Re: [P1619-3] SSL limited to 80 bits?
The integrity algorithms for usage at the TLS Record Layer are
negotiated as part of the ciphersuite. Hence, their strength depends on
the chosen ciphersuite as well.
HMAC-MD5 and HMAC-SHA1 are, however, also used in the key derivation
function. These functions are, however, repeately applied.
Ciao
Hannes
Luther Martin wrote:
> I believe that the original comment may have been referring to the fact that integrity checking using SHA-1 HMAC is hardwired into SSL and TLS. But although you might be able to argue that SHA-1 only gives 80 bits of strength (perhaps even less), there's no way that you can argue that SHA-1 HMAC has the same limitation. So I don't see how you can support the claim that SSL and TLS are limited to 80 bits of strength. In particular, I believe that they're fine for transport in P1619.3.
>
>
>> -----Original Message-----
>> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net]
>> Sent: Wednesday, April 23, 2008 2:15 PM
>> To: Luther Martin
>> Cc: P1619-3@LISTSERV.IEEE.ORG
>> Subject: Re: [P1619-3] SSL limited to 80 bits?
>>
>> The answer to this question does not depend on SSL or TLS but instead
>> relates to the chosen ciphersuite.
>> There are ciphersuites with pretty short key lenghts (originally because
>> of export regulations).
>>
>> When you use better ciphersuites then you get better security.
>>
>> For example, you might want to take a look at this document that
>> separated a few very weak ciphersuites out of the TLS specification:
>> http://tools.ietf.org/html/draft-ietf-tls-des-idea-01
>>
>> There are obviously ciphersuites with pretty good security, for example:
>> http://tools.ietf.org/html/rfc3268
>>
>> Ciao
>> Hannes
>>
>>
>> Luther Martin wrote:
>>
>>> On the O&O call today I heard the claim that it's not possible to get
>>>
>> more that 80 bits of security with SSL. This is probably too much detail
>> to discuss on the call, so I'm asking this here. What's the basis for this
>> claim? Or did I mis-hear this?
>>