[TLS] rfc4366-bis-03 Discuss #3: Applicability of MAC Truncation
Section 7 of the rfc4366-bis-03 draft states:
---------------------------snip----------------------
! Currently defined TLS cipher suites use the MAC construction HMAC
! with either MD5 or SHA-1 [RFC2104] to authenticate record layer
communications. In TLS, the entire output of the hash function is
used as the MAC tag. However, it may be desirable in constrained
environments to save bandwidth by truncating the output of the hash
function to 80 bits when forming MAC tags.
...
! Note that if new cipher suites are added that do not use HMAC, and
! the session negotiates one of these cipher suites, this extension
will have no effect. It is strongly recommended that any new cipher
suites using other MACs consider the MAC size an integral part of the
cipher suite definition, taking into account both security and
bandwidth considerations.
---------------------------snip----------------------
Obviously, the first statement (taken over from RFC 4366) is
outdated by TLS v1.2 and the cipher suites defined in RFC 5246
and more recent documents, which have introduced the SHA-2
family of hashes into the HMACs for TLS.

The first sentence of the latter paragraph already applies to the
combined (AEAD) algorithms like GCM.

The utility of truncating SHA-2 hashes to 80 bits is questionable.

Thus, a couple of questions arise:

- Do we need MAC truncation for the SHA-2 family based HMACs?
- If yes, is truncation to 80 bits appropriate?
- Or should the extension be expanded to allow specification of
  the truncation length?
  (Compatibility issues?)
- Or do we need a complementary extension that allows the
  explicit specification of the truncation length?
- Should the applicability of the Truncated (H)MAC extension be
  restricted to cipher suites using HMAC-MD5 or HMAC-SHA1?
- Should the applicability be clearly restricted to cipher
  suites using HMAC, excluding all AEAD cipher suites and/or
  future cipher suites using other MACs (e.g., SIV)?

Any opinions? Further considerations?

Kind regards,
Alfred.
--
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. |
| Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 |
| D-71254 Ditzingen | E-Mail: ah at TR-Sys.de |
+------------------------+--------------------------------------------+
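
The following is an added example, not part of the original message or of the draft. It computes an 80-bit truncated record MAC for HMAC with different hashes and the bytes saved per record, which is the trade-off the questions above turn on. It assumes the TLS 1.2 record MAC input from RFC 5246 (sequence number, type, version, length, fragment) and truncation to the leftmost 10 bytes; the function names, key and payload are constructed for illustration.

```python
import hashlib
import hmac
import struct

TRUNCATED_LEN = 10  # 80 bits, the truncation length quoted from Section 7


def record_mac(hash_name, mac_key, seq_num, content_type, version, fragment):
    """Full HMAC over the TLS 1.2 record MAC input (assumed per RFC 5246)."""
    # uint64 seq_num, uint8 type, uint16 version, uint16 length, network order
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hash_name).digest()


def truncated_record_mac(hash_name, mac_key, seq_num, content_type, version, fragment):
    """Leftmost 80 bits of the full HMAC output."""
    full = record_mac(hash_name, mac_key, seq_num, content_type, version, fragment)
    return full[:TRUNCATED_LEN]


def verify_truncated(hash_name, mac_key, seq_num, content_type, version, fragment, tag):
    """Constant-time check; a tag of any other length is rejected outright."""
    expected = truncated_record_mac(
        hash_name, mac_key, seq_num, content_type, version, fragment
    )
    return len(tag) == TRUNCATED_LEN and hmac.compare_digest(expected, tag)


def bytes_saved_per_record(hash_name):
    """Bandwidth saved per record by truncating this hash's HMAC to 80 bits."""
    return hashlib.new(hash_name).digest_size - TRUNCATED_LEN


if __name__ == "__main__":
    key = b"\x0b" * 32                      # constructed sample MAC key
    payload = b"constructed record payload"  # constructed sample fragment
    for name in ("md5", "sha1", "sha256", "sha384"):
        full = record_mac(name, key, 0, 23, 0x0303, payload)
        tag = truncated_record_mac(name, key, 0, 23, 0x0303, payload)
        ok = verify_truncated(name, key, 0, 23, 0x0303, payload, tag)
        print(f"HMAC-{name}: full={len(full)}B truncated={len(tag)}B "
              f"saved={bytes_saved_per_record(name)}B verify={ok}")
```
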