Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt
"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 30 September 2015 15:08 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC8841B5E4F for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 08:08:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FhHzJ_CikzQh for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 08:08:18 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3351E1B5E55 for <dnsop@ietf.org>; Wed, 30 Sep 2015 08:08:16 -0700 (PDT)
Received: from [10.32.60.140] (142-254-17-123.dsl.dynamic.fusionbroadband.com [142.254.17.123]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t8UF8DtO032140 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Sep 2015 08:08:13 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-123.dsl.dynamic.fusionbroadband.com [142.254.17.123] claimed to be [10.32.60.140]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Joe Abley <jabley@hopcount.ca>
Date: Wed, 30 Sep 2015 08:08:16 -0700
Message-ID: <8D53DD17-95BF-43D2-BFE7-C77D1FF3C301@vpnc.org>
In-Reply-To: <9A059CF2-96EE-4B68-8EF2-370CD8ABFDD8@hopcount.ca>
References: <20150928155157.GB19077@jurassic.l0.malgudi.org> <BB4FDC1E-4FC7-4583-8314-5D3BBCB3531A@hopcount.ca> <20150930023229.GA11615@jurassic.l0.malgudi.org> <9A059CF2-96EE-4B68-8EF2-370CD8ABFDD8@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/7vmhDbXVhvGV838wCq2TwzRUAD4>
Cc: dnsop@ietf.org, Mukund Sivaraman <muks@isc.org>
Subject: Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 15:08:19 -0000
On 30 Sep 2015, at 5:28, Joe Abley wrote: > On 29 Sep 2015, at 22:32, Mukund Sivaraman wrote: > >>> The Security Considerations section should say more about the >>> limitations of this approach, e.g. the ability of an off-path >>> attacker >>> to correct for changes that would change a checksum with other >>> changes >>> that will restore it, which is my lazy précis of the no-doubt more >>> succinct observation that Vixie made somewhere in this thread (or >>> another thread near it). >> >> I didn't understand this part. Candidate checksum algorithms will >> have >> to be one-way cryptographic hash functions, and they will >> automatically >> take care of this. > > Any hash function is susceptible to collisions; this is surely a > simple truism based on the mapping of an M-bit message to an N-bit > digest where usually M >> N. It is true if M>N, and in practice may be true even if M=N. > If I can alter a message in such a way that the digest remains the > same, I can defeat the checksum. But now you switched from talking about collisions to talking about preimage attacks. Collision attacks are when you find two messages with the same hash *before issuing the messages*. SHA-1 (nor even MD5!) is so far not susceptible to preimage attacks. > Surely the threat models here depend on the algorithm. I am no > cryptographer, but it seems reasonable to mention the characteristics > of the hash function that are important to minimise the risk of this > kind of attack, especially when there are other motivations in > choosing an algorithm (such as the speed at which it can be > calculated) that might weaken the mechanism. For this type of system, you want a hash or checksum function where finding collisions takes more than N attempts, and all of those attempts must be based on random guessing, not on some structure of the messages. N can be calibrated by the value of an attacker fooling you and the amount of time they have to create the collision. N=2^64 is probably sufficient for this attack because we still don't have a way to do 2^64 guesses in a reasonable amount of time, and SHA-1 is still probably within that boundary. However, FNV (a non-cryptographic hash) has the same amount of collision protection but runs much faster. > To choose an extreme example, it seems likely that choosing to > calculate a parity bit would be much computationally cheaper than > calculating a SHA-256 digest. However, a parity bit would not offer > much protection against off-path attacks. Indeed. And this still calls into question whether trying to engineer a solution like this is a better idea than just using TCP. --Paul Hoffman
- [DNSOP] Fwd: New Version Notification for draft-m… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Joe Abley
- Re: [DNSOP] New Version Notification for draft-mu… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-mu… Tony Finch
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Joe Abley
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-mu… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-mu… Tony Finch