IETF Logo Mail Archive

RE: Standardize RSA/SHA256 ?

"Hallam-Baker, Phillip" <pbaker@verisign.com> Thu, 18 May 2006 03:43 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FgZQH-00015X-0A for dnsext-archive@lists.ietf.org; Wed, 17 May 2006 23:43:37 -0400
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FgZQE-0007sf-KA for dnsext-archive@lists.ietf.org; Wed, 17 May 2006 23:43:36 -0400
Received: from majordom by psg.com with local (Exim 4.60 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1FgZMl-000Ftp-F1 for namedroppers-data@psg.com; Thu, 18 May 2006 03:39:59 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00, FORGED_RCVD_HELO,SPF_PASS autolearn=ham version=3.1.1
Received: from [65.205.251.74] (helo=colibri.verisign.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.60 (FreeBSD)) (envelope-from <pbaker@verisign.com>) id 1FgZMk-000Ftc-HW for namedroppers@ops.ietf.org; Thu, 18 May 2006 03:39:58 +0000
Received: from MOU1WNEXCN02.vcorp.ad.vrsn.com (mailer2.verisign.com [65.205.251.35]) by colibri.verisign.com (8.13.6/8.13.4) with ESMTP id k4I3dqQr027740; Wed, 17 May 2006 20:39:52 -0700
Received: from MOU1WNEXMB04.vcorp.ad.vrsn.com ([10.25.13.157]) by MOU1WNEXCN02.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 17 May 2006 20:39:46 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: Standardize RSA/SHA256 ?
Date: Wed, 17 May 2006 20:39:46 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37ABA8B9@MOU1WNEXMB04.vcorp.ad.vrsn.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Standardize RSA/SHA256 ?
Thread-Index: AcZ11RG2XwomNvY+SAmqQBoVkgHQWwD51nGQ
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Ólafur Guðmundsson /DNSEXT co-chair <ogud@ogud.com>, namedroppers@ops.ietf.org
Cc: Russ Housley <housley@vigilsec.com>
X-OriginalArrivalTime: 18 May 2006 03:39:46.0503 (UTC) FILETIME=[B545AD70:01C67A2C]
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Spam-Score: 0.1 (/)
X-Scan-Signature: f66b12316365a3fe519e75911daf28a8

I suspect that what Russ actually said was that Working Groups should plan to transition from SHA-1 because it is unacceptably weak. 

In the security area the minimum key length for RSA that applications must support has been 2048 bits for some time.

DNSSEC is the only application where a transition from RSA1024 to RSA2048 creates real operational difficulties.
 

I don't think that weak crypto is a show stopper for deployment of DNSSEC, it will be a decade or more before breaking a 56 bit key will be the weakest link in any of the crypto systems in use.

But when developers are being told to update their algorithms it seems to me that you want to make sure that the number of transitions is minimized rather than the extent of each transition.

The task of adding a crypto algorithm to existing code is probably the most trivial coding change you can imagine. But you still have a full QA cycle and a full interop cycle and those are never easy or simple.


> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org 
> [mailto:owner-namedroppers@ops.ietf.org] On Behalf Of Ólafur 
> Guðmundsson /DNSEXT co-chair
> Sent: Friday, May 12, 2006 10:54 AM
> To: Jelte Jansen; namedroppers@ops.ietf.org
> Subject: Re: Standardize RSA/SHA256 ?
> 
> At 04:56 12/05/2006, Jelte Jansen wrote:
> > >
> > >> For the above reasons, I think that we have time to consider the 
> > >> correct course of action. There is no need to rush into more 
> > >> algorithms which require more code on nameservers and resolvers.
> > >
> > > Yes, or at least, we need to document a more compelling 
> reason to do 
> > > RSA-SHA-265.
> > >
> >
> >So why is this an issue for RSA/SHA256, and not for 
> >draft-ietf-dnsext-ds-sha256-05.txt, which also makes SHA256 
> mandatory?
> 
> <Chair-hat=on>
> The issues here are slightly different.
> 
> DS digest is the SAME for the lifetime of the DS record.
> Digest inside a RRSIG is going to be different each time the 
> signature is regenerated for that set, thanks to the 
> different signature lifespan timers.
> Thus in the case of DS an attacker has much longer to be able 
> to generate a DNSKEY that has a matching DS digest to an existing one.
> 
> The WG was advised by our Security Area Advisor (Russ 
> Housley) that any use of SHA-1 without HMAC wrapper should be 
> retired. As DS was the most vulnerable the chairs got that 
> effort stared on the spot and RFC4509 should be published any day now.
> 
> <Chair-hat=off>
> A mitigating fact that RRSIG is not as vulnerable as plain 
> text, against the known SHA1 attacks, is the structured data 
> format of an RRset.
> Having said that if attack on RRSIG digest, or other 
> structured formats, is valuable enough some smart people will 
> figure out a way to design such an attack.
> 
> Following up on Hilarie and Rip's messages:
> One part of the security analysis should be how long 
> signature lifetime can be for the different digest algorithms 
> used as a function of time.
> This is similar to what is available for lengths of public keys.
> 
>          Olafur 
> 
> 
> --
> to unsubscribe send a message to 
> namedroppers-request@ops.ietf.org with the word 'unsubscribe' 
> in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
> 
> 

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email