
Re: [TLS] Last Call: <draft-kanno-tls-camellia-00.txt> (Additionx

2011-03-11 08:50:25
If your question is why did the TLS WG decide to do this back in like
1996 or so?

If so, it would require a real archive search to get a definitive
answer, but my vague
memory is that (a) it was suggested by one of the cryptographers in
the group, e.g.
Hugo Krawczyk or Ran Canetti and (b) it was motivated by the desire to
limit the amount of information disclosed about the MS (remember that it used to
be 36 bits!). I don't recall why 12 bytes rather than 16 bytes or 20 was chosen.

Best,
-Ekr


On Thu, Mar 10, 2011 at 11:20 PM, Nikos Mavrogiannopoulos
<nmav(_at_)gnutls(_dot_)org> wrote:
> On 03/11/2011 12:28 AM, Stephen Kent wrote:
>
> >>> It wasn't any "may have become first popular", there was only
> >>> room for 96 bits of MAC data in the IP packet, so MD5 was
> >>> truncated to that size.
> >>
> >> This is an odd claim, since:
> >>
> >> (a) RFC 1828 (http://tools.ietf.org/html/rfc1828) originally
> >> specified not HMAC but a keyed MD5 variant with a 128-bit output.
> >> (b) The document that Martin points to has MACs > 96 bits long.
> >>
> >> Can you please point to where in IP there is a limit that requires
> >> a MAC no greater than 96 bits.
> >>
> >> -Ekr
> >
> > What Peter probably meant to say was that IPsec chose to truncate the
> > HMAC value to 96 bits because that preserved IPv4 and IPv6
> > byte-alignment for the payload.  Also, as others have noted, the hash
> > function used here is part of an HMAC calculation, and any collisions
> > have to be real-time exploitable to be of use to an attacker.  Thus
> > 96 bits was viewed as sufficient.
>
> This sounds like a pretty awkward decision, because the HMAC per record is
> full (e.g. 160 bits on SHA-1), but the MAC on the handshake message
> "signature" is truncated to 96 bits. Why wasn't the record MAC
> truncated as well? In any case, saving a few bytes per handshake
> is much less of value than saving a few bytes per record. Was
> there any other rationale for truncation?
>
> regards,
> Nikos
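The three quantities the thread compares, written out as an added example that is not part of any message above: the TLS record-layer MAC (RFC 2246 section 6.2.3.1, the full HMAC output, 20 bytes with SHA-1), the Finished message's verify_data (RFC 5246 section 7.4.9, PRF output cut to verify_data_length = 12 bytes, the 96-bit truncation Nikos is asking about), and the IPsec HMAC-SHA-1-96 authenticator (RFC 2404, HMAC-SHA-1 cut to its leftmost 96 bits). The PRF is the TLS 1.2 P_SHA256 construction from RFC 5246 section 5; the TLS 1.0 PRF (P_MD5 XOR P_SHA1 with the secret split) differs in the expansion but truncates verify_data to the same 12 bytes. All keys, the master secret and the handshake transcript bytes are constructed placeholders, not values from any real connection.

```python
"""Added example: record MAC vs. truncated Finished vs. IPsec HMAC-SHA-1-96.

Everything here uses only the Python standard library. The keys, master
secret and transcript are constructed placeholders.
"""
import hashlib
import hmac
import struct


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash data expansion from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
    P_hash = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()          # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash("sha256", secret, label + seed, length)


# RFC 5246: verify_data_length is 12 for every cipher suite defined there.
VERIFY_DATA_LENGTH = 12


def finished_verify_data(master_secret: bytes, handshake_messages: bytes,
                         client: bool = True,
                         length: int = VERIFY_DATA_LENGTH) -> bytes:
    """Finished.verify_data = PRF(master_secret, finished_label,
    Hash(handshake_messages))[0:verify_data_length]."""
    label = b"client finished" if client else b"server finished"
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return tls12_prf(master_secret, label, transcript_hash, length)


def tls_record_mac(mac_key: bytes, seq_num: int, content_type: int,
                   version: bytes, fragment: bytes,
                   hash_name: str = "sha1") -> bytes:
    """TLS 1.0-1.2 record MAC: HMAC over seq_num || type || version || length
    || fragment. The full digest is sent; nothing is truncated."""
    header = (struct.pack("!QB", seq_num, content_type) + version
              + struct.pack("!H", len(fragment)))
    return hmac.new(mac_key, header + fragment, hash_name).digest()


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """RFC 2404 authenticator: the leftmost 96 bits of HMAC-SHA-1."""
    return hmac.new(key, data, "sha1").digest()[:12]


def demo() -> dict:
    """Return the output sizes of the three constructions on placeholder input."""
    master_secret = b"\x11" * 48                 # constructed; a real one is also 48 bytes
    handshake = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
    vd = finished_verify_data(master_secret, handshake)
    rec = tls_record_mac(b"\x22" * 20, 0, 23, b"\x03\x03", b"GET / HTTP/1.1\r\n")
    icv = hmac_sha1_96(b"\x33" * 20, b"\x45\x00" + b"\x00" * 18 + b"esp payload")
    return {"verify_data": len(vd), "record_mac": len(rec), "esp_icv": len(icv)}


if __name__ == "__main__":
    print(demo())   # {'verify_data': 12, 'record_mac': 20, 'esp_icv': 12}
```

Passing a larger `length` to `finished_verify_data` returns the untruncated PRF output whose first 12 bytes are exactly the value put on the wire, which makes the truncation visible as a plain prefix cut rather than a separate computation.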
