At 8:20 AM +0100 3/11/11, Nikos Mavrogiannopoulos wrote:
> What Peter probably meant to say was that IPsec chose to truncate the
HMAC value to 96 bits because that preserved IPv4 and IPv6
byte-alignment for the payload. Also, as others have noted, the hash
function used here is part of an HMAC calculation, and any collisions
have to be real-time exploitable to be of use to an attacker. Thus
96 buts was viewed as sufficient.
This sounds pretty awkward decision because HMAC per record is full
(e.g. 160-bits on SHA-1), but the MAC on the handshake message
"signature" is truncated to 96-bits. Why wasn't the record MAC
truncated as well? In any case saving few bytes per handshake
is much less of value than saving few bytes per record. Was
there any other rationale for truncation?
I think you lost the context here. I was explaining why IPsec chose
to truncate the hash, not TLS.
Ietf mailing list