Re: [DNSOP] on staleness of code points and code (mentions MD5 commentary from IETF98)
"Paul Hoffman" <paul.hoffman@vpnc.org> Tue, 28 March 2017 13:48 UTC
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Evan Hunt <each@isc.org>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Tue, 28 Mar 2017 08:48:48 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bWj1dOdT45XCdclEgxyr6S6jnJY>

On 27 Mar 2017, at 21:41, Evan Hunt wrote:

> On Mon, Mar 27, 2017 at 12:45:04PM -0700, Paul Vixie wrote:
>> also, a validator that outputs "secure" based on MD5 inputs is making a
>> promise it can't keep.
>
> MD5 is known to be breakable

Please: let's be careful with our wording here.

There are widely-understood and widely-implemented attacks on MD5's collision resistance, reducing it from the design-level of 2^64 to somewhere around 2^30. In other words, it is trivial to create messages that have MD5 collisions.

To date, there have been no public papers showing any preimage attacks on MD5 reducing its design-level of 2^128. There may be privately-known attacks, of course, just as there might be for any cryptographic algorithm. A researcher who shows a preimage attack on MD5 would get huge recognition within the cryptographic community, so there is a strong motivation to try. So far, none has been forthcoming.

To date, no one has publicly described how a collision attack would help an attacker in DNSSEC. Such an attack would be *very* interesting to this community. If you know of such an attack, please say so here or in a cryptographic forum. It has been over a decade since the collision-based attack on PKIX certificates was described, but since then none has been described for DNSSEC. In specific, because we now know that collision attacks on SHA1 are feasible and will probably get better over time, this community should understand how such an attack could affect us.

For more information on cryptographic attacks on hashes, please see RFC 4270.

--Paul Hoffman
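
The gap between the collision and preimage design levels discussed in the message above (2^64 versus 2^128 for a 128-bit digest), as an added example that is not part of the original post. It scales MD5 down to a constructed 16-bit toy digest so both generic searches finish quickly; the truncation, function names and message strings are assumptions made for illustration, and the code uses no MD5-specific weakness.

```python
import hashlib
from statistics import mean

BITS = 16  # constructed toy digest width; real MD5 output is 128 bits


def toy_digest(msg: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of MD5(msg), a scaled-down stand-in for the full hash."""
    full = int.from_bytes(hashlib.md5(msg).digest(), "big")
    return full >> (128 - bits)


def find_collision(seed: int, bits: int = BITS):
    """Birthday search: any two distinct messages with the same toy digest.
    Expected cost is on the order of 2^(bits/2) hash calls."""
    seen = {}
    i = 0
    while True:
        msg = f"c-{seed}-{i}".encode()
        d = toy_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
        i += 1


def find_preimage(target: int, seed: int, bits: int = BITS):
    """Generic search for a message hitting one fixed digest.
    Expected cost is on the order of 2^bits hash calls."""
    i = 0
    while True:
        msg = f"p-{seed}-{i}".encode()
        if toy_digest(msg, bits) == target:
            return msg, i + 1
        i += 1


def compare(trials: int = 8, bits: int = BITS):
    """Mean hash calls for each search over several constructed seeds."""
    coll = [find_collision(s, bits)[2] for s in range(trials)]
    pre = [find_preimage(toy_digest(f"target-{s}".encode(), bits), s, bits)[1]
           for s in range(trials)]
    return mean(coll), mean(pre)


if __name__ == "__main__":
    c, p = compare()
    print(f"{BITS}-bit toy digest: collision ~{c:.0f} calls, preimage ~{p:.0f} calls")
```
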