IETF Logo Mail Archive

Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 21 February 2015 22:50 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 705E01A0104 for <dane@ietfa.amsl.com>; Sat, 21 Feb 2015 14:50:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_46=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LA6Ee9qdxa2I for <dane@ietfa.amsl.com>; Sat, 21 Feb 2015 14:50:25 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E146D1A00F9 for <dane@ietf.org>; Sat, 21 Feb 2015 14:50:24 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 8B60D282E4F; Sat, 21 Feb 2015 22:50:23 +0000 (UTC)
Date: Sat, 21 Feb 2015 22:50:23 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150221225023.GQ1260@mournblade.imrryr.org>
References: <CAHw9_iJPuG23Aok7V_wcAMirua_DPDLHy01tnd+DaUqEeK3NZA@mail.gmail.com> <CAH1iCir+z6QjPQkgjF+jhKM4=ZCXpsQYDWsJqHRJ=20mGHeX9w@mail.gmail.com> <alpine.LFD.2.10.1502211543270.4576@bofh.nohats.ca> <CAH1iCirFVPjM0yyF0jL3V_epkYV3Qz9A_WFTkM5sZ3FNu6sppA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAH1iCirFVPjM0yyF0jL3V_epkYV3Qz9A_WFTkM5sZ3FNu6sppA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/mIrSMw9zVDdMwfjwJeoYPHMt8zI>
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Feb 2015 22:50:26 -0000

On Sat, Feb 21, 2015 at 02:15:31PM -0800, Brian Dickson wrote:

> If the same NSEC3PARAMs are used, the same input -> same output, i.e. for
> owner FOO, NSEC3 owner is BAR.  Changing the SALT and leaving the alg and
> iterations unchanged, means FOO now hashes to BAR_PRIME.
> 
> If everyone used the same SALT, alg, and iterations, the attacker would
> be able to add to her dictionary by attacking each hashed value once.

This is not the case.  Even with the same salt everywhere, the same
relative names yield different NSEC3 hashes in different domains.

    $ ldns-nsec3-hash -t 10 -s deadbeef  www.example.com
    posh7b8ariqtee5s9bji4jvlhmj5qtbn.

    $ ldns-nsec3-hash -t 10 -s deadbeef  www.example.net
    mj2fbsp4rqaqd2u1d1jhlr3scqeqi11i.

That's because the hash covers the full domain name, not just some
"prefix" labels.  So NSEC3 hashes are already effectively "salted"
with the zone name.  What "salts" do is allow each domain to further
impede off-line dictionary attacks (via per-domain rainbow tables)
by periodically changing the salt.


> However, if everyone used random SALT, even with same alg and iterations,
> the dictionary of hashed values becomes worthless, and the attacker needs
> to maintain a dictionary of unhashed values, and need to hash the entire
> dictionary to find matches on each subsequent zone.

No, it is OK for everyone to use the same salt, because that salt
is combined with their unique domain name.  For high value domains,
what is perhaps useful is to change the salt periodically.

For example, everyone could use the calendar YYYYMM (year + month)
as the salt.  And the attacker would need a new rainbow table for
each domain every month.  The fact that the salt is the same
everywhere would not be helpful to the attacker.  Of course knowing
future values of the salt would make it possible to start computing
the rainbow tables sooner, so the problem with YYYYMM is predictability,
rather than use by multiple domains.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email