On Tue, Mar 8, 2011 at 10:45 AM, Martin Rex <mrex(_at_)sap(_dot_)com> wrote:
Eric Rescorla wrote:
Marsh Ray wrote:
I think he's arguing that anything cut down to 96 bits represents a lousy
hash function allowing practical collisions on today's hardware.
Perhaps, but this isn't a digest but rather a MAC, and so the attack
model is different.
You seem to be forgetting that the finished messages have been reused
for other purposes already:
No, I'm not forgetting that. That doesn't change the fact that the
computation is
a MAC.
RFC-5929 TLS Channel Bindings
RFC-5746 TLS extension Renegotiation indication
I'm sorry, but I think it is a bad idea to use a flawed design for
the TLS finished message by subverting the collision resistence
of stronger secure hash functions that are used for the PRF.
Yes, I realize you think that, but until you offer a cryptographic
argument for that
opinion I guess we're just going to have to disagree.
-Ekr
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf