
Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

2011-03-09 10:58:51
On 03/08/2011 09:59 AM, Martin Rex wrote:

> To me, truncating the output of a SHA-384 PRF to 12 octets looks like
> an unreasonable cutdown of the security margin for the Finished messages.

I agree.

Last I looked into it, I came to the conclusion that collisions of any efficient 96 bit hash function are likely within range of today's supercomputers and botnets.

But the logistics of it probably make it impractical for an actual attack. You need the master secret to manipulate the verify_data in any valid way (and if the attacker had that there'd be no security left to attack anyway). Otherwise, a useful attack on the finished message probably has to involve 2^48 or so live network connections to collide among.

- Marsh
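As an added illustration (not part of this thread or any poster's code), here is the RFC 5246 PRF and Finished computation the two messages refer to, run with SHA-384 so the 12-octet truncation can be compared against the full 48-octet output, together with the birthday bound behind the 2^48 figure. The master secret and handshake transcript are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the thread): a 48-byte master secret and a fake transcript.
MASTER_SECRET = bytes(range(48))
HANDSHAKE_MESSAGES = b"ClientHello...ServerHello...ClientKeyExchange (constructed transcript)"


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha384") -> bytes:
    """TLS 1.2 P_hash (RFC 5246, section 5): HMAC-based expansion of seed to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int, hash_name: str = "sha384") -> bytes:
    """PRF(secret, label, seed) = P_hash(secret, label + seed)."""
    return p_hash(secret, label + seed, length, hash_name)


def verify_data(master_secret: bytes, finished_label: bytes, handshake_messages: bytes,
                verify_data_length: int = 12, hash_name: str = "sha384") -> bytes:
    """Finished.verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0:verify_data_length].

    RFC 5246 keeps verify_data_length at 12 octets regardless of the PRF hash unless the cipher
    suite specifies a longer value; that truncation is the security margin the thread argues about.
    """
    transcript_hash = hashlib.new(hash_name, handshake_messages).digest()
    return tls12_prf(master_secret, finished_label, transcript_hash, verify_data_length, hash_name)


def birthday_bound_log2(output_bits: int) -> float:
    """log2 of the number of random n-bit values at which a collision becomes likely (about 2^(n/2))."""
    return output_bits / 2


if __name__ == "__main__":
    short = verify_data(MASTER_SECRET, b"client finished", HANDSHAKE_MESSAGES)      # 12 octets (96 bits)
    full = verify_data(MASTER_SECRET, b"client finished", HANDSHAKE_MESSAGES, 48)   # full SHA-384 width
    print("12-octet verify_data :", short.hex())
    print("48-octet verify_data :", full.hex())
    print("truncation is a prefix:", full.startswith(short))
    print("values needed for a likely collision: 2^%d (96-bit) vs 2^%d (384-bit)"
          % (birthday_bound_log2(96), birthday_bound_log2(384)))
```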