Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 07 February 2014 18:11 UTC

Date: Fri, 7 Feb 2014 18:11:29 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140207181129.GO278@mournblade.imrryr.org>
References: <41938fd202ba460285b59132c29ac826@BY2PR09MB029.namprd09.prod.outlook.com> <20140206195322.GD278@mournblade.imrryr.org> <11698F58-B554-4CC8-872F-D2A3BF08986C@kirei.se> <20140206215742.GF278@mournblade.imrryr.org> <alpine.LFD.2.10.1402071254350.21252@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1402071254350.21252@bofh.nohats.ca>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt
Precedence: list
Reply-To: dane@ietf.org

On Fri, Feb 07, 2014 at 12:57:09PM -0500, Paul Wouters wrote:

> On Thu, 6 Feb 2014, Viktor Dukhovni wrote:
> 
> >I think that HMAC-sha224 would be wiser, since otherwise a single
> >dictionary works for all domains.
> 
> So what, telnet'ing to port 25 and issuing HELO and RCP TO: is cheaper
> already.

There's a difference between online and off-line attacks.  

For an NSEC zone, if the hash does not include the full address,
the attacker can trivially perform a lookup in a pre-computed
domain-indendent dictionary.  Thus the usernames are easily recovered
off-line.  So if you don't do HMAC, you must hash the full address,
not just the localpart.

For an NSEC3 zone, the attacker gets lightly iterated salted hashes
of the query fqdn, and needs to compute the same for each guess of
a plausible user name.

Bottom line, hash the full address, not just the localpart.

-- 
	Viktor.

[dane] I-D Action: draft-ietf-dane-smime-03.txt internet-drafts
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Scott Rose
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Paul Hoffman
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Scott Rose
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Scott Rose
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Jakob Schlyter
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
[dane] draft-ietf-dane-smime and certificate disc… Paul Hoffman
Re: [dane] draft-ietf-dane-smime and certificate … Osterweil, Eric
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] draft-ietf-dane-smime and certificate … Paul Hoffman
Re: [dane] draft-ietf-dane-smime and certificate … Viktor Dukhovni
Re: [dane] draft-ietf-dane-smime and certificate … Paul Hoffman
Re: [dane] draft-ietf-dane-smime and certificate … Viktor Dukhovni
Re: [dane] draft-ietf-dane-smime and certificate … Paul Hoffman
Re: [dane] draft-ietf-dane-smime and certificate … Osterweil, Eric
Re: [dane] draft-ietf-dane-smime and certificate … Osterweil, Eric
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Paul Wouters
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Andrew Sullivan
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Andrew Sullivan
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Mark Andrews
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Mark Andrews
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Larsen, Todd
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Larsen, Todd
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Jakob Schlyter
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Jim Schaad
[dane] Feature creep for draft-ietf-dane-smime Paul Hoffman
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] Feature creep for draft-ietf-dane-smime Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Wiley, Glen
Re: [dane] Feature creep for draft-ietf-dane-smime Tom Ritter
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Paul Wouters
Re: [dane] Feature creep for draft-ietf-dane-smime Paul Wouters
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] Feature creep for draft-ietf-dane-smime Viktor Dukhovni
Re: [dane] Feature creep for draft-ietf-dane-smime Paul Hoffman
Re: [dane] Feature creep for draft-ietf-dane-smime Viktor Dukhovni
Re: [dane] Feature creep for draft-ietf-dane-smime John Levine
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Paul Wouters
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
Re: [dane] Feature creep for draft-ietf-dane-smime Osterweil, Eric
Re: [dane] Feature creep for draft-ietf-dane-smime Viktor Dukhovni
Re: [dane] Feature creep for draft-ietf-dane-smime Warren Kumari
Re: [dane] draft-ietf-dane-smime and certificate … Wes Hardaker