[25837] in cryptography@c2.net mail archive
Re: picking a hash function to be encrypted
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed May 17 10:04:15 2006
X-Original-To: cryptography@metzdowd.com
To: "Travis H." <solinym@gmail.com>
Cc: Cryptography <cryptography@metzdowd.com>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 15 May 2006 20:26:58 -0700
In-Reply-To: <d4f1333a0605141756k7d259b45t5c91bc101bef1dbb@mail.gmail.com> (Travis
H.'s message of "Sun, 14 May 2006 19:56:17 -0500")
"Travis H." <solinym@gmail.com> writes:
> On 5/14/06, Victor Duchovni <Victor.Duchovni@morganstanley.com> wrote:
>> Security is fragile. Deviating from well understood primitives may be
>> good research, but is not good engineering. Especially fragile are:
>
> Point taken. This is not for a production system, it's a research thing.
>
>> TLS (available via OpenSSL) provides integrity and authentication, any
>> reason to re-invent the wheel? It took multiple iterations of design
>> improvements to get TLS right, even though it was designed by experts.
>
> IIUC, protocol design _should_ be easy, you just perform some
> finite-state analysis and verify that, assuming your primitives are
> ideal, no protocol-level operations break it. The 7th Usenix Security
> Symposium has a paper where the authors built up SSL 3.0 to find out
> what attack each datum was meant to prevent. They used mur-phi, which
> has been used for VLSI verification (i.e. large numbers of states).
> AT&T published some code to do it too (called SPIN). It's effective
> if the set of attacks you're protecting against is finite and
> enumerable (for protocol design, I think it should be; reflection,
> replay, reorder, suppress, inject, etc.). I wouldn't consider
> fielding a protocol design without sanity-checking it using such a
> tool. Was there an attack against TLS which got past FSA, or did the
> experts not know about FSA?
There have been a number of attacks on TLS since Mitchell et al's
paper was published in 1998. The most well known are the attacks
on CBC mode described in http://www.openssl.org/~bodo/tls-cbc.txt.
-Ekr
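The finite-state analysis Travis describes above, as an added example that is not part of the thread and is far smaller than Murphi or SPIN: a constructed toy challenge-response protocol (A sends a nonce, the peer answers with a MAC over it under a shared key) is searched exhaustively for a reflection attack, once with untagged responses and once with the responder's role included under the MAC. The protocol, the nonce universe and the names `explore` and `NONCES` are assumptions of this example.

```python
from collections import deque

# Toy protocol (constructed, not TLS): A -> peer : ("challenge", nonce)
#                                      peer -> A : ("mac", role_tag, nonce)
# Both A and B answer any challenge with the shared key. The attacker E never
# learns the key, so it can only forward MACs it has observed, but it may
# inject its own challenge nonce and deliver any known message anywhere.
# Invariant checked: A accepts a response to nA only if B actually answered nA.
NONCES = ("nA", "nE")   # finite nonce universe keeps the state space finite

def explore(role_tagged):
    """Breadth-first search over protocol states.

    Returns the shortest attack trace (list of steps) that violates the
    invariant, or None if no reachable state violates it.
    """
    tag_a, tag_b = ("A", "B") if role_tagged else ("", "")
    want = tag_b                                      # tag A insists on seeing
    start = (frozenset(), False, False, False)        # knowledge, a_sent, b_answered, accepted
    queue, seen = deque([(start, [])]), {start}
    while queue:
        (know, a_sent, b_ans, acc), trace = queue.popleft()
        if acc and not b_ans:
            return trace                              # invariant violated
        succ = []
        if not a_sent:
            succ.append(((know | {("challenge", "nA")}, True, b_ans, acc), "A sends challenge nA"))
        succ.append(((know | {("challenge", "nE")}, a_sent, b_ans, acc), "E injects challenge nE"))
        for m in know:
            if m[0] == "challenge":
                n = m[1]
                # Reflecting a challenge to A or forwarding it to B: both answer.
                succ.append(((know | {("mac", tag_a, n)}, a_sent, b_ans, acc), f"E delivers challenge {n} to A; A answers"))
                succ.append(((know | {("mac", tag_b, n)}, a_sent, b_ans or n == "nA", acc), f"E delivers challenge {n} to B; B answers"))
            elif m[0] == "mac" and a_sent and m[2] == "nA" and m[1] == want:
                succ.append(((know, a_sent, b_ans, True), "E delivers observed mac to A; A accepts"))
        for state, step in succ:
            if state not in seen:
                seen.add(state)
                queue.append((state, trace + [step]))
    return None

if __name__ == "__main__":
    print("untagged:", explore(False))   # reflection attack trace
    print("role-tagged:", explore(True)) # None: no reachable violation
```

With untagged responses the search finds the three-step reflection (A's own answer to its own nonce is replayed back to it); with the role under the MAC, only B can produce the tag A demands, and the explorer exhausts the state space without a violation.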
---------------------------------------------------------------------
The Cryptography Mailing List