Re: [TLS] Issue 49: Finished.verify length

[Mike <mike-list at pobox.com>]

>   Currently Finished.verify_data is always 12 octets. With newer PRFs
>   and hashes, more might be useful. Should this depend on the PRF?
>   
> My take on this is that the 12-octet length is mostly independent
> of the PRF. After all, it's already been truncated from either 
> MD5 or SHA-1. Is there a good security reason to change this?

Since the Finished message is just the output of the PRF itself,
you can specify however much output you want.  In TLS 1.2, the
default PRF is based on HMAC-SHA-256, so 1 iteration of the PRF
generates 32 bytes.  With the Finished message currently using
only 12 bytes of PRF output, we are just throwing away 20 bytes
that could be utilized.  Therefore, the Finished message could
be increased to 32 bytes without impacting performance.

I am not a security expert, but I do know that 32 bytes is a lot
harder to guess than 12.

Mike

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls