
RE: [TLS] PRF in TLS 1.2

David Hopwood wrote:
> I also agree. Note that for the foreseeable future, because
> implementations would support versions with both new and old PRFs,
> the attacker has a choice which one to try and break. So even if,
> for the sake of argument, there were a security problem with the old
> PRF, changing it still would not increase security; it can only
> potentially decrease it.

This is a problem in many transitions; however, our WG charter
explicitly lists removing dependency on MD5 and SHA-1 as our primary
goal. So, at least it must be somehow possible to configure two TLS 1.2
endpoints in a mode that doesn't use MD5 or SHA-1 at all.

This is not a configuration you'd want to use for your web browser 
or server in 2006 (or even 2010 probably), but hopefully eventually. 
We are starting to get rid of SSL2 and 40-bit ciphersuites, after all.

There are quite a few ways in which we could achieve that functionality
in TLS 1.2, though; how would you modify Eric's proposal to avoid
the problems you mention?

> (Note that if you can break the PRF, you can also break any
> protection against version rollback -- not that that protection was
> particularly robust to start with.)

Wouldn't breaking the rollback protection require breaking the PRF
essentially in real-time? 

Best regards,
Pasi 
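The two PRF constructions under discussion, as an added example that is not part of this thread and not Eric's proposal: the code implements the TLS 1.0/1.1 PRF (P_MD5 XOR P_SHA-1, with MD5 and SHA-1 hard-wired) next to the hash-parameterised single-P_hash PRF that TLS 1.2 eventually standardised in RFC 5246, and derives a Finished.verify_data from the PRF over a handshake transcript to show why a version rollback has to defeat the PRF before the handshake completes. The transcript bytes, the master secret and the helper names are constructed for the demonstration and are not real TLS encoding.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """Data-expansion function P_<hash> from RFC 5246, section 5.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)) and
    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) ||
                           HMAC_hash(secret, A(2) + seed) || ...
    truncated to the requested number of bytes.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()           # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246): one P_<hash> keyed by the whole secret.

    The hash is a parameter of the ciphersuite, so two endpoints can be
    configured so that neither MD5 nor SHA-1 is used anywhere in the PRF.
    """
    return p_hash(hash_name, secret, label + seed, length)


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246/4346): P_MD5(S1) XOR P_SHA-1(S2).

    The secret is split into halves S1 and S2 (overlapping by one byte
    when its length is odd); both MD5 and SHA-1 are hard-wired.
    """
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def finished_verify_data(master_secret, handshake_messages, is_client,
                         hash_name="sha256"):
    """Finished.verify_data for TLS 1.2 (RFC 5246, section 7.4.9).

    verify_data = PRF(master_secret, finished_label,
                      Hash(handshake_messages))[0:12]
    Every handshake message, including the version fields of the Hello
    messages, is covered by the hash, so a changed version goes unnoticed
    only if the PRF output can be forged before the handshake completes.
    """
    label = b"client finished" if is_client else b"server finished"
    transcript_hash = hashlib.new(hash_name, handshake_messages).digest()
    return tls12_prf(master_secret, label, transcript_hash, 12, hash_name)


# Constructed, simplified transcript (not real TLS handshake encoding):
# a stand-in ClientHello advertising version 3,3 and a stand-in ServerHello.
FAKE_CLIENT_HELLO = b"ClientHello version=\x03\x03 random=" + b"A" * 32
FAKE_SERVER_HELLO = b"ServerHello version=\x03\x03 random=" + b"B" * 32
FAKE_MASTER_SECRET = b"\x11" * 48  # constructed 48-byte master secret


def rollback_changes_verify_data():
    """True if rewriting the advertised version in the transcript changes
    the client's verify_data, i.e. the PRF-based Finished check would
    reject the modified handshake."""
    honest = FAKE_CLIENT_HELLO + FAKE_SERVER_HELLO
    # Transcript as it would look if the client's version were rewritten
    # to 3,1 (TLS 1.0) on the wire while the client still hashes 3,3.
    downgraded = honest.replace(b"version=\x03\x03", b"version=\x03\x01", 1)
    vd_honest = finished_verify_data(FAKE_MASTER_SECRET, honest, True)
    vd_downgraded = finished_verify_data(FAKE_MASTER_SECRET, downgraded, True)
    return vd_honest != vd_downgraded


if __name__ == "__main__":
    secret, label, seed = b"\x00" * 48, b"key expansion", b"S" * 64
    print("TLS 1.2 (SHA-256) key block:", tls12_prf(secret, label, seed, 40).hex())
    print("TLS 1.0 (MD5/SHA-1) key block:", tls10_prf(secret, label, seed, 40).hex())
    print("rollback changes verify_data:", rollback_changes_verify_data())
```

The point of the side-by-side form is the one made in the thread: with the TLS 1.0 construction every endpoint depends on both MD5 and SHA-1 no matter what ciphersuite it negotiates, whereas in the parameterised form the PRF hash follows the ciphersuite, so a "no MD5, no SHA-1" configuration is expressible. The Finished check also illustrates the timing question: the verify_data is checked inside the same handshake, so a rollback attempt must produce a valid PRF output before that handshake finishes.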

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls