Re: [TLS] Serious crypto problem fixed by envelope HMAC method instead of currently used prefix
On Mon, Nov 20, 2006 at 10:08:35AM -0500, Omirjan Batyrbaev wrote:
> I agree that the inclusion of the length value has merit. But only if the
> peer checks the length value.
> With the proposed envelope method even if the peer does not check the length
> value the MAC can not be forged.
> Isn't it better to use a more robust envelope method instead? It is a small
> change to the spec and implementations.
TLS uses HMAC, which *is* a "robust envelope method", and is not
subject to the attacks that you mentioned -- so there's no need to
change any of this in TLS. Your attacks would apply to a plain SHA-1
of the key followed by the message, but that's not what HMAC does:
http://www-cse.ucsd.edu/~mihir/papers/hmac.html
http://en.wikipedia.org/wiki/HMAC
Bodo
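As an added illustration (not part of Bodo's reply or the TLS specification), the nested HMAC construction the reply refers to, written out in Python next to the plain prefix construction SHA-1(key || message) it is contrasted with; the key and message below are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 input block length in bytes (RFC 2104 "B")


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 from the RFC 2104 / Bellare-Canetti-Krawczyk definition:
    H((K xor opad) || H((K xor ipad) || msg))."""
    # Keys longer than one block are hashed first; shorter keys are zero-padded to B bytes.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad_key + msg).digest()
    # The outer, keyed hash wraps the inner digest, so the value a verifier sees is
    # never a raw Merkle-Damgard state of key||message (the "envelope").
    return hashlib.sha1(opad_key + inner).digest()


def prefix_mac_sha1(key: bytes, msg: bytes) -> bytes:
    """The plain prefix construction the reply says the attacks would apply to."""
    return hashlib.sha1(key + msg).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    return hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a received tag against the recomputed HMAC."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample value
    msg = b"constructed TLS record payload"  # constructed sample value
    print("HMAC-SHA1  :", hmac_sha1(key, msg).hex())
    print("prefix MAC :", prefix_mac_sha1(key, msg).hex())
    print("stdlib ok  :", matches_stdlib(key, msg))
```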
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls