Re: Merged Transport Layer Protocol Development

Dan Simon wrote:
> In short, I see absolutely no reason for treating the "handshake hash"
> any differently from other MACs; both must be secure under the normal
> definition of a MAC.  And the MAC method used in the SSL v3.0 "handshake
> hash" has that property, as long as the underlying hash function
> (whether MD5, SHA or a combination thereof) is collision-intractable.
> The same can be said of the method used for general message
> authentication in PCT.

  I think you misunderstand the purpose of using both MD5 and SHA for
the handshake hash.  If SHA were compromised we could just deprecate
all cipher suites that included SHA, without having to immediately
change the base protocol, since the handshake hash includes MD5 as
well.  If the handshake hash were just SHA, then we would have to change
the protocol if it fell.


Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation -
Any opinions expressed above are mine.

Received on Tuesday, 30 April 1996 02:22:00 UTC