RE: FW: 6MAN Adoption call on draft-rafiee-6man-ssas-07
"Hosnieh Rafiee" <ietf@rozanak.com> Mon, 25 November 2013 22:33 UTC
Return-Path: <ietf@rozanak.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D57FA1AE071 for <ipv6@ietfa.amsl.com>; Mon, 25 Nov 2013 14:33:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.301
X-Spam-Level:
X-Spam-Status: No, score=-1.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mKZA0JLAeF0g for <ipv6@ietfa.amsl.com>; Mon, 25 Nov 2013 14:33:47 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id 538C21ADF86 for <ipv6@ietf.org>; Mon, 25 Nov 2013 14:33:47 -0800 (PST)
Received: from kopoli (g225040039.adsl.alicedsl.de [92.225.40.39]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0MGTYO-1VpUYc2aB6-00DVsE; Mon, 25 Nov 2013 17:33:15 -0500
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Christian Huitema' <huitema@microsoft.com>, '6man' <ipv6@ietf.org>, 6man-chairs@tools.ietf.org, Michael Richardson <mcr+ietf@sandelman.ca>
References: <C1684DC4-3748-4B4C-A39F-3B8DB928645D@employees.org> <CEB3E7E4.28A01%elevyabe@cisco.com> <00a201cee6f5$926e6f10$b74b4d30$@rozanak.com> <528E6A0F.6040706@it.uc3m.es> <00aa01cee6f7$934cd640$b9e682c0$@rozanak.com> <528E7193.8010500@it.uc3m.es> <00ac01cee6fc$1dc12f70$59438e50$@rozanak.com> <528E7440.7090400@it.uc3m.es> <00bf01cee6fe$b9f1b430$2dd51c90$@rozanak.com> <528E78B5.8010209@it.uc3m.es> <00f001cee705$16921c10$43b65430$@rozanak.com> <528EFA70.7000800@it.uc3m.es> <001201cee753$11c5a370$3550ea50$@rozanak.com> <CAAfuxnJbmPQVS8BCWbUkmpBFhNHpH=xHLwqQ+nRR_ausL4oUcQ@mail.gmail.com> <004d01cee7c9$9d9e40c0$d8dac240$@rozanak.com> <C91E67751B1EFF41B857DE2FE1F68ABA2FBBECB0@tk5ex14mbxc272.redmond.corp.microsoft.com> <000601cee838$5c1621d0$14426570$@rozanak.com> <C91E67751B1EFF41B857DE2FE1F68ABA2FBBEF40@tk5ex14mbxc272.redmond.corp.microsoft.com>
In-Reply-To: <C91E67751B1EFF41B857DE2FE1F68ABA2FBBEF40@tk5ex14mbxc272.redmond.corp.microsoft.com>
Subject: RE: FW: 6MAN Adoption call on draft-rafiee-6man-ssas-07
Date: Mon, 25 Nov 2013 23:33:03 +0100
Message-ID: <006f01ceea2e$54e43440$feac9cc0$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKP31oxy+m4IowydrWZjP9sRIlA4AEoIxAUAiamPmIB3MIFWAGmI1ekAkjb0bUBfNo2jgGtLcg0AjFJKW8Bipx0dwGJRgIMAPe3pWYBqyOntAJ2/nKBAlCxwI4BDslnQwGNcEWUAqyNRmWXwqjSUA==
Content-Language: en-us
X-Provags-ID: V02:K0:JJ1JT71N1fLxWjJWlB/Duli0zQcFLsP9q+w0VYSAx/p hmwhAiN2lwH2vZFtacJNolK2JM2FSsbOBMUMQrUfb/qNEmZsep v2TR2sZbiTDmWytLlooXXfRH9wyBiOMUm2UTb3caa9GSfLoKB2 euSPSYfvD6Nr+i1u/dzrP7GAPJ6HFf82Gbvz/dfs5aV3ze+9of rAWF18qN0S3j4oOcRVCTv9CUBxuC9F9386ErrBUa9/zraU392A SzVeUHak9l4TSnl2ndEpgUCghr4JvMOxKLg2PTU5sLbL/orEhh oE7KVwiJlCusc37/vXQ8VJ8nFDexujJOVcEDHi+HS++Mw5m2/P FXpRdDL9iQKVpvQZCTJ8=
Cc: Erik Nordmark <nordmark@sonic.net>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Nov 2013 22:33:50 -0000
Hi Christian, If you think I did not understand the meaning of sec values, please refer to the vulnerability that I am talking in the following draft. Secondly, my whole research during the last years was about CGA and SeND. http://www.ietf.org/id/draft-rafiee-6man-cga-attack-00.txt > > > Sec value ignores so just consider sec value 0. It is not different > > what sec value you use. Attacker only uses sec value 0 and sha1 not sha2 or > n. > > Based on some suggestion, I am going to write an informational draft > > about CGA possible attacks and just refer to it in SSAS. > > Hosnieh, > > I have witnessed many discussions of CGA that stem from a misunderstanding > of the SEC mechanism, and this is clearly one of them. I understand that you > are very concerned with the CPU workload implied by the SEC mechanism, > and thus very motivated to find an alternative. Regrettably, mathematics stand > between you and your goal. > > The fundamental problem with the CGA approach, or any similar mechanism, > is that the 64 bits IID makes for a very weak proof. Whatever the mechanism, > it will take only 2^64 attempts to break it. If we follow NIST recommendations, > we should aim for 80 bits of proof today, and 128 bits soon. > > The CGA design addresses this problem with the SEC mechanism. The idea is > to embed both a signature and a puzzle in the IID. The signature's size is fixed, > but the puzzle can be made arbitrarily complex. With the specific design > picked for CGA, each successive increment of SEC is equivalent to adding 16 > bits to the identifier size, allowing deployments to remain secure in the > future. On the other hand, any design that fixes the proof size to a constant > number, such as 64 bits, is guaranteed to become obsolete in a short time. In > fact, one can argue that 64 bits is already insecure today. > > The puzzle has indeed a price, and the price has to be paid at the time of > address generation. It takes 2^16 attempts to find a key suitable for SEC=1, > 2^32 for SEC=2, and so on. On a PC, the 2^16 attempts take a fraction of a > second. On a mobile phone, with a slower processor, it arguably takes longer > and depletes the battery somewhat. But there are probably ways to > accelerate the process. Smartphone now have capable GPUs, the puzzle > resolution can be trivially parallelized, and thus could be accelerated using > the smart phone's GPU. > > The nice part of the CGA design is that it only requires the puzzle solving when > the address is generated, not when address ownership is verified. That makes > the design asymmetric: no cost for the communication partners, some cost at > generation time for the owner, huge cost for the attacker. > > The SEC protection works even on the collision attack. Yes, it takes an average > of 2^29.5 trials to find 2 keys and salts that hash to the same CGA address, > regardless of the value of the SEC field. But with SEC=N, each trial has a cost of > 2^(16*N), so the complexity of the collision attack is 2^(29.5 + 16*N). With a > simple 64 bit proof and no SEC, the cost would be 2^32. > > Any secure CGA variant will require some form of puzzle. 64 bits is just not > long enough. It is also clear that there will have to be a way to make the puzzle > more complex over time, as attacks just get better. For that reason, I am very > skeptical of the SSAS design, which lacks any such puzzle and locks the proof > to exactly 64 bits. I don't believe we should take a fundamentally insecure > design as a working group item. On the other hand, your draft brings a > number of clarifications on the SEND protocol work items, and that's very > valuable. If you could split out that part as for example "draft-rafiee-6man- > send," we would be very close to consensus. The problem is that the section that you're talking about "such as keeping public key in the node's cache, etc) is a part of SSAS to make it more secure and give it the security of the whole public key without increasing complexity or playing with its performance. It is like CGA that sec value is a part of that. It is how the algorithm works and it is what I thought to find a higher security values as the people who suggested CGA thought about sec value. The security of CGA algorithm is depends on the security of hash functions. If we assume that the attack on sec value (the new vulnerabilities that I wrote as a draft) does not exist, with SHA1 and sec value 1, you need to do brute force attacks maximum on 2^(31.5+16)=2^47.5 now compare this value with SSAS. We all know that for immediate deployment of CGA, the higher sec value will not be used since nobody are willing to wait for 3 hours for sec value 2. With our current situation, SSAS is more secure and faster than CGA (even sec value 1) and if also we consider the special cases where to also keep the public key in node's neighboring cache, then CGA cannot be comparable with SSAS. Secondly, you said that CGA IPR is no problem but we also saw in this mailinglist from other implementers that they do not like this CGA IPR, either it is free for sale nor not. What I understood, they do not like something have IPR and in most cases they are not being motivated to implement CGA with its current situation. Thirdly, To solve the current vulnerability of CGA, you need to change the protocol specification while in SSAS these problems are considered beforehand you do not need to do so. Finally, I agree that local security is really important but the question is that what is the cost providing it? SSAS can be used for all kinds of nodes either with limited resources, for mobile phones, etc. But CGA is not capable since it uses higher range of battery to generate just sec value 1. We all know that in future most devices are going to be smaller in size and unfortunately still the battery technology is not as advanced as it can support the heavy computation, the one like CGA so again the SeND deployment will be stopped because nobody is willing to use it on these devices while SSAS is for all devices either with limited resources or without. Either you are thinking about the current day or future, we need something simple but secure. You can improve CGA but how much?? SSAS with two process provide a high level of security that a node can expect but CGA might be able to do the same with considering a high cost. -----------smile---------- Hosnieh BTW, unfortunately I am unable to response your emails in the next 3 upcoming days since I have to attend a conference and travelling. Please consider delay on my responses.
- Re: Fwd: Fwd: 6MAN Adoption call on draft-rafiee-… Michael Richardson
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Ray Hunter
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Erik Nordmark
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Ray Hunter
- 6MAN Adoption call on draft-rafiee-6man-ssas-07 Ole Troan
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Erik Nordmark
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Dan Wing
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Christian Huitema
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Erik Nordmark
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Ray Hunter
- Re: [6MAN] 6MAN Adoption call on draft-rafiee-6ma… Warren Kumari
- Re: [6MAN] Re: 6MAN Adoption call on draft-rafiee… Warren Kumari
- Re: [6MAN] 6MAN Adoption call on draft-rafiee-6ma… Hosnieh
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Michael Richardson
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Tim Chown
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Brian E Carpenter
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Christian Huitema
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Ole Troan
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Christian Huitema
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Christian Huitema
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Ole Troan
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Ole Troan
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Eric Levy- Abegnoli (elevyabe)
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… 神明達哉
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… 神明達哉
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Brian E Carpenter
- Fwd: Fwd: 6MAN Adoption call on draft-rafiee-6man… marcelo bagnulo braun
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- RE: Fwd: 6MAN Adoption call on draft-rafiee-6man-… Hosnieh Rafiee
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… marcelo bagnulo braun
- Re: Fwd: 6MAN Adoption call on draft-rafiee-6man-… marcelo bagnulo braun
- Re: Fwd: 6MAN Adoption call on draft-rafiee-6man-… marcelo bagnulo braun
- RE: Fwd: 6MAN Adoption call on draft-rafiee-6man-… Hosnieh Rafiee
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… marcelo bagnulo braun
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- Re: Fwd: 6MAN Adoption call on draft-rafiee-6man-… marcelo bagnulo braun
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… marcelo bagnulo braun
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Tim Chown
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… marcelo bagnulo braun
- RE: Fwd: 6MAN Adoption call on draft-rafiee-6man-… Hosnieh Rafiee
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- Re: Fwd: 6MAN Adoption call on draft-rafiee-6man-… marcelo bagnulo braun
- RE: Fwd: 6MAN Adoption call on draft-rafiee-6man-… Hosnieh Rafiee
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Tim Chown
- FW: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee
- Re: Fwd: Fwd: 6MAN Adoption call on draft-rafiee-… Brian E Carpenter
- Re: FW: 6MAN Adoption call on draft-rafiee-6man-s… marcelo bagnulo braun
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Hosnieh Rafiee
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Eric Levy- Abegnoli (elevyabe)
- Re: FW: 6MAN Adoption call on draft-rafiee-6man-s… Dan Luedtke
- Re: Fwd: Fwd: 6MAN Adoption call on draft-rafiee-… Michael Richardson
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Eric Levy- Abegnoli (elevyabe)
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Hosnieh Rafiee
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Hosnieh Rafiee
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Christian Huitema
- Re: FW: 6MAN Adoption call on draft-rafiee-6man-s… marcelo bagnulo braun
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Hosnieh Rafiee
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Hosnieh Rafiee
- RE: Fwd: Fwd: 6MAN Adoption call on draft-rafiee-… Hosnieh Rafiee
- ug [was: 6MAN Adoption call on draft-rafiee-6man-… Brian E Carpenter
- RE: ug [was: 6MAN Adoption call on draft-rafiee-6… Hosnieh Rafiee
- Re: FW: 6MAN Adoption call on draft-rafiee-6man-s… marcelo bagnulo braun
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Hosnieh Rafiee
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Christian Huitema
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Hosnieh Rafiee
- RE: FW: 6MAN Adoption call on draft-rafiee-6man-s… Hosnieh
- Re: 6MAN Adoption call on draft-rafiee-6man-ssas-… Tina TSOU
- RE: 6MAN Adoption call on draft-rafiee-6man-ssas-… Hosnieh Rafiee