Re: [hiprg] use of sha-1 in the DHT interface draft
"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Fri, 21 October 2011 15:33 UTC
Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: hiprg@ietfa.amsl.com
Delivered-To: hiprg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4897F1F0C8B for <hiprg@ietfa.amsl.com>; Fri, 21 Oct 2011 08:33:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0sPFhqTSocS4 for <hiprg@ietfa.amsl.com>; Fri, 21 Oct 2011 08:33:29 -0700 (PDT)
Received: from slb-smtpout-01.boeing.com (slb-smtpout-01.boeing.com [130.76.64.48]) by ietfa.amsl.com (Postfix) with ESMTP id B80001F0C6F for <hiprg@irtf.org>; Fri, 21 Oct 2011 08:33:29 -0700 (PDT)
Received: from stl-av-01.boeing.com (stl-av-01.boeing.com [192.76.190.6]) by slb-smtpout-01.ns.cs.boeing.com (8.14.4/8.14.4/8.14.4/SMTPOUT) with ESMTP id p9LFXSeV014051 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <hiprg@irtf.org>; Fri, 21 Oct 2011 08:33:29 -0700 (PDT)
Received: from stl-av-01.boeing.com (localhost [127.0.0.1]) by stl-av-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_RELAY) with ESMTP id p9LFXR9w001330 for <hiprg@irtf.org>; Fri, 21 Oct 2011 10:33:27 -0500 (CDT)
Received: from XCH-NWHT-11.nw.nos.boeing.com (xch-nwht-11.nw.nos.boeing.com [130.247.25.114]) by stl-av-01.boeing.com (8.14.4/8.14.4/UPSTREAM_RELAY) with ESMTP id p9LFXRaQ001305 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK) for <hiprg@irtf.org>; Fri, 21 Oct 2011 10:33:27 -0500 (CDT)
Received: from XCH-NW-10V.nw.nos.boeing.com ([130.247.25.83]) by XCH-NWHT-11.nw.nos.boeing.com ([130.247.25.114]) with mapi; Fri, 21 Oct 2011 08:33:26 -0700
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "Ahrenholz, Jeffrey M" <jeffrey.m.ahrenholz@boeing.com>, "hiprg@irtf.org" <hiprg@irtf.org>
Date: Fri, 21 Oct 2011 08:33:26 -0700
Thread-Topic: use of sha-1 in the DHT interface draft
Thread-Index: AcyPMhu12S232/FYTZeFIp5WqSol+QAHb2kgAAxGKRAAHo84kAACxTFA
Message-ID: <7CC566635CFE364D87DC5803D4712A6C4CF18DF86B@XCH-NW-10V.nw.nos.boeing.com>
References: <FD98F9C3CBABA74E89B5D4B5DE0263B9379F111483@XCH-NW-12V.nw.nos.boeing.com> <7CC566635CFE364D87DC5803D4712A6C4CF18DF866@XCH-NW-10V.nw.nos.boeing.com> <FD98F9C3CBABA74E89B5D4B5DE0263B9379F1116CA@XCH-NW-12V.nw.nos.boeing.com>
In-Reply-To: <FD98F9C3CBABA74E89B5D4B5DE0263B9379F1116CA@XCH-NW-12V.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [hiprg] use of sha-1 in the DHT interface draft
X-BeenThere: hiprg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Host Identity Protocol \(HIP\) Research Group" <hiprg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hiprg>, <mailto:hiprg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/hiprg>
List-Post: <mailto:hiprg@irtf.org>
List-Help: <mailto:hiprg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hiprg>, <mailto:hiprg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2011 15:33:30 -0000
> -----Original Message----- > From: Ahrenholz, Jeffrey M > Sent: Friday, October 21, 2011 8:00 AM > To: Henderson, Thomas R; hiprg@irtf.org > Subject: RE: use of sha-1 in the DHT interface draft > > > However, my understanding is that the DHT server does not enforce the > > use of SHA-1; modified clients (that are HIP-aware) could use SHA-256 > > truncated to 160 bits. > > The DHT server does use SHA-1 internally to process removes. If the > client uses another hash function, the secret given in the DHT remove > will not match the SHA-1 hash used in the put. I did not catch that detail since it is not very clear from the API document, but it makes more sense that it operates that way. > > The draft does not currently require a modified OpenDHT/Bamboo server. > It states in sections 3 and 7 that the server MAY/SHOULD be modified > for signature and host ID verification (it looks like the "MAY" in > section 3 should be changed to "SHOULD".) Use of another hash > algorithm would require further server modifications (and specifying an > interface that deviates from OpenDHT.) > > > - keep the draft as is, citing that OpenDHT interface prescribes SHA- > 1, > > and that the other usage of SHA-1 is not trying to obtain any crypto > > properties. However, the implication of this is we will need to add > > more text in the security section and elsewhere to defuse this "red > > flag" > > I would prefer the above option. The security considerations section > can include text about deviating from the OpenDHT interface in order to > support other hash functions. The original intent of the draft was to > re-use the freely-available OpenDHT interface in an interoperable > fashion. > In light of the above, I would lean towards your recommendation as well. - Tom
- [hiprg] use of sha-1 in the DHT interface draft Henderson, Thomas R
- Re: [hiprg] use of sha-1 in the DHT interface dra… Miika Komu
- Re: [hiprg] use of sha-1 in the DHT interface dra… Tobias Heer
- Re: [hiprg] use of sha-1 in the DHT interface dra… Samu Varjonen
- Re: [hiprg] use of sha-1 in the DHT interface dra… Ahrenholz, Jeffrey M
- Re: [hiprg] use of sha-1 in the DHT interface dra… Henderson, Thomas R
- Re: [hiprg] use of sha-1 in the DHT interface dra… Tobias Heer
- Re: [hiprg] use of sha-1 in the DHT interface dra… L.Wood
- Re: [hiprg] use of sha-1 in the DHT interface dra… Miika Komu