On Sun, Sep 21, 2008 at 12:58:26PM +1000, Michael Gray wrote:
> 
> 
> "Not Exactly"? Both TLS and SSLv3 use SHA1 and MD5 in the PRF, which
> is IMHO very clever as it requires both HASH functions to be broken.  But,
> the TLS PRF is a HMAC for both SHA1 and MD5 whereas SSLv3 is not. The
> specific regulation is
> http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
> page 61. Several other regulation references exist as well...

I quote footnote 13, on that page:

| The problem with SSL 3.0 is the key derivation process that applies
| to all SSL 3.0 cipher suites: half of the master key that is set
| up during the SSL key exchange depends entirely on the MD5 hash
| function. MD5 is not a FIPS approved algorithm, and its collision
| resistance property has recently been broken by Antoine Joux.
|
| TLS also uses MD5 in the key derivation process, but in a different
| manner, so that all of the master key depends on both MD5 and SHA-1,
| and nothing in TLS actually depends on MD5 for its security.

In other words, the construction used in SSLv3 key derivation leaves
bits in the resulting key dependent only on the output of MD5, which
is not an Approved algorithm; the TLS construction does not.  There is
no special regulation here, just -- note that the document you quoted
is the "implementation guidance" -- careful application of the usual
rules.  Isn't that pretty much exactly what I said before?

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
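The two key-derivation constructions under discussion, side by side, as an added example (not code from the thread or from OpenSSL): the SSLv3 master-secret derivation of RFC 6101 section 6.1, where each 16-byte output block is a plain MD5 digest, and the TLS 1.0/1.1 PRF of RFC 2246 section 5, where every output byte is the XOR of an HMAC-MD5 byte and an HMAC-SHA1 byte. The pre-master secret and the two randoms are constructed sample values.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 P_hash: A(i) = HMAC(secret, A(i-1)); output += HMAC(secret, A(i) + seed)."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def split_secret(secret):
    """S1 = first half, S2 = second half; an odd-length secret shares its middle byte."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[-half:]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed).
    Each output byte mixes an HMAC-MD5 byte with an HMAC-SHA1 byte, so no byte
    of the result depends on MD5 alone."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls10_master_secret(pre_master, client_random, server_random):
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


def ssl3_block(pre_master, client_random, server_random, tag):
    """One 16-byte SSLv3 block: MD5(pre_master + SHA1(tag + pre_master + randoms)).
    The outer, output-producing hash is plain MD5; SHA-1 only feeds its input."""
    inner = hashlib.sha1(tag + pre_master + client_random + server_random).digest()
    return hashlib.md5(pre_master + inner).digest()


def ssl3_master_secret(pre_master, client_random, server_random):
    """SSLv3 master secret (RFC 6101 s.6.1): three MD5 blocks tagged A, BB, CCC."""
    return b"".join(ssl3_block(pre_master, client_random, server_random, tag)
                    for tag in (b"A", b"BB", b"CCC"))


# Constructed sample inputs, not values from a real handshake.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    print("SSLv3 :", ssl3_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).hex())
    print("TLS1.0:", tls10_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).hex())
```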