
Re: [TLS] Issue 66: HMAC-256 based ciphersuites



I think that we should provide cipher suites with uniform cryptographic strength. We should use the NIST "bits of security" metric to match the encryption key size and type as well as the HMAC type. Use SHA 256 for AES128, etc.
 
Ken Peirce
 

"MIURA, Fumiaki" <miura.fumiaki@xxxxxxxxxxxxx> wrote:
At Wed, 09 Jan 2008 10:30:17 +0100, Florian Weimer wrote:
>
> * Fumiaki MIURA:
>
> > At Tue, 8 Jan 2008 12:53:25 +0200, wrote:
> >> TLS_RSA_WITH_AES_256_CBC_SHA256
> >
> > Why not SHA512 for AES256?
> >
> > For example, FIPS 180-2 says that `security (bits)' for SHA-512 is 256
> > on page 3.
>
> Does this estimate also apply when using SHA-512 as a building block
> for an HMAC?

I think yes, theoretically.

"Message authentication using hash functions: The HMAC construction"
says:
| As shown in [12, 2], birthday attacks, that are
| the basis to finding collisions in cryptographic hash
| functions, can be applied to attack also keyed MAC
| schemes based on iterated functions (including also
| CBC-MAC, and other schemes). These attacks apply
| to most (or all) of the proposed hash-based
| constructions of MACs.

But I don't know of any realistic attacks if we properly refresh the
key.


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
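
An added example, not part of the original thread: a toy HMAC over a Merkle-Damgard hash, showing that the number of messages tagged under one key before two of them share an inner chaining state follows the birthday bound in the state width, which is the effect the quoted HMAC paper describes and the reason the message count per key matters. The 16-bit state, 8-byte block, key, probe suffixes and all function names are assumptions constructed for the demonstration.

```python
import hashlib
import math

STATE_BYTES = 2  # assumed toy chaining value: 16 bits (SHA-256: 256, SHA-512: 512)
BLOCK = 8        # assumed toy block size in bytes

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(state || block) cut to STATE_BYTES."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]

def toy_hash(msg: bytes) -> bytes:
    """Merkle-Damgard iteration over compress() with length padding."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 4) % BLOCK) + len(msg).to_bytes(4, "big")
    state = b"\x00" * STATE_BYTES
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC (ipad/opad) over toy_hash; key must be at most BLOCK bytes here."""
    key = key.ljust(BLOCK, b"\x00")
    inner = toy_hash(bytes(k ^ 0x36 for k in key) + msg)
    return toy_hash(bytes(k ^ 0x5C for k in key) + inner)

def messages_until_state_collision(key: bytes, limit: int = 1 << 16):
    """Tag one-block messages under a single key until two share the inner
    chaining state. Returns (messages_tagged, m1, m2), or None if not found."""
    probes = (b"constructed-suffix-A", b"constructed-suffix-B")
    first_with_tag = {}
    for n in range(limit):
        msg = n.to_bytes(BLOCK, "big")
        other = first_with_tag.setdefault(toy_hmac(key, msg), msg)
        # Equal inner state survives any common suffix; a collision that
        # happened only in the outer hash does not.
        if other != msg and all(
            toy_hmac(key, other + s) == toy_hmac(key, msg + s) for s in probes
        ):
            return n + 1, other, msg
    return None

def birthday_estimate(state_bits: int) -> float:
    """Expected messages before a collision in a state of state_bits bits."""
    return math.sqrt(math.pi / 2 * 2 ** state_bits)

if __name__ == "__main__":
    count, m1, m2 = messages_until_state_collision(b"demo-key")
    print(f"16-bit state: collision after {count} messages "
          f"(estimate {birthday_estimate(16):.0f})")
    for bits in (256, 512):  # SHA-256 and SHA-512 chaining values
        print(f"{bits}-bit state: about 2^{math.log2(birthday_estimate(bits)):.1f}")
```

With the toy 16-bit state the collision appears after a few hundred messages; the same estimate for 256-bit and 512-bit chaining values is on the order of 2^128 and 2^256 messages under one key.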
