On 03/14/2011 05:49 PM, Martin Rex wrote:
> The MD5 output is 128 bits = 16 bytes, and the input is *MUCH* larger
> than 128 bits. The master_secret alone is 48 bytes. Even if one is
> successful at inverting MD5, one cannot undo the collisions from
> the Finished computation caused by the compression of a much larger
> input into a 128 bit output value.
You could accumulate multiple samples, perhaps even with session
resumption where the Finished message is sent by the server without the
chance to authenticate the client first.
Normally you don't even get to see the Finished.verify_data without
breaking the encryption or downgrading to no encryption. But 40-bit
encryption and "integrity only" connections were fully supported use
cases back in those days.
If they had really wanted to leverage the 16 or 20 byte bottleneck of
MD5 and SHA-1, they should have padded the master_secret from 384 to 512
bits (the input block size) before putting it into the hash function.
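For readers who want to see the computation the thread is arguing about, here is an added example (not code from either poster) that implements the SSLv3 Finished body from RFC 6101 section 5.6.9 and the TLS 1.0 verify_data from RFC 2246 sections 5 and 7.4.9 with Python's standard hashlib/hmac. The master_secret and handshake transcript below are constructed placeholders, not values from a real handshake. The point it makes concrete is the size bottleneck: a 48-byte (384-bit) master_secret plus the whole handshake transcript is squeezed into 36 bytes (MD5 16 + SHA-1 20) in SSLv3 and into only 12 bytes in TLS 1.0, and in SSLv3 the master_secret is followed by a fixed 48- or 40-byte pad rather than being padded out to the 64-byte compression-function block size.

```python
import hashlib
import hmac

# Constructed sample inputs (not captured from any real connection).
MASTER_SECRET = bytes(range(48))   # 48 bytes = 384 bits, as in SSLv3 / TLS 1.0
HANDSHAKE_MESSAGES = (b"ClientHello|ServerHello|Certificate|"
                      b"ServerHelloDone|ClientKeyExchange")   # everything before Finished

# SSLv3 Finished (RFC 6101 sec. 5.6.9).  Sender is a 4-byte tag.
SSL3_SENDER_CLIENT = b"CLNT"   # 0x434C4E54
SSL3_SENDER_SERVER = b"SRVR"   # 0x53525652


def ssl3_finished(master_secret: bytes, handshake_messages: bytes, sender: bytes) -> bytes:
    """Return the 36-byte SSLv3 Finished body: md5_hash (16) || sha_hash (20).

    hash(master_secret + pad2 + hash(handshake_messages + Sender + master_secret + pad1))
    pad1/pad2 are 48 bytes for MD5 and 40 bytes for SHA-1 (not a full 64-byte block).
    """
    def nested(hash_name: str, pad_len: int) -> bytes:
        pad1 = b"\x36" * pad_len
        pad2 = b"\x5c" * pad_len
        inner = hashlib.new(hash_name,
                            handshake_messages + sender + master_secret + pad1).digest()
        return hashlib.new(hash_name, master_secret + pad2 + inner).digest()

    return nested("md5", 48) + nested("sha1", 40)


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion from RFC 2246 sec. 5: HMAC(secret, A(i) + seed) chained."""
    out = b""
    a = seed                                               # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2                          # halves overlap by one byte if odd
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def tls10_verify_data(master_secret: bytes, handshake_messages: bytes, is_client: bool) -> bytes:
    """12-byte TLS 1.0 verify_data (RFC 2246 sec. 7.4.9)."""
    label = b"client finished" if is_client else b"server finished"
    handshake_hash = (hashlib.md5(handshake_messages).digest()
                      + hashlib.sha1(handshake_messages).digest())
    return tls10_prf(master_secret, label, handshake_hash, 12)


def output_sizes(master_secret: bytes, handshake_messages: bytes) -> dict:
    """Input versus output sizes in bits, to show the compression the thread discusses."""
    return {
        "master_secret_bits": len(master_secret) * 8,
        "ssl3_finished_bits": len(ssl3_finished(master_secret, handshake_messages,
                                                SSL3_SENDER_CLIENT)) * 8,
        "tls10_verify_data_bits": len(tls10_verify_data(master_secret, handshake_messages,
                                                        True)) * 8,
    }


if __name__ == "__main__":
    print("SSLv3 client Finished:",
          ssl3_finished(MASTER_SECRET, HANDSHAKE_MESSAGES, SSL3_SENDER_CLIENT).hex())
    print("TLS 1.0 client verify_data:",
          tls10_verify_data(MASTER_SECRET, HANDSHAKE_MESSAGES, True).hex())
    print(output_sizes(MASTER_SECRET, HANDSHAKE_MESSAGES))
```

Both functions are deterministic in (master_secret, transcript, sender), which is exactly why an observer who can read verify_data (over a 40-bit or integrity-only connection, as the thread notes) collects samples that are all functions of the same 384-bit secret but individually expose far fewer bits than that; the transcript also enters the hash, so the values differ per handshake even with session resumption.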