Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 30 September 2015 15:08 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC8841B5E4F for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 08:08:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FhHzJ_CikzQh for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 08:08:18 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3351E1B5E55 for <dnsop@ietf.org>; Wed, 30 Sep 2015 08:08:16 -0700 (PDT)
Received: from [10.32.60.140] (142-254-17-123.dsl.dynamic.fusionbroadband.com [142.254.17.123]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t8UF8DtO032140 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Sep 2015 08:08:13 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-123.dsl.dynamic.fusionbroadband.com [142.254.17.123] claimed to be [10.32.60.140]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Joe Abley <jabley@hopcount.ca>
Date: Wed, 30 Sep 2015 08:08:16 -0700
Message-ID: <8D53DD17-95BF-43D2-BFE7-C77D1FF3C301@vpnc.org>
In-Reply-To: <9A059CF2-96EE-4B68-8EF2-370CD8ABFDD8@hopcount.ca>
References: <20150928155157.GB19077@jurassic.l0.malgudi.org> <BB4FDC1E-4FC7-4583-8314-5D3BBCB3531A@hopcount.ca> <20150930023229.GA11615@jurassic.l0.malgudi.org> <9A059CF2-96EE-4B68-8EF2-370CD8ABFDD8@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/7vmhDbXVhvGV838wCq2TwzRUAD4>
Cc: dnsop@ietf.org, Mukund Sivaraman <muks@isc.org>
Subject: Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 15:08:19 -0000

On 30 Sep 2015, at 5:28, Joe Abley wrote:

> On 29 Sep 2015, at 22:32, Mukund Sivaraman wrote:
>
>>> The Security Considerations section should say more about the
>>> limitations of this approach, e.g. the ability of an off-path 
>>> attacker
>>> to correct for changes that would change a checksum with other 
>>> changes
>>> that will restore it, which is my lazy précis of the no-doubt more
>>> succinct observation that Vixie made somewhere in this thread (or
>>> another thread near it).
>>
>> I didn't understand this part. Candidate checksum algorithms will 
>> have
>> to be one-way cryptographic hash functions, and they will 
>> automatically
>> take care of this.
>
> Any hash function is susceptible to collisions; this is surely a 
> simple truism based on the mapping of an M-bit message to an N-bit 
> digest where usually M >> N.

It is true if M>N, and in practice may be true even if M=N.

> If I can alter a message in such a way that the digest remains the 
> same, I can defeat the checksum.

But now you switched from talking about collisions to talking about 
preimage attacks. Collision attacks are when you find two messages with 
the same hash *before issuing the messages*. SHA-1 (nor even MD5!) is so 
far not susceptible to preimage attacks.

> Surely the threat models here depend on the algorithm. I am no 
> cryptographer, but it seems reasonable to mention the characteristics 
> of the hash function that are important to minimise the risk of this 
> kind of attack, especially when there are other motivations in 
> choosing an algorithm (such as the speed at which it can be 
> calculated) that might weaken the mechanism.

For this type of system, you want a hash or checksum function where 
finding collisions takes more than N attempts, and all of those attempts 
must be based on random guessing, not on some structure of the messages. 
N can be calibrated by the value of an attacker fooling you and the 
amount of time they have to create the collision. N=2^64 is probably 
sufficient for this attack because we still don't have a way to do 2^64 
guesses in a reasonable amount of time, and SHA-1 is still probably 
within that boundary. However, FNV (a non-cryptographic hash) has the 
same amount of collision protection but runs much faster.

> To choose an extreme example, it seems likely that choosing to 
> calculate a parity bit would be much computationally cheaper than 
> calculating a SHA-256 digest. However, a parity bit would not offer 
> much protection against off-path attacks.

Indeed. And this still calls into question whether trying to engineer a 
solution like this is a better idea than just using TCP.

--Paul Hoffman