At Sat, 24 Jan 2009 14:55:15 +1300, Peter Gutmann wrote:
> >Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those
> >between SSL and TLS. I'm not particularly happy about that either, but it's
> >what we felt was necessary to do a principled job.
>
> It may have been a nicely principled job but what actual problem is the switch
> in hash algorithms actually solving? Making changes of such magnitude to a
> very, very widely-deployed protocol is always a tradeoff between the necessity
> of the change and the pain of doing so. In TLS 1.2 the pain is proportionate
> to the scale of the existing deployed base (i.e. very large) and the necessity
> of doing so appears to be zero. I don't know of any attack or threat to the
> existing dual-hash mechanism that TLS 1.2 addresses, and it may even make
> things worse by switching from the redundant dual-hash (a testament to the
> original SSL designers) to a single algorithm. This is why I called the
> changes "gratuitous", there is no threat that they address - it can even be
> argued (no doubt endlessly) that they make the PRF weaker rather than stronger
> - but they come at considerable cost.
I agree that given the current set of attacks on SHA-1 and MD5, there was no existing attack on the protocol. However, that doesn't mean that improvements in analysis wouldn't lead to such attacks, and so the general feeling of the community was to err on the side of safety. No doubt if we hadn't done so, there would be people screaming about how TLS still used MD5. Indeed, that's how this thread started. So, once again, I don't share your opinions about these changes being gratuitous.

Moreover, the bulk of the changes weren't to the PRF (that's actually quite a trivial change to implement), but rather to have accurate signalling about what combinations of hashes and signatures implementations could support--something that was painfully non-orthogonal in SSLv3 and earlier versions of TLS. Again, one could argue that we could have hacked around this, and indeed the original Bellovin-Rescorla paper described a number of such hacks, but the general feeling of the TLS WG was that it was more important to get it right.

> SSL/TLS is (and has been for many years) part of the Internet infrastructure.
> You don't make significant, totally incompatible changes to the infrastructure
> without very carefully weighing the advantages and disadvantages.

Which we did--including having the very discussion we are having now--and concluded that the course of action we took was the right one. You're of course free to weigh the evidence yourself and come to a different conclusion, and even to hold the opinion that those who agree with you are complete fools, but it's simply not accurate to imply, as you do here, that we didn't think about it.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
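The PRF change the two posts argue about, shown side by side as an added example (not code from either poster or from any TLS implementation): the TLS 1.0/1.1 "dual hash" PRF of RFC 4346 section 5, which splits the secret and XORs a P_MD5 stream with a P_SHA-1 stream, and the TLS 1.2 PRF of RFC 5246 section 5, which is a single P_hash keyed by the whole secret using the cipher suite's hash (SHA-256 by default). The HMAC expansion P_hash is shared, which is why Ekr calls the PRF change trivial to implement: the TLS 1.2 version is the same expansion with the split-and-XOR wrapper removed. The master secret, randoms and label in the demo are constructed values, not real session data.

```python
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) from RFC 4346 / RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1));
    output = HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    truncated to `length` bytes.
    """
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:length])


def xor_bytes(x, y):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(a ^ b for a, b in zip(x, y))


def prf_tls11(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 4346 section 5): the redundant dual-hash design.

    The secret is split into two halves (they share the middle byte when the
    length is odd), each half keys a different P_hash, and the two streams
    are XORed, so a break of either hash alone does not break the PRF.
    """
    half = (len(secret) + 1) // 2
    s1 = secret[:half]
    s2 = secret[len(secret) - half:]
    return xor_bytes(p_hash("md5", s1, label + seed, length),
                     p_hash("sha1", s2, label + seed, length))


def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): one P_hash over the whole secret,
    using the hash the negotiated cipher suite specifies (at least SHA-256)."""
    return p_hash(hash_name, secret, label + seed, length)


if __name__ == "__main__":
    # Constructed inputs for illustration only, not values from a real handshake.
    master_secret = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    seed = server_random + client_random
    print("TLS 1.1 key block:", prf_tls11(master_secret, b"key expansion", seed, 64).hex())
    print("TLS 1.2 key block:", prf_tls12(master_secret, b"key expansion", seed, 64).hex())
```

Both PRFs are stream-like: a longer request is a prefix extension of a shorter one with the same inputs, which is what lets a key block be cut into MAC keys, encryption keys and IVs in sequence.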