (sizeof(SHA1) + sizeof(MD5)) is a fallacy; it has the
>amount of entropy that the largest unpredictable one gives.)

I agree with everything in the above text.  This is a completely
unnecessary change, it gratuitously breaks compatibility with the
existing PRF, it provides no extra security (that anyone knows of), and
by eliminating the current belt-and-suspenders design, it may even reduce
the overall security.  If new research appears showing that (a) there's
a problem in the current design and (b) a new, demonstrably more secure
design, then let's switch.  But changing the design simply because we
haven't changed anything else for awhile and we need to meet some 
quota for new text in the next draft (or whatever's motivating the
current change) is not only pointless, it's counterproductive.

Peter.

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- RE: [TLS] PRF in TLS 1.2
  - From: Pasi Eronen
- Re: [TLS] PRF in TLS 1.2
  - From: David Hopwood

References:
- Re: [TLS] PRF in TLS 1.2
  - From: Kyle Hamilton

Prev by Date: Re: [TLS] PRF in TLS 1.2
Next by Date: Re: [TLS] PRF in TLS 1.2
Previous by thread: Re: [TLS] PRF in TLS 1.2
Next by thread: Re: [TLS] PRF in TLS 1.2
Index(es):
- Date
- Thread