Re: Standardize RSA/SHA256 ?

Ólafur Guðmundsson /DNSEXT co-chair <ogud@ogud.com> Fri, 12 May 2006 14:59 UTC

Message-Id: <6.2.5.6.2.20060512101950.031900e0@ogud.com>
Date: Fri, 12 May 2006 10:54:07 -0400
To: Jelte Jansen <jelte@NLnetLabs.nl>, namedroppers@ops.ietf.org
From: Ólafur Guðmundsson /DNSEXT co-chair <ogud@ogud.com>
Subject: Re: Standardize RSA/SHA256 ?
In-Reply-To: <44644DBB.3080605@NLnetLabs.nl>
References: <6.2.5.6.2.20060508094001.03182b80@ogud.com> <Pine.LNX.4.44.0605091629550.31070-100000@citation2.av8.net> <87vesecle7.fsf@latte.josefsson.org> <44644DBB.3080605@NLnetLabs.nl>

At 04:56 12/05/2006, Jelte Jansen wrote:
> >
> >> For the above reasons, I think that we have time to consider the
> >> correct course of action. There is no need to rush into more
> >> algorithms which require more code on nameservers and resolvers.
> >
> > Yes, or at least, we need to document a more compelling reason to do
> > RSA-SHA-265.
> >
>
>So why is this an issue for RSA/SHA256, and not for
>draft-ietf-dnsext-ds-sha256-05.txt, which also makes SHA256 mandatory?

<Chair-hat=on>
The issues here are slightly different.

DS digest is the SAME for the lifetime of the DS record.
Digest inside a RRSIG is going to be different each time the signature is
regenerated for that set, thanks to the different signature lifespan timers.
Thus in the case of DS an attacker has much longer to be able to generate
a DNSKEY that has a matching DS digest to an existing one.

The WG was advised by our Security Area Advisor (Russ Housley) that any use
of SHA-1 without an HMAC wrapper should be retired. As DS was the most vulnerable,
the chairs got that effort started on the spot and RFC4509 should be published
any day now.

<Chair-hat=off>
A mitigating fact that RRSIG is not as vulnerable as plain text, against the
known SHA1 attacks, is the structured data format of an RRset.
Having said that, if an attack on the RRSIG digest, or other structured formats,
is valuable enough, some smart people will figure out a way to design
such an attack.

Following up on Hilarie and Rip's messages:
One part of the security analysis should be how long signature lifetime can be
for the different digest algorithms used as a function of time.
This is similar to what is available for lengths of public keys.

         Olafur 
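
The DS versus RRSIG difference discussed in the message above, as an added example that is not part of the original message: it hashes the DS input (owner name | DNSKEY RDATA) and the RRSIG signing input (RRSIG RDATA without the signature | canonical RRset) using the RFC 4034 wire layouts. The zone, key bytes, key tag, timestamps and the helper names are constructed for illustration.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Domain name in canonical (lowercased) wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner: str, dnskey_rdata: bytes, hash_name: str) -> str:
    """RFC 4034 section 5.1.4: digest(owner name | DNSKEY RDATA); no time fields."""
    return hashlib.new(hash_name, wire_name(owner) + dnskey_rdata).hexdigest()

def rrsig_digest(owner, rrtype, ttl, rdatas, alg, key_tag, signer,
                 inception, expiration, hash_name="sha1") -> str:
    """RFC 4034 section 3.1.8.1: digest(RRSIG RDATA minus signature | canonical RRset)."""
    labels = len([l for l in owner.rstrip(".").split(".") if l])
    # Type covered, algorithm, labels, original TTL, expiration, inception, key tag
    header = struct.pack("!HBBIIIH", rrtype, alg, labels, ttl,
                         expiration, inception, key_tag) + wire_name(signer)
    rrset = b"".join(
        wire_name(owner) + struct.pack("!HHIH", rrtype, 1, ttl, len(r)) + r
        for r in sorted(rdatas))  # canonical RR ordering by RDATA octets
    return hashlib.new(hash_name, header + rrset).hexdigest()

# Constructed sample data (not real keys or signatures).
ZONE = "example.com."
DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 5) + bytes(range(64))  # flags, protocol, alg, fake key
A_RDATAS = [bytes([192, 0, 2, 2]), bytes([192, 0, 2, 1])]
DAY = 86400
T0 = 1147392000  # constructed inception time

def signing_run(inception: int, lifetime_days: int = 30) -> str:
    """Digest that would be signed for the A RRset in one re-signing run."""
    return rrsig_digest(ZONE, 1, 3600, A_RDATAS, 5, 12345, ZONE,
                        inception, inception + lifetime_days * DAY)

if __name__ == "__main__":
    # The DS digest depends only on the owner name and the key: it never changes.
    for h in ("sha1", "sha256"):
        print("DS", h, ds_digest(ZONE, DNSKEY_RDATA, h))
    # The RRSIG input changes on every re-signing because the timers change.
    for week in range(3):
        print("RRSIG input digest, run", week, signing_run(T0 + week * 7 * DAY))
```

The RRset data is identical in every run; only the inception and expiration fields move, which is enough to change the digest that gets signed.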

