>>> § 4.1.
>>> > Given that session IDs are required to be unique, why bother with the
>>> > spec-id prefix?
>>>
>>> Precisely to guarantee this uniqueness. If one spec uses SHA-256 for
>>> session IDs and another uses Keccak, no standard cryptographic
>>> assumption implies uniqueness without that tag byte.
>>
>> Can you unpack this some?
>
> Let's say that we can compute two transcripts, A and B, such that
> SHA-256(A) == KECCAK-256(B). This doesn't violate any standard
> cryptographic assumptions. Yet without the tag byte, it would be
> devastating to TCP-ENO's security in the event that different specs use
> different hash functions.
To further illustrate: it's not impossible to imagine someone creating a
SHA-256-twiddle that transforms the input in some invertible way (perhaps
specifically to make one transcript look like another) and then produces as
output the SHA-256 of this transformed input. The security of SHA-256 and
SHA-256-twiddle are equivalent, but are related in such a way as to make
this precise type of attack possible. The tag byte eliminates this entire
class of attack.

I'll admit that the scenario is far-fetched, and that two different hash
functions that reach the standardization stage are very unlikely to be
related in a way useful to such an attack.

Kyle

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
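The "SHA-256-twiddle" scenario from the message above, worked through as an added example (this is not code from the thread or from any TCP-ENO implementation). It models two hypothetical TEP specs: one derives session IDs with plain SHA-256, the other with a related hash that byte-reverses its input before hashing. Byte reversal is invertible, so an attacker who knows transcript A can compute B = reverse(A) and get SHA-256(A) == twiddle(B) without breaking anything about SHA-256. The example then compares the untagged session IDs with ones that carry a spec-id prefix byte, as the message describes; the TEP identifier values 0x20 and 0x21, the transcript bytes, and the byte-reversal transform are all assumptions made for the demonstration.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    """Spec 1's session-ID hash: plain SHA-256."""
    return hashlib.sha256(data).digest()


def sha256_twiddle(data: bytes) -> bytes:
    """Hypothetical spec 2 hash: an invertible transform (byte reversal)
    followed by SHA-256.  Exactly as secure as SHA-256 on its own, but
    related to it in a way an attacker can exploit across specs."""
    return hashlib.sha256(data[::-1]).digest()


# Assumed TEP identifiers (spec-id bytes) for the two hypothetical specs.
TEP_SHA256 = 0x20
TEP_TWIDDLE = 0x21

SPEC_HASH = {
    TEP_SHA256: sha256,
    TEP_TWIDDLE: sha256_twiddle,
}


def session_id_untagged(tep: int, transcript: bytes) -> bytes:
    """Session ID without a spec-id prefix: just the spec's hash output."""
    return SPEC_HASH[tep](transcript)


def session_id_tagged(tep: int, transcript: bytes) -> bytes:
    """Session ID with the spec-id prefix byte described in the thread."""
    return bytes([tep]) + SPEC_HASH[tep](transcript)


def forge_related_transcript(transcript_a: bytes) -> bytes:
    """Attacker's step: invert twiddle's transform so that
    sha256_twiddle(B) == sha256(A).  No hash function is broken here."""
    return transcript_a[::-1]


def demo() -> dict:
    # Constructed sample transcript; not a real TCP-ENO transcript.
    transcript_a = b"tcp-eno transcript A: syn options, synack options"
    transcript_b = forge_related_transcript(transcript_a)

    return {
        "transcripts_differ": transcript_a != transcript_b,
        # Cross-spec hash collision between two *different* transcripts.
        "hashes_collide": sha256(transcript_a) == sha256_twiddle(transcript_b),
        # Without the tag byte the two specs hand out the same session ID.
        "untagged_ids_collide": session_id_untagged(TEP_SHA256, transcript_a)
        == session_id_untagged(TEP_TWIDDLE, transcript_b),
        # With the tag byte the IDs differ in their first byte regardless of
        # any relationship between the two hash functions.
        "tagged_ids_collide": session_id_tagged(TEP_SHA256, transcript_a)
        == session_id_tagged(TEP_TWIDDLE, transcript_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the prefix is visible in `session_id_tagged`: uniqueness across specs is reduced to the distinctness of the TEP identifiers, which the registry guarantees, rather than to an unstated assumption that two independently chosen hash functions never agree on any pair of inputs.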
