Re: [CGA-EXT] WGLC for draft-ietf-csi-hash-threat-05.txt

Sheng Jiang <shengjiang@huawei.com> Thu, 28 January 2010 09:07 UTC

Return-Path: <shengjiang@huawei.com>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C33663A6A30 for <cga-ext@core3.amsl.com>; Thu, 28 Jan 2010 01:07:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jHcHouNC7sZE for <cga-ext@core3.amsl.com>; Thu, 28 Jan 2010 01:07:34 -0800 (PST)
Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [119.145.14.66]) by core3.amsl.com (Postfix) with ESMTP id 2AE243A6A18 for <cga-ext@ietf.org>; Thu, 28 Jan 2010 01:07:33 -0800 (PST)
Received: from huawei.com (szxga03-in [172.24.2.9]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KWY00KXU9BEB0@szxga03-in.huawei.com> for cga-ext@ietf.org; Thu, 28 Jan 2010 17:06:50 +0800 (CST)
Received: from huawei.com ([172.24.2.119]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KWY002FT9BE83@szxga03-in.huawei.com> for cga-ext@ietf.org; Thu, 28 Jan 2010 17:06:50 +0800 (CST)
Received: from j66104a ([10.111.12.78]) by szxml06-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0KWY0060D9BD6B@szxml06-in.huawei.com> for cga-ext@ietf.org; Thu, 28 Jan 2010 17:06:50 +0800 (CST)
Date: Thu, 28 Jan 2010 17:06:49 +0800
From: Sheng Jiang <shengjiang@huawei.com>
In-reply-to: <729b68be1001261120y3a6f0f82t1c8808622ed7bc8d@mail.gmail.com>
To: 'Jean-Michel Combes' <jeanmichel.combes@gmail.com>
Message-id: <000001ca9ff9$39f26360$4e0c6f0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Thread-index: AcqevKVu0k1k9L3YQ6eFrybJv4RH3ABPEhvg
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] WGLC for draft-ietf-csi-hash-threat-05.txt
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2010 09:07:35 -0000

Jean-Michel,

Thanks so much for your comments. We will integrate your comments in a new
version that will be issued after the WGLC is completed.

Regards,

Sheng

> -----Original Message-----
> From: cga-ext-bounces@ietf.org 
> [mailto:cga-ext-bounces@ietf.org] On Behalf Of Jean-Michel Combes
> Sent: Wednesday, January 27, 2010 3:20 AM
> To: marcelo bagnulo braun
> Cc: cga-ext@ietf.org
> Subject: Re: [CGA-EXT] WGLC for draft-ietf-csi-hash-threat-05.txt
> 
> Hi,
> 
> here are my comments regarding this draft:
> 
>                        SeND Hash Threat Analysis
> 
> <JMC>
> To be compliant with RFC 3971 terminology:
> s/SeND/SEND
> <JMC>
> 
>    This document analysis the use of hashes in SeND, possible threats
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    and the impact of recent attacks on hash functions used by SeND.
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    Current SeND specification [rfc3971] uses the SHA-1 [sha-1] hash
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    algorithm and PKIX certificates [rfc5280] and does not provide
> 
> <JMC>
> To cover at the same time PKI (i.e. pkix WG) certificates, 
> actually used for SEND, and RPKI (i.e. sidr WG) certificates, 
> used in the next version of SEND, maybe:
> s/PKIX certificates/X.509 certificates
> <JMC>
> 
>    support for the hash algorithm agility.  The purpose of 
> the document
>    is to provide analysis of possible hash threats and to 
> decide how to
>    encode the hash agility support in SeND.
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
> 
> 1.  Introduction
> 
>    SEND [rfc3971] uses the SHA-1 hash algorithm to generate 
> the contents
>    of the Key Hash field and the Digital Signature field of the RSA
>    Signature option.  It also uses a hash algorithm (SHA-1, MD5, etc.)
> 
> <JMC>
> On one side, there is no text on use of SHA-1 to generate a 
> CGA and, OTOH, section 2.1 explains the analysis on the CGA 
> generation. Maybe:
> s/SEND [rfc3971] uses the SHA-1 hash algorithm to generate 
> the contents of the Key Hash field and the Digital Signature 
> field of the RSA Signature option./Secure Neighbor Discovery 
> (SEND) [rfc3971] uses the SHA-1 hash algorithm to generate 
> Cryptographically Generated Addresses (CGA) [rfc3972], the 
> contents of the Key Hash field and the Digital Signature 
> field of the RSA Signature option.
> <JMC>
> 
>    in the PKIX certificates [rfc5280] used for the router 
> authorization
> 
> <JMC>
> Same comment as above.
> To cover at the same time PKI (i.e. pkix WG) certificates, 
> actually used for SEND, and RPKI (i.e. sidr WG) certificates, 
> used in the next version of SEND, maybe:
> s/PKIX certificates/X.509 certificates
> <JMC>
> 
>    in the ADD process.  Recently there have been demonstrated attacks
>    against the collision free property of such hash functions
>    [sha1-coll], and attacks against the PKIX X.509 
> certificates that use
> 
> <JMC>
> Same comment as above.
> To cover at the same time PKI (i.e. pkix WG) certificates, 
> actually used for SEND, and RPKI (i.e. sidr WG) certificates, 
> used in the next version of SEND, maybe:
> s/PKIX X.509 certificates/X.509 certificates <JMC>
> 
>    the MD5 hash algorithm [x509-coll] This document analyzes 
> the effects
>    of those attacks and other possible hash attacks on the SEND
>    protocol.  The document proposes changes to make it 
> resistant to such
>    attacks.
> 
> 2.  Impact of collision attacks on SeND
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    Due to the hash attacks demonstrated on the aforesaid hash 
> algorithms
>    a study was performed to assess the threat of these attacks on the
>    cryptographic hash usage in internet protocols [rfc4270].  This
>    document analyzes the hash usage in SEND following the approach
>    recommended by [rfc4270] and [new-hashes].
> 
> <JMC>
> Maybe:
> s/This document analyzes the hash usage in SEND following the 
> approach recommended by [rfc4270] and [new-hashes]./This 
> document analyzes the hash usage in SEND following the 
> recommended approach [rfc4270][new-hashes].
> <JMC>
> 
>    The basic cryptographic properties of a hash function are 
> that it is
>    both one-way and collision free.  There are two attacks against the
>    one-way property, the first-preimage attack and the second-preimage
>    attack.  In the first-preimage attack, given a knowledge of a
>    particular value hash(m), an attacker finds an input 
> message m' such
>    that hash(m') yields hash(m).  The second-preimage attack 
> deals with
> 
> <JMC>
> IMHO, for someone not familiar with cryptography, the use of "m" in
> hash(m) may be confusing. Maybe:
> s/In the first-preimage attack, given a knowledge of a 
> particular value hash(m), an attacker finds an input message 
> m' such that
> hash(m') yields hash(m)./In the first-preimage attack, given 
> a knowledge of a particular Hash value h, an attacker finds 
> an input message m such that yields Hash(m)=h.
> <JMC>
> 
>    the fixed messages.  Given a knowledge of a fixed value m 
> used as the
>    input message to the hash function, an attacker finds a different
>    value m' that yields hash(m)=hash(m').  Supposing that the hash
> 
> <JMC>
> Just for the mathematical logic, maybe:
> s/Given a knowledge of a fixed value m used as the input 
> message to the Hash function, an attacker finds a different 
> value m' that yields hash(m)=hash(m')./Given a knowledge of a 
> fixed value m used as the input message to the Hash function, 
> an attacker finds a different value m' that yields Hash(m')=Hash(m).
> <JMC>
> 
>    function produces an n-bit long output, since each output 
> is equally
>    likely, an attack takes an order of 2^n operations to be 
> successful.
>    Due to the birthday attack, if the hash function is supplied with a
>    random input, it returns one of the k equally-likely 
> values, and the
>    number of operations can be reduced to the number of 1.2*2^(n/2)
>    operations.  However, attacks against the one-way property are not
>    feasible yet [rfc4270].  Up to date, all demonstrated attacks are
>    attacks against a collision-free property, in which an attacker
>    produces two different messages m and m' such that 
> hash(m)=hash(m').
>    The rest of the document deals with the collision attacks.
> 
> <JMC>
> As there is text in section 2.1, 2.4 about preimage attack, maybe:
> s/The rest of the document deals with the collision 
> attacks./The rest of the document mainly deals with the 
> collision attacks.
> <JMC>
> 
>    We will analyze the impact of hash attacks on SeND case by case in
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    this section.  Through our analysis, we also discuss whether we
>    should support the hash agility in SeND.
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
> 2.1.  Attacks against CGAs in stateless autoconfiguration
> 
>    Hash functions are used in the stateless autoconfiguration process
>    that is based on CGAs.  Impacts of collision attacks on 
> current uses
>    of CGAs are analyzed in the update of the CGA specification
>    [rfc4982], which also enables CGAs to support the hash 
> agility.  CGAs
>    provide the proof-of-ownership of the private key corresponding to
>    the public key used to generate the CGA.  CGAs do not deal with the
> 
> <JMC>
> "CGAs provide the proof-of-ownership of the private key 
> corresponding to the public key used to generate the CGA."
> IMHO, this sentence is unclear. What do you mean by "CGAs"? 
> Because, AFAIK, only the RSA Signature Option (which is not a 
> part of CGA specification, i.e. RFC 3972) provides the 
> proof-of-ownership of the generated CGA: the public key used 
> to generate the CGA is really owned by the sender because 
> this last one has correctly signed the ND message and so he 
> owns the private key associated to the public key.
> Or did I miss something?
> <JMC>
> 
>    non-repudiation feature, while collision attacks are mainly about
>    affecting the non-repudiation feature, i.e. in the collision attack
>    against the CGA both of the CGA Parameters sets are choosen by an
>    attacker, which is not useful in the real-world scenarios.
> 
> <JMC>
> "which is not useful in the real-world scenarios"
> Out of curiosity, may you explain to me why you have such a 
> conclusion?
> <JMC>
> 
>    Therefore, as [rfc4982] points out CGA based protocols, including
>    SeND, are not affected by the recent collision attacks.  Regarding
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    the pre-image attacks, if pre-image attacks were feasible, an
>    attacker would manage to find the new CGA Parameters based on the
>    associated, victim's CGA, and produce the Key Hash field and the
>    Digital Signature field afterwards using the new public key.  Since
>    the strength of all hashes in SEND depends on the strength of the
>    CGA, the pre-image attack is potentially dangerous, but it 
> is not yet
>    feasible.
> 
> <JMC>
> s/pre-image/preimage
> <JMC>
> 
> 2.2.  Attacks against PKIX certificates in ADD process
> 
> <JMC>
> s/PKIX certificates/X.509 certificates
> <JMC>
> 
>    The second use of hash functions is for the router authorization in
>    the ADD process.  Router sends to a host a certification 
> path, which
>    is a path between a router and the hosts's trust anchor, consisting
>    of PKIX certificates.  Researchers demonstrated attacks 
> against PKIX
> 
> <JMC>
> s/hosts's/host's
> s/PKIX certificates/X.509 certificates
> <JMC>
> 
>    certificates with MD5 signature, in 2005 [new-hashes] and in 2007
>    [x509-coll].  In 2005 were constructed the original and the false
>    certificate that had the same identity data and the same digital
>    signature, but different public keys [new-hashes].  The problem for
>    the attacker is that two certificates with the same 
> identity are not
>    actually useful in real-world scenarios, because the Certification
>    Authority is not allowed to provide such two certificates.  In
> 
> <JMC>
> "because the Certification Authority is not allowed to 
> provide such two certificates."
> Warning: AFAIK, there are methods, today, to get and to use 
> such a certificate from a CA (e.g. use of the "wildcard" or 
> "null prefix"
> method in the CN). That's already be done for SSL.
> <JMC>
> 
>    addition, attacks against the human-readable fields demand 
> much more
>    effort than the attacks against non human-readable fields, 
> such as a
>    public key field.  In case of the identity field, an attacker is
>    faced with the problem of the prediction and the generation of the
>    false but meaningful identity data, which at the end might be
>    revealed by the Certification Authority.  Thus, in practice,
>    collision attacks do not affect non human-readable parts of the
>    certificate.  In 2007 were demonstrated certificates which 
> differ in
>    the identity data and in the public key, but still result 
> in the same
>    signature value.  In such attack, even if an attacker produced such
>    two certificates in order to claim that he was someone 
> else, he still
>    needs to predict the content of all fields appearing before the
>    public key, e.g. the serial number and validity periods.  
> Although a
>    relying party cannot verify the content of these fields (each
>    certificate by itself is unsuspicious), the Certification Authority
>    keeps track of those fields and it can reveal the false certificate
>    during the fraud analysis.  Regarding certificates in SeND,
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    potentially dangerous are attacks against the X.509 certificate
>    extensions.  For example, an attack against the IP address 
> extension
>    would enable the router to advertize the changed IP prefix range,
>    although, not broader than the prefix range of the parent 
> certificate
>    in the ADD chain.
> 
>    The public-private key pair associated to the Router Authorization
>    Certificate in the ADD process is used both for the CGA generation
>    and for the message signing.  Since in the future CGAs 
> might be used
> 
> <JMC>
> "both for the CGA generation and for the message signing."
> I assume you mean when the router uses also CGA Option. Correct?
> <JMC>
> 
>    only with certificates, attacks against certificates are even more
>    dangerous.  Generally, the most dangerous are attacks 
> against middle-
>    certificates in the certification path, where for the cost 
> of the one
>    false certificate, an attacker launches an attack on multiple
>    routers.  Regarding the attacks against certificates in SEND, the
>    only attack that SEND is not suspectable to, is an attack 
> against the
>    Trust Anchor's certificate because it is not exchanged in SeND
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    messages, i.e. it is not the part of the certification path in the
>    ADD process.
> 
> 
> 
> 2.4.  Attacks against the Key Hash field in the RSA Signature option
> 
>    The Key Hash field is a SHA-1 hash of the public key from the CGA
>    Parameters structure in the CGA option.  The pre-image 
> attack against
> 
> <JMC>
> s/pre-image/preimage
> <JMC>
> 
>    the Key Hash field is potentially dangerous, as in the case of all
>    other hashes in SEND, because the Key Hash field contains a non
>    human-readable data.  However the Key Hash field is not suspectable
>    to the collision attack, since in the collision attack an attacker
>    itself chooses both keys, k and k', where hash(k) = hash(k').  The
>    reason for the former is that the associated public key is already
>    authorized through the use of CGAs, and possibly the certification
>    path in the ADD process.
> 
> 
> 
> 3.  Support for the hash agility in SeND
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    While all of analyzed hash functions in SeND are theoretically
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    affected by hash attacks, these attacks indicate the possibility of
>    future real-world attacks.  In order to increase the 
> future security
>    of SeND, the following possible approaches can be used.
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    o  The most effective and secure would be to bind the hash function
>       option with something that can not be changed at all, like
>       [rfc4982] does for CGA - encoding the hash function information
>       into addresses.  But, there is no possibilty to do that in SeND.
> 
> <JMC>
> s/possibilty/possibility
> s/SeND/SEND
> <JMC>
> 
>       We could decide to use by default the same hash function in SeND
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>       as in CGA.  The security of all hashes in SeND depends 
> on CGA, ie.
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>       if an attacker could break CGA, all other hashes are 
> automatically
>       broken.  From the security point of view, at the moment, this
>       solution is more reasonable then defining different 
> hash algorithm
>       for each hash.  Additionally, if using the hash 
> algorithm from the
>       CGA, no bidding down attacks are possible.  On the other hand,
>       this solution introduces the limition for SEND to be used
> 
> <JMC>
> s/limition/limitation
> <JMC>
> 
>       exclusively with CGAs.
> 
>    o  Another solution is to incorporate the Hash algorithm 
> option into
>       the SeND message.  However, if the algorithm is defined in the
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>       Hash algorithm option in the SeND message, it is 
> vulnerable to the
>       bidding down attack.
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
> 4.  Security Considerations
> 
>    This document analyzes the impact of hash attacks in SeND 
> and offeres
> 
> <JMC>
> s/SeND/SEND
> s/offeres/offers
> <JMC>
> 
>    a higher security level for SeND by providing solution for the hash
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    agility support.
> 
>    The negotiation approach for the hash agility in SeND based on the
> 
> <JMC>
> s/SeND/SEND
> <JMC>
> 
>    Supported Signature Algorithms option is vulnerable to bidding-down
>    attacks, which is usual in the case of any negotiation approach.
>    This issue can be mitigated with the appropriate local policies.
> 
> 
> 
> 
> 
> Hope that helps.
> 
> Best regards.
> 
> JMC.> 
> 
> 2010/1/22 marcelo bagnulo braun <marcelo@it.uc3m.es>es>:
> > Hi,
> >
> > This is WGLC for draft-ietf-csi-hash-threat-05.txt.
> > Please read the document and provide comments. The WGLC 
> will close on 
> > the 8th of february.
> >
> > the draft can be found at:
> >
> > http://tools.ietf.org/id/draft-ietf-csi-hash-threat-05.txt
> >
> > Regards, marcelo
> >
> > _______________________________________________
> > CGA-EXT mailing list
> > CGA-EXT@ietf.org
> > https://www.ietf.org/mailman/listinfo/cga-ext
> >
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT@ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext