IETF Logo Mail Archive

Re: [Cfrg] RFC 5742 conflict review for draft-dolmatov-kuznyechik

Watson Ladd <watsonbladd@gmail.com> Fri, 05 February 2016 01:56 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E79E1B2C83 for <cfrg@ietfa.amsl.com>; Thu, 4 Feb 2016 17:56:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T2djfRBlcUPr for <cfrg@ietfa.amsl.com>; Thu, 4 Feb 2016 17:56:44 -0800 (PST)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05F171B2C82 for <cfrg@irtf.org>; Thu, 4 Feb 2016 17:56:44 -0800 (PST)
Received: by mail-yw0-x22b.google.com with SMTP id z185so40052066ywf.0 for <cfrg@irtf.org>; Thu, 04 Feb 2016 17:56:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=UyxJQypF0mwVtsB7sX0+r7aLkE/zpElyNi5d6uF5HTw=; b=gmk5EkWige4k+V+qnR8V8lGporSA5BMHZJwPEeeFNGr3WZ5WjUUa5jDb5KqD1zDFaP IzBbOXfJ7a3Op8LcyKnH031d9a/vr8qUE1jqGv9EBL5SlaLfPTX1YZ7C0bv33BMh+BEU e1v5/cuJU0UFBXmli18vXGXllFQ1bwZQ7FH/2YADpu68C35bVBEpxOiBSwdQXuASaQE7 q31szYPiem9H7m/P2AvIiv8dYzey2c6p8HXIA1FDTIriuHi5MbS2dV66iOhDqOmjHbQZ f7jH8rCtSiEtWWHeGagrDioPKj3l2ZJyUd2EPuVRQGNXxGQWijHODZJ7zCB7/RX3YkCQ 8mug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=UyxJQypF0mwVtsB7sX0+r7aLkE/zpElyNi5d6uF5HTw=; b=dwAPoUEAOqHrCWaeQDNV1e/DUlEV9c7E8BQ3YyCEn8B0kpHJgPXAgUB4E/4cesHXA2 a6jiYRjKp1qtJdN5u+H2Ej1gp5ObdTU2gAnLkxpz/+BXT7LXaP1Q8KwrWfoqqRlVcyLr oAPKKJl4cwl+lK4xXJ0QkA5lh7oQ2y/Cdh/CMzfVCd1u9yQZgHw5WMLX7DW1rJUsdS7b Bm5BV7A00lipqbk2E53EppM1T6vhAHiZZZuN+P5LE7bvtcDa+CD3CwpkLxZnIWXUUPt3 nQ40qgsBR1uQdcYXi1XIMh8vhGhzUFUfW/YKf9sKeK1h5BKilISGgwR9omWKJfayuium 0WCg==
X-Gm-Message-State: AG10YOQZI6Saz41MiIlwjeisvvYPQyFfosE+zvWmnd/xxcLWN/2vM+i1PBPbUccoT+DunHnUmHEmzRA9HFyqLA==
MIME-Version: 1.0
X-Received: by 10.129.82.18 with SMTP id g18mr5471521ywb.97.1454637403302; Thu, 04 Feb 2016 17:56:43 -0800 (PST)
Received: by 10.13.216.138 with HTTP; Thu, 4 Feb 2016 17:56:43 -0800 (PST)
In-Reply-To: <D2D942D8.26A82%uri@ll.mit.edu>
References: <4A631584-C0F1-4AFC-A51D-155C34415413@isode.com> <D2D64C5B.61B8F%kenny.paterson@rhul.ac.uk> <CADqLbz+b-YQ10d6d5_GHN+r7ETWobQgq+skPyXQSdUGG1dBDqQ@mail.gmail.com> <CACsn0c=ErkJLja7QUbA06V7vH-KPR_MpTcPhPyrKfyV02bxq-w@mail.gmail.com> <D2D65F65.266E2%uri@ll.mit.edu> <87a8nix2od.fsf@latte.josefsson.org> <D2D68F83.26762%uri@ll.mit.edu> <871t8uw0sb.fsf@latte.josefsson.org> <D2D78DD6.2680E%uri@ll.mit.edu> <b0a5edfea0df3670d5526d488dc731d1.squirrel@www.trepanning.net> <CACsn0c=OcJP6jzne9hHp67U6ZVpBssK1y=4zu1UW8+V=brUF0w@mail.gmail.com> <ff3c1ab0eaa94bc497001720b8dd5351@usma1ex-dag1mb1.msg.corp.akamai.com> <CACsn0cmH5_uWwxS2Bi87nPT=aK4vHnXvrcG7iTM=zcyP8UrZ-A@mail.gmail.com> <D2D942D8.26A82%uri@ll.mit.edu>
Date: Thu, 04 Feb 2016 17:56:43 -0800
Message-ID: <CACsn0ckhS+zBwJ_ZzQwmGdEYoSV4fiQat58Bje_9qqRJgg_94Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/jOLRi7ucGJikn6EBstMQZ41sx1U>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] RFC 5742 conflict review for draft-dolmatov-kuznyechik
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2016 01:56:47 -0000

On Thu, Feb 4, 2016 at 3:21 PM, Blumenthal, Uri - 0553 - MITLL
<uri@ll.mit.edu> wrote:
>> We got good use out of those two [RC4 and MD5] mechanisms.
>
> Both were broken in the same year as their introduction: the initial byte
> bias of RC4 was immediate, and collisions in the MD5 collision function not
> long after.
>
> Pure and unadulterated BS. Accompanied by the usual charming manners, and
> total disregard for practical realities of the industry.

Here's the September 1994 post revealing RC4:
http://web.archive.org/web/20080207125928/http://cypherpunks.venona.com/archive/1994/09/msg00304.html

By September 1995 Andrew Roos has posted the first distinguisher. He's
actually announced it a few months earlier, according to secondary
sources, but I couldn't find any direct link to the Usenet post. Below
shows that it's on what passed for an eprint server at the time. I'd
call that broken within the year.
https://groups.google.com/forum/#!searchin/sci.crypt/andrew$20roos/sci.crypt/xqwP-3NaTdM/4qn28owcFkoJ

Here's the September response from RSA inc.
https://groups.google.com/forum/#!searchin/sci.crypt/andrew$20roos/sci.crypt/5RXjlNthOFI/hkYx2XjAFQkJ

Was 3DES a viable alternative? Of course: it was the MTI cipher in
SSLv3 etc, where RC4 wasn't. Would this have cost more sparse CPU
time? Of course. But as CPU got cheaper, RC4 stayed enabled, even as
attacks mounted up. The practical reality of this industry is that
people don't change configuration and don't change defaults, that
programmers don't know how to write secure code, and everyone assumes
that the standards people are doing their job.

>
> First collision in MD5 was published in 2004: Collisions for Hash Functions
> MD4, MD5, HAVAL-128 and RIPEMD and Hot to Break MD5 and Other Hash
> Functions.
>
> Hans Dobbertin (OBM) published his work that suggested a possibility of
> successful attack The Status of MD5 After a Recent Attack and Cryptanalysis
> of MD5 Compress in 1996. He wrote in 1996 in RSA Laboratories CryptoBytes
> (if you remember what it is):
>
> "The presented attack does not yet threaten practical applications of MD5,
> but it comes rather close… in the future MD5 should no longer be implemented
> … where a collision-resistant hash-function is required."

So what should the response have been according to this very sentence?
Obviously it's to start planning to replace MD5, phase it out across
protocols, start removing it from products, not include it in new
protocols: that's what "no longer should be implemented" means.

Actual IETF response: keep using MD5, insist in 2004 that we can keep
using MD5  despite collisions(https://www.ietf.org/rfc/rfc4270.txt),
do nothing in 2007 in response to Marc Stevens, do nothing in 2008/9
in response to Sotirov, and only in 2011 start depreciating
MD5(https://www.rfc-editor.org/rfc/rfc6151.txt).

Why is this history relevant? Because it shows that if we adopt a
cryptosystem, it will continue to be used for a long time even as
increasingly successful attacks are found against it. Therefore we
should pay careful attention to the security of schemes we do pick.
That's coupled with the susceptibility of many protocols to downgrade
attacks: you are only as secure as the weakest enabled protocol, not
the strongest. Supposedly algorithm agility was supposed to fix this:
in reality it enabled all kinds of attacks while not solving what it
was supposed to solve.

>
>
> Of course everybody remembers that one of the HMAC claims-to-fame was that
> it remains strong even if collisions are found in the underlying hash
> function, which is how most protocols that employ hash for authentication
> used it.

This comment completely ignores the use of hash functions in
signatures and to verify integrity of files. That second usage is one
of the most enduring uses of MD5, and that first usage is one where
any collision is immediately fatal.
>
> Not that I hope to convince anybody of anything, or to be heard by those who
> probably would've benefited the most from it :), but it felt nice to go back
> to those times for a moment.
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email