Re: Regarding Bill's draft... another Bill's open issues with
William Allen Simpson <bsimpson@morningstar.com> Fri, 23 February 1996 23:19 UTC
Received: from ietf.cnri.reston.va.us by IETF.CNRI.Reston.VA.US id aa14307; 23 Feb 96 18:19 EST
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa14303; 23 Feb 96 18:19 EST
Received: from neptune.tis.com by CNRI.Reston.VA.US id aa13211; 23 Feb 96 18:19 EST
Received: from neptune.tis.com by neptune.TIS.COM id aa00222; 23 Feb 96 18:05 EST
Received: from relay.tis.com by neptune.TIS.COM id aa00193; 23 Feb 96 18:02 EST
Received: by relay.tis.com; id SAA02327; Fri, 23 Feb 1996 18:04:27 -0500
Received: from sol.tis.com(192.33.112.100) by relay.tis.com via smap (V3.1) id xma002323; Fri, 23 Feb 96 18:03:59 -0500
Received: from relay.tis.com by tis.com (4.1/SUN-5.64) id AA21404; Fri, 23 Feb 96 18:02:57 EST
Received: by relay.tis.com; id SAA02312; Fri, 23 Feb 1996 18:03:57 -0500
Received: from merit.edu(35.1.1.42) by relay.tis.com via smap (V3.1) id xma002303; Fri, 23 Feb 96 18:03:43 -0500
Received: from Bill.Simpson.DialUp.Mich.Net (pm001-03.dialip.mich.net [35.1.48.52]) by merit.edu (8.7.3/merit-2.0) with SMTP id SAA02466 for <ipsec@TIS.COM>; Fri, 23 Feb 1996 18:04:44 -0500 (EST)
Date: Fri, 23 Feb 1996 21:15:10 +0000
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: William Allen Simpson <bsimpson@morningstar.com>
Message-Id: <4941.bsimpson@morningstar.com>
To: ipsec@tis.com
Subject: Re: Regarding Bill's draft... another Bill's open issues with
X-Orig-Sender: ipsec-request@neptune.tis.com
Precedence: bulk
> From: Bill Sommerfeld <sommerfeld@apollo.hp.com> > More importantly, the attack requires a large number of different > chosen-messages. Since it is not possible for an attacker to "choose" > the parameters being verified, this attack is impossible. > > That's not at all clear to me. In particular, it seems that in a > system using per-user or per-transport-connection SPI's, an active > attacker could easily induce a system to create large numbers of SPI's > with a third party, each having similar, but not identical parameters. > I am not following you; since it's apparently easy, please give a concrete example of such an exchange. > Most importantly, the attack requires an incredibly large number of > known-messages, on the order of 2**65 or more! That makes it utterly > impractical (also stated by the authors). > > That's an upper-bound on the strength of this construction, not a > lower bound. > How true (although the number I gave was the smallest bound in the paper). In fact, it could be guessed on the very first try. It's just not very likely (1:2**65). And there would be no confirmation of success. > As an engineer, not a cryptographer, the existance of this weakness > makes me suspicious of tying photuris so closely to > hash(concat(key,data,key)) instead of a more flexible > keyed_hash(key,data). > Thanks for your opinion. > They already are. That is, a hash over the key. MD5 is used in the > base document, but other hashes are possible for other Exchange-Schemes. > (See Extensions draft for details.) > > I'm sorry, but a keyed hash and a hash over a key and some other data > are *NOT* necessarily the same thing. Hash(concat(key,data,key)) is just one > way to implement a keyed hash -- it's not necessarily the *best* way. > Never-the-less, it is _one_ way, and at this time is the one with field experience and both qualitative and quantitative analysis. > Hugo's work suggests that hash(key1, hash(key2, data)) may be better, > but there's no way to cleanly define photuris extensions which use > that structure in the future if the base draft insists on the > key,data,key form. > Huh? You mean Kaliski and Robshaw. Hugo suggested some other variant for another purpose. And I don't understand your latter assertion, as Photuris has clear and clean extension mechanisms. > > 2) define the key used for validity-method, privacy-method keygen, > > and SPI session keygen as the shared-secret > > > This is a cryptographically unsound idea. > > Why? That's exactly what photuris is doing today! It's doing a keyed > hash using the shared secret as the "key" and other fields as the > "data". > I don't see any "data" or "hash" in your suggestion. If you are suggesting that Photuris use the same method that it does today, then we are in complete agreement. > > 3) define the key used for the identity-choice algorithm as > > the shared secret, concatenated or otherwise combined with the > > authentication secret-key if there was one. > > > Again, an incredibly insecure idea. > > Again, this is exactly what photuris is doing today. It's doing a > keyed hash using the shared secret as the "key" and other fields as > the "data". > Again, ditto. Bill.Simpson@um.cc.umich.edu Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
- Re: Regarding Bill's draft... another Bill's open… William Allen Simpson