Re: [TLS] Issue 66: HMAC-256 based ciphersuites
At Wed, 09 Jan 2008 10:30:17 +0100, Florian Weimer wrote:
>
> * Fumiaki MIURA:
>
> > At Tue, 8 Jan 2008 12:53:25 +0200, <Pasi.Eronen at nokia.com> wrote:
> >> TLS_RSA_WITH_AES_256_CBC_SHA256
> >
> > Why not SHA512 for AES256?
> >
> > For example, FIPS 180-2 says that `security (bits)' for SHA-512 is 256
> > on page 3.
>
> Does this estimate also apply when using SHA-512 as a building block
> for an HMAC?
I think yes, theoretically.
"Message authentication using hash functions: The HMAC construction"
<URL: http://www-cse.ucsd.edu/users/mihir/papers/hmac-cb.pdf> says:
| As shown in [12, 2], birthday attacks, that are
| the basis to finding collisions in cryptographic hash
| functions, can be applied to attack also keyed MAC
| schemes based on iterated functions (including also
| CBC-MAC, and other schemes). These attacks apply
| to most (or all) of the proposed hash-based
| constructions of MACs.
But I don't know of any realistic attacks if we properly refresh the
key.