- From: Jeff Weinstein <jsw@netscape.com>
- Date: Mon, 29 Apr 1996 23:18:37 -0700
- To: Dan Simon <dansimon@microsoft.com>
- Cc: ietf-tls <ietf-tls@w3.org>
Dan Simon wrote: > In short, I see absolutely no reason for treating the "handshake hash" > any differently from other MACs; both must be secure under the normal > definition of a MAC. And the MAC method used in the SSL v3.0 "handshake > hash" has that property, as long as the underlying hash function > (whether MD5, SHA or a combination thereof) is collision-intractable. > The same can be said of the method used for general message > authentication in PCT. I think you misunderstand the purpose of using both MD5 and SHA for the handshake hash. If SHA were compromised we could just deprecate all cipher suites that included SHA, without having to immediately change the base protocol, since the handshake hash includes MD5 as well. If the handshake hash were just SHA, then we would have to change the protocol if it fell. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
Received on Tuesday, 30 April 1996 02:22:00 UTC