Re: [TLS] Truncated HMAC

[Casey Marshall <csm@xxxxxxx>]

On Nov 16, 2006, at 12:31 PM, Mike wrote:

> Casey Marshall wrote:
> > On Nov 15, 2006, at 5:02 PM, Mike wrote:
> > > I have a question regarding the truncated HMAC extension.
> > > When this extension is negotiated, the spec says that
> > > CipherSpec.hash_size is 10 bytes.  So does that mean I
> > > should only generate 10 bytes for each MAC secret?
> >  From RFC 4366, section 3.5:
> > "Note that this extension does not affect the calculation of the  
> > pseudo-random function (PRF) as part of handshaking or key  
> > derivation."
>
> I saw that, but interpreted it to mean that the HMAC used in the
> PRF itself is not truncated.  It is still unclear to me whether
> saying "CipherSpec.hash_size = 10" means that the MAC secrets
> should be 10 bytes.  My implementation currently computes the
> MAC secrets the same whether HMAC truncation is specified or not.
> However, I think the spec. could be clarified to say that the
> secrets are not reduced to 10 bytes (if that's the intention).
> I suggest getting rid of the statement that CipherSpec.hash_size
> changes when the extension is used.

But still, RFC 4346 says the key_block is split as:

> client_write_MAC_secret[SecurityParameters.hash_size]
> server_write_MAC_secret[SecurityParameters.hash_size]

i.e., "CipherSpec.hash_size" isn't used here. I think the intention  
is that only the final MAC value sent in the record is truncated, and  
nothing else. This is certainly how my implementation works.

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls