RE: [Cfrg] Request For Opinions
canetti <canetti@watson.ibm.com> Thu, 08 May 2003 13:04 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA21600 for <cfrg-archive@odin.ietf.org>; Thu, 8 May 2003 09:04:40 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h48DE8110399 for cfrg-archive@odin.ietf.org; Thu, 8 May 2003 09:14:08 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h48DE8810396 for <cfrg-web-archive@optimus.ietf.org>; Thu, 8 May 2003 09:14:08 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA21591 for <cfrg-web-archive@ietf.org>; Thu, 8 May 2003 09:04:10 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19Dl6D-0002ju-00 for cfrg-web-archive@ietf.org; Thu, 08 May 2003 09:06:13 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19Dl6C-0002jr-00 for cfrg-web-archive@ietf.org; Thu, 08 May 2003 09:06:12 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h48DDN810351; Thu, 8 May 2003 09:13:23 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h48DCE810286 for <cfrg@optimus.ietf.org>; Thu, 8 May 2003 09:12:14 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA21567 for <cfrg@ietf.org>; Thu, 8 May 2003 09:02:16 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19Dl4N-0002jK-00 for cfrg@ietf.org; Thu, 08 May 2003 09:04:19 -0400
Received: from igw2.watson.ibm.com ([129.34.20.6]) by ietf-mx with esmtp (Exim 4.12) id 19Dl4M-0002jB-00 for cfrg@ietf.org; Thu, 08 May 2003 09:04:18 -0400
Received: from sp1n293en1.watson.ibm.com (sp1n293en1.watson.ibm.com [9.2.112.57]) by igw2.watson.ibm.com (8.11.7/8.11.4) with ESMTP id h48D4ST154240; Thu, 8 May 2003 09:04:28 -0400
Received: from ornavella.watson.ibm.com (ornavella.watson.ibm.com [9.2.16.80] (may be forged)) by sp1n293en1.watson.ibm.com (AIX5.1/8.11.0/8.11.4) with ESMTP id h48D4Ti62862; Thu, 8 May 2003 09:04:29 -0400
Received: from localhost (canetti@localhost) by ornavella.watson.ibm.com (AIX4.3/8.9.3/8.9.3/09-18-2002) with ESMTP id JAA44924; Thu, 8 May 2003 09:04:28 -0400
Date: Thu, 08 May 2003 09:04:28 -0400
From: canetti <canetti@watson.ibm.com>
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
cc: 'David Mcgrew' <mcgrew@cisco.com>, jsjoberg@toplayer.com, cfrg@ietf.org
Subject: RE: [Cfrg] Request For Opinions
In-Reply-To: <CE541259607DE94CA2A23816FB49F4A301AE2462@vhqpostal6.verisign.com>
Message-ID: <Pine.A41.4.10.10305080903310.39352-100000@ornavella.watson.ibm.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: cfrg-admin@ietf.org
Errors-To: cfrg-admin@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Phill, This seems to me reminisent of the Gennaro-Rohatgi stream signatures from Crypto 97. Ran On Thu, 8 May 2003, Hallam-Baker, Phillip wrote: > Is the data stored data or being generated on the fly? > > If the data is stored you could sign the data as follows: > > Divide the stream into n blocks, say 100 blocks of 8K > > Compute H(n) the hash of block n, > Compute H(n-1) the hash of block n-1 + H(n) > and so on > Compute H(1), the hash of block 1 + H(2) > > Then sign H(1) and put it at the START of the stream. > Next send H(1), block 1 > H(2), block 2 etc... > > > This lets you check the integrity of the stream as you read the chunks, with > the ability to verify each chunk as you read. > > You cannot of course sign an infinite stream unless you have a buffer of > infinite length. > > > I have no idea if anyone has thought of this before (probably have it seems > obvious enough) or if it is patented or anything. > > Phill > > > > -----Original Message----- > From: David Mcgrew [mailto:mcgrew@cisco.com] > Sent: Monday, May 05, 2003 2:30 PM > To: jsjoberg@toplayer.com > Cc: cfrg@ietf.org > Subject: Re: [Cfrg] Request For Opinions > > > Jon, > > it seems like you have a viable scheme. You might be interested in the > efficient methods for signing of packet streams that have been discussed in > the IRTF, starting with the Secure Multicast/Group (SMUG) RG ( > http://www.securemulticast.org/smug-index.htm > <http://www.securemulticast.org/smug-index.htm> ), which is now defunct but > has spawned both the IRTF Group Security (GSEC) RG and the IETF MSEC WG. > There are a bunch of methods that amortize the work of digital signatures > across multiple packets. I think the following list covers the main > methods: > > How to Sign Digital Streams, Gennaro and Rohatgi, Crypto '97, online at > http://citeseer.nj.nec.com/gennaro97how.html > <http://citeseer.nj.nec.com/gennaro97how.html> . > > Digital Signatures for Flows and Multicasts, Chung Kei Wong and Simon S. > Lam,Technical Report TR-98-15, May 31, 1998; revised, June 14, 1999, in > IEEE/ACM Transactions on Networking, August 1999. > http://www.cs.utexas.edu/users/lam/Vita/IEEE/WongLam99.pdf > <http://www.cs.utexas.edu/users/lam/Vita/IEEE/WongLam99.pdf> > > Authenticating Streamed Data in the Presence of Random Packet Loss, Golle > and Modadugu, NDSS '00, online at > http://crypto.stanford.edu/~nagendra/projects/StreamAuth/auth.pdf > <http://crypto.stanford.edu/~nagendra/projects/StreamAuth/auth.pdf> > Similar but independent work was done by Perrig, Song and Canetti, IIRC, > though I can't find a link for it at present. > > The Use of RSA Signatures within ESP and AH, Brian Weis, > http://www.ietf.org/internet-drafts/draft-bew-ipsec-signatures-00.txt > <http://www.ietf.org/internet-drafts/draft-bew-ipsec-signatures-00.txt> . > This method could be used with one of the standard methods for accerating > public key signing or verifying, though it's not explicitly discussed in the > document. > > A related but probably not applicable work is "TESLA: Multicast Source > Authentication Transform Specification", Perrig, Canetti, Whillock, > http://www.ietf.org/internet-drafts/draft-ietf-msec-tesla-spec-00.txt > <http://www.ietf.org/internet-drafts/draft-ietf-msec-tesla-spec-00.txt> . > > Which of these solutions is the best for any given application depends on a > bunch of factors, such as the possibility loss and reorder of packets, > whether or not it is acceptable to buffer packets on the sender or on the > receiver, and the amount of data that can safely be added to each packet. > > Hope this help, > > David > > > At 11:52 AM 5/5/2003 -0400, jsjoberg@toplayer.com wrote: > > > Hey all, > > I'm in an ETSI working group and we are trying to find a way to provide > integrity checks along with non-repudiation on a theoretically infinite > amount of data delivered over a network at 10's to 100's Mbps. > Crypto-hardware is not a reasonable expectation and the solution is > extremely cost sensitive. > > The data link will be sending PDU's an an as need basis, with each PDU being > tagged with a sequence number. At some point later in time > (days/weeks/years) we need to be able to prove the integrity of the PDU's as > well as the authenticity. > > The following is what we have come up with and I'm wondering if anyone has > anything to add, remove, or change that would make a better solution. The > idea is to get some of the authentication strength of DSS/DSA without the > full strength or the full cost (in processing time). > > Thanks in advance for any input, > Jon > > Periodically, hashes over the data PDUs will be inserted into the data > stream. A hash will only be created if at least one PDU packet was sent > since the last hash was sent or since startup. > > Every <n1> PDU packets or when <t1> seconds have passed a MD5 hash is > generated over all PDU > packets sent since the last MD5 hash was sent or since startup. The MD5 hash > is sent in a HashPDU, where the HashSequenceNr increments for every hash > sent for this intercept. The array PDUSequenceNrsIncluded contains the > sequence number of every data PDU that was included in the hash. > > NOTE: The values for n1 and t1 are configurable. > > Periodically, a hash over the hashes specified above and a signature of that > hash, will be inserted into the the data stream. The signed hashes allows > authentication of the sender and to verfify the integrity of the recevied > MD5 hashes. > > Every <n2> hashes or when <t2> seconds have passed, a MD5 hash is generated > over all hashes sent since the last signed hash was sent or since startup > and that MD5 hash is signed > using DSS/DSA. The MD5 hash and corresponding DSS/DSA signature are sent > over in a SignedHashPDU, where the SignedHashSequenceNr increments for every > signed hash sent. The array HashSequenceNrsIncluded contains the sequence > number of every HashPDU that > was included in the signed hash. > > NOTE: The values for n2 and t2 are configurable. > > NOTE: The distribution of the DSS/DSA public key is outside the scope of > this specification. > > _______________________________________________ > Cfrg mailing list > Cfrg@ietf.org > https://www1.ietf.org/mailman/listinfo/cfrg > <https://www1.ietf.org/mailman/listinfo/cfrg> > > _______________________________________________ Cfrg mailing list > Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg > > _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- RE: [Cfrg] Request For Opinions Hallam-Baker, Phillip
- Re: [Cfrg] Request For Opinions Steven M. Bellovin
- RE: [Cfrg] Request For Opinions jsjoberg
- [Cfrg] Request For Opinions jsjoberg
- Re: [Cfrg] Request For Opinions David Wagner
- Re: [Cfrg] Request For Opinions Alfonso De Gregorio
- Re: [Cfrg] Request For Opinions Anton Stiglic
- Re: [Cfrg] Request For Opinions David Mcgrew
- Re: [Cfrg] Request For Opinions Gé Weijers
- Re: [Cfrg] Request For Opinions Alex Alten
- Re: [Cfrg] Request For Opinions bmanning
- RE: [Cfrg] Request For Opinions Hallam-Baker, Phillip
- RE: [Cfrg] Request For Opinions Scott Cadzow
- RE: [Cfrg] Request For Opinions canetti
- RE: [Cfrg] Request For Opinions Hallam-Baker, Phillip
- RE: [Cfrg] Request For Opinions jsjoberg
- RE: [Cfrg] Request For Opinions jsjoberg
- RE: [Cfrg] Request For Opinions David Mcgrew
- RE: [Cfrg] Request For Opinions Alex Alten
- Re: [Cfrg] Request For Opinions David Wagner
- Re: [Cfrg] Request For Opinions David Wagner
- Re: [Cfrg] Request For Opinions Henrick Hellström
- Re: [Cfrg] Request For Opinions Alex Alten
- Re: [Cfrg] Request For Opinions Alex Alten
- Re: [Cfrg] Request For Opinions Henrick Hellström
- Re: [Cfrg] Request For Opinions Steven M. Bellovin
- Re: [Cfrg] Request For Opinions David Wagner
- Re: [Cfrg] Request For Opinions David Wagner
- RE: [Cfrg] Request For Opinions Hallam-Baker, Phillip
- Fwd: Re: [Cfrg] Request For Opinions Alex Alten
- Re: [Cfrg] Request For Opinions Alex Alten
- Re: [Cfrg] Request For Opinions David Wagner
- Re: [Cfrg] Request For Opinions Alex Alten
- Re: [Cfrg] Request For Opinions Anton Stiglic
- Re: [Cfrg] Request For Opinions Alex Alten
- Re: [Cfrg] Request For Opinions Gé Weijers