IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt

"Joe Abley" <jabley@hopcount.ca> Wed, 30 September 2015 12:28 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEE1F1A6F5D for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 05:28:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5H70ApOrlOx2 for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 05:28:24 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 532D71A6F5B for <dnsop@ietf.org>; Wed, 30 Sep 2015 05:28:24 -0700 (PDT)
Received: by igbkq10 with SMTP id kq10so99941040igb.0 for <dnsop@ietf.org>; Wed, 30 Sep 2015 05:28:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-type; bh=Sxw6JuHlf0cJj7HZc5o2B2hXjGYYz9uaDQU1TDIRZxQ=; b=NKJPN5KgKFjXEWUgSRUnddIlP1CNXJwzRgEBSouq2Gk8OgSThHc1NEYNAEi0bpqYS+ Im5F04+uTwKGzhYHyDKrW23JJscqjtE3wvmV6BNCMzoxGntsIxnuIuVUUroaPAosTHnz 1DGYaZl2FlwjDN1TB7V/7yuoHhz4xsd9w6Bu8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-type; bh=Sxw6JuHlf0cJj7HZc5o2B2hXjGYYz9uaDQU1TDIRZxQ=; b=fF94Y1JEzpd6qA+jJ4O1E8qshOFHQNJNuluVndT4phe014xNQmBz0ZwRgHN4LAy8m4 gO8v65e0hbEwb78z77pvB/4cIjiH3AJOVMHjO9cAp84I6ktZsZU5dnAuSQWkv9AMj8hd mIEG8Ln5pH8oDqdj4pXSbyEgEQBR+l8GH7d2Yb2/xd9J0Oue5F0oCInpMU7u6+0xBlUe 4WOmRBx+d2GfQnomx/Jkqhx80/9gy9dFW/r31kdtabJqgDLO0OEPY9/UXv+5wRheNS+J h18YSEod8k5Tj8eEict0t7UF3m4aOW0WqeHEAuYjm/4Aoi5glQRj614I/yQ24Y2/CF8F rcUw==
X-Gm-Message-State: ALoCoQlyj5DGNzkVvoNp2QgCBHOGKizPNhf2wfTfur+aC4dYTL6SiiU9PQML/klZ7mv5UOyy636Y
X-Received: by 10.50.45.10 with SMTP id i10mr4061019igm.70.1443616103647; Wed, 30 Sep 2015 05:28:23 -0700 (PDT)
Received: from [199.212.92.19] (135-23-68-43.cpe.pppoe.ca. [135.23.68.43]) by smtp.gmail.com with ESMTPSA id k21sm171412ioi.10.2015.09.30.05.28.22 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 30 Sep 2015 05:28:22 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
To: Mukund Sivaraman <muks@isc.org>
Date: Wed, 30 Sep 2015 08:28:21 -0400
Message-ID: <9A059CF2-96EE-4B68-8EF2-370CD8ABFDD8@hopcount.ca>
In-Reply-To: <20150930023229.GA11615@jurassic.l0.malgudi.org>
References: <20150928155157.GB19077@jurassic.l0.malgudi.org> <BB4FDC1E-4FC7-4583-8314-5D3BBCB3531A@hopcount.ca> <20150930023229.GA11615@jurassic.l0.malgudi.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_E57951C5-8599-4859-B08C-5503AA6DEF97_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Wvcxjw0EsZx1iNtPhaa-YTp_YSs>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 12:28:25 -0000


On 29 Sep 2015, at 22:32, Mukund Sivaraman wrote:

>> The Security Considerations section should say more about the
>> limitations of this approach, e.g. the ability of an off-path attacker
>> to correct for changes that would change a checksum with other changes
>> that will restore it, which is my lazy précis of the no-doubt more
>> succinct observation that Vixie made somewhere in this thread (or
>> another thread near it).
>
> I didn't understand this part. Candidate checksum algorithms will have
> to be one-way cryptographic hash functions, and they will automatically
> take care of this.

Any hash function is susceptible to collisions; this is surely a simple truism based on the mapping of an M-bit message to an N-bit digest where usually M >> N. If I can alter a message in such a way that the digest remains the same, I can defeat the checksum.

Surely the threat models here depend on the algorithm. I am no cryptographer, but it seems reasonable to mention the characteristics of the hash function that are important to minimise the risk of this kind of attack, especially when there are other motivations in choosing an algorithm (such as the speed at which it can be calculated) that might weaken the mechanism.

To choose an extreme example, it seems likely that choosing to calculate a parity bit would be much computationally cheaper than calculating a SHA-256 digest. However, a parity bit would not offer much protection against off-path attacks.


Joe

v2.23.0 | Report a Bug | By Email