Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

Paul Wouters <paul@cypherpunks.ca> Sat, 08 February 2014 01:49 UTC

On Fri, 7 Feb 2014, Viktor Dukhovni wrote:

>>> I think that HMAC-sha224 would be wiser, since otherwise a single
>>> dictionary works for all domains.
>>
>> So what, telnet'ing to port 25 and issuing HELO and RCPT TO: is cheaper
>> already.
>
> There's a difference between online and off-line attacks.

$ wc -l /usr/share/dict/words
479828 /usr/share/dict/words

$ head -100000 /usr/share/dict/words > /tmp/10k
$ time (for word in `cat /tmp/10k`; do echo -n "$word.nohats.ca" | sha224sum; done > /dev/null)
real	3m9.064s

And that's using only 1 cpu, and a horrible shell kludge.

I'm sure the spammers have awesome LHS dictionaries gathered over the
years. Your proposal does not actually add any security.

You'd have to also ratelimit DNS queries if you go down the path of the
hash being a security feature.

> For an NSEC zone, if the hash does not include the full address,
> the attacker can trivially perform a lookup in a pre-computed
> domain-independent dictionary.  Thus the usernames are easily recovered
> off-line.  So if you don't do HMAC, you must hash the full address,
> not just the localpart.
>
> For an NSEC3 zone, the attacker gets lightly iterated salted hashes
> of the query fqdn, and needs to compute the same for each guess of
> a plausible user name.

Why do I need to follow the hashes? I'll just brute force a dictionary
list and send queries. Whether I sha2-224 that once, or once per domain,
is not that big of a difference. Hashing is cheap.

> Bottom line, hash the full address, not just the localpart.

What's next? using scrypt? pbkdf2?

The hashing is not a security feature. Hashing the domain brings in
other problems, such as case sensitivity that changes hashes but not
DNS names.

Also, not using the domain name allows for CNAME/DNAME entries, so for
example I can add the same record in my "libreswan.org" zone that is
used as DNAME for libreswan.{net|com|ca|fi|nl}. Adding the domain into
the hash would break this setup.

Seriously, if spammers use the location of SMIME/OPENPGPKEYs to find
email addresses, WE HAVE WON THE CRYPTO WARS!

Paul
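
The trade-off argued in this thread, as an added example that is not part of the original message or of the draft: it compares hashing the localpart only, hashing the full address, and HMAC-SHA224 on the three properties raised above (one dictionary reusable across domains, stability under DNS case-insensitivity, and compatibility with DNAME aliases). The domain-as-HMAC-key choice, the example.* names and the word list are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (not from the thread).
WORDS = ["paul", "viktor", "postmaster", "info"]
DOMAINS = ["example.org", "example.net"]
SCHEMES = ["localpart", "full", "hmac"]


def label(localpart: str, domain: str, scheme: str) -> str:
    """Hex string that would be published as the leftmost DNS label."""
    lp, dom = localpart.encode(), domain.encode()
    if scheme == "localpart":   # hash of the localpart only
        return hashlib.sha224(lp).hexdigest()
    if scheme == "full":        # hash of the full address
        return hashlib.sha224(lp + b"@" + dom).hexdigest()
    if scheme == "hmac":        # assumption: the domain is used as the HMAC key
        return hmac.new(dom, lp, hashlib.sha224).hexdigest()
    raise ValueError(f"unknown scheme: {scheme}")


def table_reusable_across_domains(scheme, words=WORDS, domains=DOMAINS) -> bool:
    """True when one precomputed label table is valid for every domain."""
    tables = [{label(w, d, scheme) for w in words} for d in domains]
    return all(t == tables[0] for t in tables)


def case_stable(scheme, localpart="paul", domain="example.org") -> bool:
    """True when the label ignores domain case, as DNS name matching does."""
    return label(localpart, domain, scheme) == label(localpart, domain.upper(), scheme)


def survives_dname(scheme, localpart="paul",
                   target="example.org", alias="example.net") -> bool:
    """True when a record published once under `target` is also found by a
    sender who hashes an address at `alias` (a DNAME pointing at `target`)."""
    return label(localpart, alias, scheme) == label(localpart, target, scheme)


def compare():
    """Property matrix for the three schemes."""
    return {s: {"shared_dictionary": table_reusable_across_domains(s),
                "case_stable": case_stable(s),
                "dname_ok": survives_dname(s)} for s in SCHEMES}


if __name__ == "__main__":
    for scheme, props in compare().items():
        print(f"{scheme:10} {props}")
```

Binding the domain into the label removes the shared dictionary but costs both operational properties unless the domain is canonicalized before hashing; neither variant changes the per-guess cost of one SHA-224 computation.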