IETF Logo Mail Archive

Re: [apps-discuss] Indicating hash size in 'ni' URIs

"Manger, James H" <James.H.Manger@team.telstra.com> Wed, 09 May 2012 01:02 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E71209E8015 for <apps-discuss@ietfa.amsl.com>; Tue, 8 May 2012 18:02:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.742
X-Spam-Level:
X-Spam-Status: No, score=-0.742 tagged_above=-999 required=5 tests=[AWL=0.159, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vvMCrSd+oOJT for <apps-discuss@ietfa.amsl.com>; Tue, 8 May 2012 18:02:23 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id 09C179E8012 for <apps-discuss@ietf.org>; Tue, 8 May 2012 18:02:18 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.75,554,1330866000"; d="scan'208,217"; a="75179327"
Received: from unknown (HELO ipcdvi.tcif.telstra.com.au) ([10.97.217.212]) by ipocvi.tcif.telstra.com.au with ESMTP; 09 May 2012 11:02:17 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,6705"; a="62041089"
Received: from wsmsg3706.srv.dir.telstra.com ([172.49.40.80]) by ipcdvi.tcif.telstra.com.au with ESMTP; 09 May 2012 11:02:15 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3706.srv.dir.telstra.com ([172.49.40.80]) with mapi; Wed, 9 May 2012 11:02:16 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 09 May 2012 11:02:14 +1000
Thread-Topic: [apps-discuss] Indicating hash size in 'ni' URIs
Thread-Index: Ac0s/zRSPuXpWyz7TtWNUPfKeVGPLwAd0l+Q
Message-ID: <255B9BB34FB7D647A506DC292726F6E114F2A1546E@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E114F1DD400E@WSMSG3153V.srv.dir.telstra.com> <4F9E8055.1080209@cs.tcd.ie> <255B9BB34FB7D647A506DC292726F6E114F23970AB@WSMSG3153V.srv.dir.telstra.com> <255B9BB34FB7D647A506DC292726F6E114F2853D2C@WSMSG3153V.srv.dir.telstra.com> <4FA68A60.6030207@cs.tcd.ie> <255B9BB34FB7D647A506DC292726F6E114F28540B5@WSMSG3153V.srv.dir.telstra.com> <CABkgnnX6wp=ZFn2n-=O0_spPtZmAvtwYMnrsKM3bLxoAV3kWbw@mail.gmail.com> <4FA8EB06.4020004@cs.tcd.ie>
In-Reply-To: <4FA8EB06.4020004@cs.tcd.ie>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Indicating hash size in 'ni' URIs
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2012 01:02:24 -0000

>>> I would still rather ditch the truncation length from the alg names.
 
>> I'm with James on this one.
>> ... The example of a truncated stream cipher seems contrived to me.

> Not to me.
>
> I think that omitting the size would mean that anyone using
> these would need to go think about potential truncation attacks,
> and having to do that is bad, since most times they won't do
> it at all and even if they do, those attacks, if they apply,
> will be likely be very subtle. So even if you try figure it
> out, you may not get the analysis right. Avoiding all that
> is just better IMO.

I am trying to understand the truncation attacks you are concerned about. Would an example be an HTTPS web connection that abruptly stops mid stream? All the received TLS records are properly encrypted and have valid MACs. However, only half of the HTML page has been delivered: it might end "<script src='ni://example.com/sha-256;f4OxZX". Somewhere in the receiver's stack it knows truncation has occurred (the TLS and HTTP and layers didn't close properly), but the higher layer ignores that and interprets the content anyway. In this example, a browser (which is very lenient) accepts the incomplete <script> tag and acts on the wrong (truncated) URI.

The fault is not with the 'ni' URI. Solving this situation would require all protocols (not just 'ni' identifiers) to be "prefix-free" (eg no prefix of a protocol can be meaningful). That is not realistic.

An 'ni' URI can have query parameters. Couldn't a truncation attack strip those regardless of whether the hash length is in the alg name? Why isn't that a problem?



> Additionally, if we took out the length then we'd have to
> figure whether or not (or when, yuk) ni:///sha-256;abc is the
> "same" as ni:///sha-256;abcdef and even if we declare that its
> never the same, that's something people are liable to get
> wrong, since sometimes both would actually refer to the same
> thing. Yuk yuk yuk;-)

Implementations are just as likely to consider that the following are the "same":
  ni:///sha-256-32;abcdef
  ni:///sha-256-64;abcdefghijk


If a truncation attack really needs to be defended against, we should specify that the output length (and algorithm) are inputs to the hash. For example, Truncate_to_n(Hash(alg || n || content)).

--
James Manger

v2.23.0 | Report a Bug | By Email