- From: Phil Karlton <karlton@netscape.com>
- Date: Tue, 17 Dec 1996 11:17:25 -0800
- To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
- CC: ietf-tls@w3.org
Be careful here. The reason SSL used only MD5 for the final phase of the
export case is that we were advised that it might be difficult to get a
CJ for products that used SHA in that step.
> 2) Mixing MD5 and SHA in a single ad-hoc function probably doesn't
> buy anything because it is difficult to imagine a situation in
> which SHA is broken but MD5 remains sound.
I have a pretty good imagination. :-)
Another issue concerns the MAC for the Finished messages. There was MUCH
discussion about whether they should be constructed like HMAC rather
than the ad hoc algorithm that was chosen. The tradeoffs are fairly
simple.
pro) Using HMAC is more secure (probably).
con) The server has to retain the entire handshake until it
can compute the master_secret. The storage requirements
for heavily used secure servers could be prohibitive.
(Some information, e.g. the server's certificate chain
is probably constant across all handshakes; and that
helps a little.)
PK
--
Philip L. Karlton karlton@netscape.com
Principal Curmudgeon http://www.netscape.com/people/karlton
Netscape Communications Corporation
Everything should be made as simple as possible, but not simpler.
-- Albert Einstein
Received on Tuesday, 17 December 1996 14:17:50 UTC
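The storage tradeoff in the pro/con list above, shown in code as an added example (not from this thread or from any SSL implementation): a Finished MAC built in the style of the SSL 3.0 construction, where the secret is appended after the transcript, can be computed from a running hash context that is discarded message by message, whereas HMAC keys the hash first, so the whole transcript must be buffered until master_secret is known. The handshake messages and master_secret are constructed placeholders, and the pad and sender constants follow the SSL 3.0 layout only for illustration; this is not a byte-exact protocol implementation.

```python
import hashlib
import hmac
# Constructed sample transcript: handshake messages arrive one at a time,
# well before master_secret exists. Placeholders, not real TLS record bytes.
HANDSHAKE = [b"ClientHello " * 8, b"ServerHello " * 8,
             b"Certificate " * 200, b"ClientKeyExchange " * 8]
MASTER_SECRET = bytes(range(48))          # constructed 48-byte placeholder
SENDER_CLIENT = b"CLNT"                   # sender tag, as in SSL 3.0 Finished
PAD1, PAD2 = b"\x36" * 48, b"\x5c" * 48   # MD5 inner/outer pads from SSL 3.0

class StreamingFinished:
    """Secret-suffix construction: only a running MD5 context is retained."""
    def __init__(self):
        self.ctx = hashlib.md5()
    def absorb(self, msg):
        self.ctx.update(msg)              # message can be discarded afterwards
    def retained_bytes(self):
        # MD5 context: 16-byte state + <=64-byte partial block + 8-byte length
        return 16 + 64 + 8                # constant, independent of transcript
    def finish(self, master_secret, sender):
        inner = self.ctx.copy()
        inner.update(sender + master_secret + PAD1)
        return hashlib.md5(master_secret + PAD2 + inner.digest()).digest()

class BufferedHmacFinished:
    """HMAC keys the hash first, so hashing cannot start until the key exists."""
    def __init__(self):
        self.transcript = []
    def absorb(self, msg):
        self.transcript.append(msg)       # must be kept until master_secret
    def retained_bytes(self):
        return sum(len(m) for m in self.transcript)
    def finish(self, master_secret, sender):
        data = sender + b"".join(self.transcript)
        return hmac.new(master_secret, data, hashlib.md5).digest()

def one_shot_reference(handshake, master_secret, sender):  # same formula, buffered
    inner = hashlib.md5(b"".join(handshake) + sender + master_secret + PAD1)
    return hashlib.md5(master_secret + PAD2 + inner.digest()).digest()

def run(handshake=HANDSHAKE, master_secret=MASTER_SECRET, sender=SENDER_CLIENT):
    streaming, buffered = StreamingFinished(), BufferedHmacFinished()
    for msg in handshake:
        streaming.absorb(msg)
        buffered.absorb(msg)
    return {"streaming_mac": streaming.finish(master_secret, sender),
            "streaming_retained": streaming.retained_bytes(),
            "buffered_mac": buffered.finish(master_secret, sender),
            "buffered_retained": buffered.retained_bytes()}
```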