Re: [Cfrg] [saag] RFC analyzing IETF use of hash functions [was: Re: Further MD5 breaks: Creating a rogue CA certificate]
Sean Shen <sshen@huawei.com> Tue, 06 January 2009 03:33 UTC
Hi,

A draft in the CSI work group gives some analysis on hash threats on CGA (RFC3972) and SeND (RFC3971). Hope it also provides valuable info.

I will be happy to give review or other possible support for this valuable work.

Best,
Sean

>-----Original Message-----
>From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On Behalf Of Sean Turner
>Sent: Tuesday, January 06, 2009 11:21 AM
>To: David McGrew
>Cc: cfrg@irtf.org; saag@ietf.org
>Subject: Re: [saag] RFC analyzing IETF use of hash functions [was: Re: [Cfrg] Further MD5 breaks: Creating a rogue CA certificate]
>
>Dave,
>
>When the S/MIME WG penned http://tools.ietf.org/html/draft-ietf-smime-multisig-05 we added an appendix that addresses where hashes are located in CMS's SignedData and the attacks against those hashes. I'd be willing to help craft any other wording necessary for S/MIME|CMS.
>
>spt
>
>David McGrew wrote:
>> Hi Ran,
>>
>> I think it is a great idea to document the IETF applications/uses of hashing, and the attacks against particular uses of hashing. It would make a great CFRG informational RFC, if we can find volunteers to contribute to and edit it. I offer to review it.
>>
>> David
>>
>> On Dec 31, 2008, at 7:48 AM, RJ Atkinson wrote:
>>
>>> [Distribution trimmed slightly to reduce cross-posting and improve SNR.]
>>>
>>> On 30 Dec 2008, at 20:20, Peter Gutmann wrote:
>>>> The current MD5 attack is very cool but there's no need to worry about bad guys doing much with it because it's much, much easier to get legitimate CA-issued certs the normal way, you buy them just like everyone else does (except that you use someone else's credit card and identity, obviously).
>>>
>>> Two thoughts:
>>>
>>> 1) Protocol Issues
>>>
>>> The IETF ought to be thinking about a wide range of IETF protocols in the same way that Peter thinks about CA security issues above.
>>>
>>> For some IETF protocols, for example all of the IGP authentication extensions (excepting RFC-2154, AFAICT), active non-cryptographic attacks are feasible (if not yet seen in the deployed world, AFAICT) that are much easier than *any* cryptographic attack. Again, and only by way of example, RFC-4822 discusses some of these that are specific to RIPv2 authentication.
>>>
>>> For protocols where non-cryptographic attacks are feasible AND are lower cost than a cryptographic attack, really it does not make much difference what cryptographic algorithm gets deployed by a user -- and the IETF's focus should be on improving the underlying authentication mechanism BEFORE worrying about which cryptographic algorithms are being deployed.
>>>
>>> Attackers are generally both smart and lazy, so they won't waste time on an expensive cryptographic attack when a lower effort non-cryptographic attack exists.
>>>
>>> 2) Hash algorithm analysis
>>>
>>> It would be very helpful if a *set* of mathematicians/cryptographers could jointly put together a summary of the known attacks on all the widely used hash algorithms (e.g. MD2, MD4, MD5, SHA-0, SHA-1, SHA-2, others), *including references to the published literature*.
>>>
>>> Ideally, this analysis would also include discussion of whether those attacks apply for those same algorithms when used in the modes employed by various IETF protocols today (e.g. Keyed-Hash as used in OSPFv2 MD5 or RIPv2 MD5, HMAC-Hash, and so forth).
>>>
>>> This would be most useful to have as an Informational RFC, and SOON, so that IETF WGs could have some "consensus" document to refer to -- and to cite explicitly -- if any IETF WGs decide to make hash algorithm recommendations or decisions.
>>>
>>> I don't understand IRTF process details perfectly, but perhaps the CFRG chairs might undertake creating such a document as a near-term official CFRG group project.
>>>
>>> Yours,
>>>
>>> Ran
>>> rja@extremenetworks.com

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
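As an added example (not code from any message in this thread), the two MD5 keying modes Ran contrasts, written out side by side with the receiver check that addresses his point 1; the packet framing, key bytes and neighbor address are constructed for illustration, and the OSPFv2 format is simplified to a sequence number followed by the body.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16  # OSPFv2 Appendix D carries a 16-byte key (assumed here)

def ospf_keyed_md5(packet: bytes, key: bytes) -> bytes:
    """Keyed-hash mode of OSPFv2 (RFC 2328 App. D) and RIPv2 (RFC 2082):
    the key is appended to the packet and plain MD5 runs over the whole.
    MD5 is iterated, so the tag depends on the packet only through the
    hash state reached after it: two equal-length packets that collide
    under plain MD5 collide here too, whatever the key."""
    return hashlib.md5(packet + key.ljust(KEY_LEN, b"\x00")).digest()

def hmac_md5(packet: bytes, key: bytes) -> bytes:
    """HMAC-MD5 (RFC 2104): the key enters an inner and an outer hash,
    so a collision in unkeyed MD5 does not by itself collide the tag."""
    return hmac.new(key, packet, hashlib.md5).digest()

class OspfMd5Receiver:
    """Receiver side: constant-time tag check plus the cryptographic
    sequence-number rule (accept only if seq >= last seen from that
    neighbor), i.e. the replay defence that no hash choice supplies."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}

    def accept(self, neighbor: str, seq: int, body: bytes, tag: bytes) -> bool:
        packet = struct.pack("!I", seq) + body  # constructed framing
        if not hmac.compare_digest(ospf_keyed_md5(packet, self.key), tag):
            return False  # forged or modified packet
        if seq < self.last_seq.get(neighbor, 0):
            return False  # replayed or stale sequence number
        self.last_seq[neighbor] = seq
        return True

def demo():
    """Fresh packet, replay of an older captured packet, altered body."""
    key = b"constructed-key!"  # 16 bytes, constructed for the example
    rx = OspfMd5Receiver(key)
    body = b"OSPF Hello, constructed payload"
    old = ospf_keyed_md5(struct.pack("!I", 41) + body, key)  # captured earlier
    new = ospf_keyed_md5(struct.pack("!I", 42) + body, key)
    fresh = rx.accept("10.0.0.2", 42, body, new)
    replayed = rx.accept("10.0.0.2", 41, body, old)
    altered = rx.accept("10.0.0.2", 43, body + b"!", new)
    return fresh, replayed, altered  # (True, False, False)
```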