Re: [TLS] Issue 49: Finished.verify length

To: Pasi.Eronen at nokia.com
Subject: Re: [TLS] Issue 49: Finished.verify length
From: Bodo Moeller <bmoeller at acm.org>
Date: Fri, 14 Sep 2007 14:13:50 +0200
Cc: tls at ietf.org
In-reply-to: <20070914120310.GA29073@tau.invalid>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <20070914090853.GA20702@tau.invalid> <B356D8F434D20B40A8CEDAEC305A1F2404937712@esebe105.NOE.Nokia.com> <20070914120310.GA29073@tau.invalid>
User-agent: Mutt/1.5.9i

On Fri, Sep 14, 2007 at 02:03:10PM +0200, Bodo Moeller wrote:

>>> But you don't need a very long verify_data.  We also don't need 
>>> very long record-layer MACs.  Both are needed only for real-time
>>> authentication, which cannot be attacked after the fact. 

>> This is true; but reasonable people seem to have different opinions 
>> on what exactly is "sufficiently long". For example, RFC 4106 specifies
>> three different choices for ICV (MAC) length (128/192/256 bits).

> IPsec is a different setting since it is not based on streams (which
> would be aborted in case of a decryption error).  However, this
> reminds me to take DTLS into account, so yes, we possibly might need
> long record-layer MACs (just for consistency for DTLS, not for actual
> TLS security reasons).
> 
> Of course, the Finished message payload (verify_data) still will have
> to be processed just once.  (An incorrect record-layer MAC is just a
> reason to discard this particular packet in DTLS, but if the
> record-layer MAC is correct and the verify_data isn't, then this
> is a very bad sign, and the session should be canceled.)

Oops, I forgot to make explicit what follows from this --:

While longer MACs makes sense for protocols such as IPsec and DTLS,
this doesn't mean that we have a similar reason to use longer
verify_data fields with DTLS.

Bodo


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

References:
- Re: [TLS] Issue 49: Finished.verify length
  - From: Bodo Moeller
- RE: [TLS] Issue 49: Finished.verify length
  - From: Pasi.Eronen
- Re: [TLS] Issue 49: Finished.verify length
  - From: Bodo Moeller

Prev by Date: Re: [TLS] Issue 49: Finished.verify length
Next by Date: RE: [TLS] Issue 49: Finished.verify length
Previous by thread: Re: [TLS] Issue 49: Finished.verify length
Next by thread: RE: [TLS] Issue 49: Finished.verify length
Index(es):
- Date
- Thread

Re: [TLS] Issue 49: Finished.verify length

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.