IETF Logo Mail Archive

RE: [Cfrg] Request For Opinions

canetti <canetti@watson.ibm.com> Thu, 08 May 2003 13:04 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA21600 for <cfrg-archive@odin.ietf.org>; Thu, 8 May 2003 09:04:40 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h48DE8110399 for cfrg-archive@odin.ietf.org; Thu, 8 May 2003 09:14:08 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h48DE8810396 for <cfrg-web-archive@optimus.ietf.org>; Thu, 8 May 2003 09:14:08 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA21591 for <cfrg-web-archive@ietf.org>; Thu, 8 May 2003 09:04:10 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19Dl6D-0002ju-00 for cfrg-web-archive@ietf.org; Thu, 08 May 2003 09:06:13 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19Dl6C-0002jr-00 for cfrg-web-archive@ietf.org; Thu, 08 May 2003 09:06:12 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h48DDN810351; Thu, 8 May 2003 09:13:23 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h48DCE810286 for <cfrg@optimus.ietf.org>; Thu, 8 May 2003 09:12:14 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA21567 for <cfrg@ietf.org>; Thu, 8 May 2003 09:02:16 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19Dl4N-0002jK-00 for cfrg@ietf.org; Thu, 08 May 2003 09:04:19 -0400
Received: from igw2.watson.ibm.com ([129.34.20.6]) by ietf-mx with esmtp (Exim 4.12) id 19Dl4M-0002jB-00 for cfrg@ietf.org; Thu, 08 May 2003 09:04:18 -0400
Received: from sp1n293en1.watson.ibm.com (sp1n293en1.watson.ibm.com [9.2.112.57]) by igw2.watson.ibm.com (8.11.7/8.11.4) with ESMTP id h48D4ST154240; Thu, 8 May 2003 09:04:28 -0400
Received: from ornavella.watson.ibm.com (ornavella.watson.ibm.com [9.2.16.80] (may be forged)) by sp1n293en1.watson.ibm.com (AIX5.1/8.11.0/8.11.4) with ESMTP id h48D4Ti62862; Thu, 8 May 2003 09:04:29 -0400
Received: from localhost (canetti@localhost) by ornavella.watson.ibm.com (AIX4.3/8.9.3/8.9.3/09-18-2002) with ESMTP id JAA44924; Thu, 8 May 2003 09:04:28 -0400
Date: Thu, 08 May 2003 09:04:28 -0400
From: canetti <canetti@watson.ibm.com>
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
cc: 'David Mcgrew' <mcgrew@cisco.com>, jsjoberg@toplayer.com, cfrg@ietf.org
Subject: RE: [Cfrg] Request For Opinions
In-Reply-To: <CE541259607DE94CA2A23816FB49F4A301AE2462@vhqpostal6.verisign.com>
Message-ID: <Pine.A41.4.10.10305080903310.39352-100000@ornavella.watson.ibm.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: cfrg-admin@ietf.org
Errors-To: cfrg-admin@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>

Phill,
This seems to me reminisent of the Gennaro-Rohatgi stream signatures from
Crypto 97.

Ran


On Thu, 8 May 2003, Hallam-Baker, Phillip wrote:

> Is the data stored data or being generated on the fly?
>  
> If the data is stored you could sign the data as follows:
>  
> Divide the stream into n blocks, say 100 blocks of 8K
>  
> Compute H(n)  the hash of block n,
> Compute H(n-1) the hash of block n-1 + H(n)
> and so on
> Compute H(1), the hash of block 1 + H(2)
>  
> Then sign H(1) and put it at the START of the stream.
> Next send H(1), block 1
> H(2), block 2 etc...
>  
>  
> This lets you check the integrity of the stream as you read the chunks, with
> the ability to verify each chunk as you read.
>  
> You cannot of course sign an infinite stream unless you have a buffer of
> infinite length.
>  
>  
> I have no idea if anyone has thought of this before (probably have it seems
> obvious enough) or if it is patented or anything.
>  
>         Phill
>  
>  
> 
> -----Original Message-----
> From: David Mcgrew [mailto:mcgrew@cisco.com]
> Sent: Monday, May 05, 2003 2:30 PM
> To: jsjoberg@toplayer.com
> Cc: cfrg@ietf.org
> Subject: Re: [Cfrg] Request For Opinions
> 
> 
> Jon,
> 
> it seems like you have a viable scheme.  You might be interested in the
> efficient methods for signing of packet streams that have been discussed in
> the IRTF, starting with the Secure Multicast/Group (SMUG) RG (
> http://www.securemulticast.org/smug-index.htm
> <http://www.securemulticast.org/smug-index.htm> ), which is now defunct but
> has spawned both the IRTF Group Security (GSEC) RG and the IETF MSEC WG.
> There are a bunch of methods that amortize the work of digital signatures
> across multiple packets.  I think the following list covers the main
> methods:
> 
> How to Sign Digital Streams, Gennaro and Rohatgi, Crypto '97, online at
> http://citeseer.nj.nec.com/gennaro97how.html
> <http://citeseer.nj.nec.com/gennaro97how.html> .
> 
> Digital Signatures for Flows and Multicasts, Chung Kei Wong and Simon S.
> Lam,Technical Report TR-98-15, May 31, 1998; revised, June 14, 1999, in
> IEEE/ACM Transactions on Networking, August 1999.
> http://www.cs.utexas.edu/users/lam/Vita/IEEE/WongLam99.pdf
> <http://www.cs.utexas.edu/users/lam/Vita/IEEE/WongLam99.pdf> 
> 
> Authenticating Streamed Data in the Presence of Random Packet Loss, Golle
> and Modadugu, NDSS '00, online at
> http://crypto.stanford.edu/~nagendra/projects/StreamAuth/auth.pdf
> <http://crypto.stanford.edu/~nagendra/projects/StreamAuth/auth.pdf>
> Similar but independent work was done by Perrig, Song and Canetti, IIRC,
> though I can't find a link for it at present.
> 
> The Use of RSA Signatures within ESP and AH, Brian Weis,
> http://www.ietf.org/internet-drafts/draft-bew-ipsec-signatures-00.txt
> <http://www.ietf.org/internet-drafts/draft-bew-ipsec-signatures-00.txt> .
> This method could be used with one of the standard methods for accerating
> public key signing or verifying, though it's not explicitly discussed in the
> document.
> 
> A related but probably not applicable work is "TESLA: Multicast Source
> Authentication Transform Specification", Perrig, Canetti, Whillock,
> http://www.ietf.org/internet-drafts/draft-ietf-msec-tesla-spec-00.txt
> <http://www.ietf.org/internet-drafts/draft-ietf-msec-tesla-spec-00.txt> .
> 
> Which of these solutions is the best for any given application depends on a
> bunch of factors, such as the possibility loss and reorder of packets,
> whether or not it is acceptable to buffer packets on the sender or on the
> receiver, and the amount of data that can safely be added to each packet. 
> 
> Hope this help,
> 
> David
> 
> 
> At 11:52 AM 5/5/2003 -0400, jsjoberg@toplayer.com wrote:
> 
> 
> Hey all,
> 
> I'm in an ETSI working group and we are trying to find a way to provide
> integrity checks along with non-repudiation on a theoretically infinite
> amount of data delivered over a network at 10's to 100's Mbps.
> Crypto-hardware is not a reasonable expectation and the solution is
> extremely cost sensitive.  
> 
> The data link will be sending PDU's an an as need basis, with each PDU being
> tagged with a sequence number.  At some point later in time
> (days/weeks/years) we need to be able to prove the integrity of the PDU's as
> well as the authenticity.
> 
> The following is what we have come up with and I'm wondering if anyone has
> anything to add, remove, or change that would make a better solution.  The
> idea is to get some of the authentication strength of DSS/DSA without the
> full strength or the full cost (in processing time).
> 
> Thanks in advance for any input,
> Jon
> 
> Periodically, hashes over the data PDUs will be inserted into the data
> stream. A hash will only be created if at least one PDU packet was sent
> since the last hash was sent or since startup.
> 
> Every <n1> PDU packets or when <t1> seconds have passed a MD5 hash is
> generated over all PDU
> packets sent since the last MD5 hash was sent or since startup. The MD5 hash
> is sent in a HashPDU, where the HashSequenceNr increments for every hash
> sent for this intercept. The array PDUSequenceNrsIncluded contains the
> sequence number of every data PDU that was included in the hash.
> 
> NOTE: The values for n1 and t1 are configurable. 
> 
> Periodically, a hash over the hashes specified above and a signature of that
> hash, will be inserted into the  the data stream. The signed hashes allows
> authentication of the sender and to verfify the integrity of the recevied
> MD5 hashes.
> 
> Every <n2> hashes or when <t2> seconds have passed, a MD5 hash is generated
> over all hashes sent since the last signed hash was sent or since startup
> and that MD5 hash is signed
> using DSS/DSA. The MD5 hash and corresponding DSS/DSA signature are sent
> over in a SignedHashPDU, where the SignedHashSequenceNr increments for every
> signed hash sent. The array HashSequenceNrsIncluded contains the sequence
> number of every HashPDU that
> was included in the signed hash.
> 
> NOTE: The values for n2 and t2 are configurable.
> 
> NOTE: The distribution of the DSS/DSA public key is outside the scope of
> this specification.
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
> <https://www1.ietf.org/mailman/listinfo/cfrg>  
> 
> _______________________________________________ Cfrg mailing list
> Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
> 
> 

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email