Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.

Brian Dickson <brian.peter.dickson@gmail.com> Sat, 21 February 2015 22:15 UTC

On Sat, Feb 21, 2015 at 12:44 PM, Paul Wouters <paul@nohats.ca> wrote:

> On Fri, 20 Feb 2015, Brian Dickson wrote:
>
>> In section 5.1, about email leaks, it may be worth additionally
>> mentioning:
>> Use of distinct SALT values can further limit brute force efforts, even
>> where the same key is used.
>
> How would that help? I would assume the attacker zone walks the zone and
> then brute forces the names offline. Whether the actual live zone
> changes salt wouldn't matter at that point?

I should have been more clear in my comment.

Enumerating a zone when NSEC3 is used basically only gives the attacker a
dictionary of NSEC3 owner names.
_Those_ owner names are salted hashes of the original owner names.
The effort to create a mapping from salted hashes to original owner name is
"X", for some X.

If the same NSEC3PARAMs are used, the same input -> same output, i.e. for
owner FOO, NSEC3 owner is BAR.
Changing the SALT and leaving the alg and iterations unchanged means FOO
now hashes to BAR_PRIME.

If everyone used the same SALT, alg, and iterations, the attacker would be
able to add to her dictionary by attacking each hashed value once.

However, if everyone used random SALT, even with same alg and iterations,
the dictionary of hashed values becomes worthless, and the attacker needs
to maintain a dictionary of unhashed values, and needs to hash the entire
dictionary to find matches on each subsequent zone.

It's an order(N) vs order(N) x order(M) thing, where N is the attacker's
dictionary size and M is the number of zones the attacker is attempting to
harvest names for. It turns a win (space vs time) into a lose (diminishing
returns).

I think.

Brian
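
The salt effect described in this message, as an added example that is not part of the original e-mail: an RFC 5155 NSEC3 hash (SHA-1, base32hex output) showing that a table precomputed under one salt matches nothing once the same owner names are hashed under a different salt. The owner names, the second salt and the helper names are constructed for illustration.

```python
import base64
import hashlib

# NSEC3 uses base32hex; translate from the standard base32 alphabet.
_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a fully qualified name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H(x || salt), then `iterations` further rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def precompute(names, salt, iterations):
    """Table of NSEC3 owner hash -> original name for ONE parameter set."""
    return {nsec3_hash(n, salt, iterations): n for n in names}


def reusable_entries(table, names, salt, iterations):
    """Count table entries that still match when the names use `salt`."""
    return sum(1 for n in names if nsec3_hash(n, salt, iterations) in table)


# Constructed sample data (not taken from any real zone).
NAMES = ["alice.example.", "bob.example.", "carol.example."]
SALT_A = bytes.fromhex("aabbccdd")
SALT_B = bytes.fromhex("1122334455")
ITERATIONS = 12  # same algorithm and iteration count for both salts

if __name__ == "__main__":
    table = precompute(NAMES, SALT_A, ITERATIONS)
    print("matches under same salt:", reusable_entries(table, NAMES, SALT_A, ITERATIONS))
    print("matches after salt change:", reusable_entries(table, NAMES, SALT_B, ITERATIONS))
```
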