答复: RE: RE: about security level evaluation of draft-zhou-6man-mhash-cga-00

zhou.sujing@zte.com.cn Mon, 09 April 2012 05:30 UTC

Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8A7E21F85DF for <ipv6@ietfa.amsl.com>; Sun, 8 Apr 2012 22:30:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -92.19
X-Spam-Level:
X-Spam-Status: No, score=-92.19 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, HTML_MESSAGE=0.001, J_CHICKENPOX_39=0.6, MIME_8BIT_HEADER=0.3, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, RCVD_DOUBLE_IP_LOOSE=0.76, SARE_SUB_ENC_GB2312=1.345, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RhMYU3-mc-hT for <ipv6@ietfa.amsl.com>; Sun, 8 Apr 2012 22:30:07 -0700 (PDT)
Received: from mx5.zte.com.cn (mx5.zte.com.cn [63.217.80.70]) by ietfa.amsl.com (Postfix) with ESMTP id 42E8D21F8608 for <ipv6@ietf.org>; Sun, 8 Apr 2012 22:30:02 -0700 (PDT)
Received: from [192.168.164.15] by mx5.zte.com.cn with surfront esmtp id 621291320096835; Mon, 9 Apr 2012 13:29:43 +0800 (CST)
Received: from [10.30.3.21] by [192.168.164.15] with StormMail ESMTP id 14085.5338359427; Mon, 9 Apr 2012 13:14:38 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id q395TnIW093117; Mon, 9 Apr 2012 13:29:49 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
In-Reply-To: <C91E67751B1EFF41B857DE2FE1F68ABA03CD1BAE@tk5ex14mbxc272.redmond.corp.microsoft.com>
To: Christian Huitema <huitema@microsoft.com>
Subject: =?GB2312?B?tPC4tDogUkU6IFJFOiBhYm91dCBzZWN1cml0eSBsZXZlbCBldmFsdWF0aW9u?= =?GB2312?B?IG9mICBkcmFmdC16aG91LTZtYW4tbWhhc2gtY2dhLTAw?=
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OFEB23C165.38BEF108-ON482579DB.001B4C6C-482579DB.001E383D@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Mon, 9 Apr 2012 13:29:49 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.1FP4|July 25, 2010) at 2012-04-09 13:29:51, Serialize complete at 2012-04-09 13:29:51
Content-Type: multipart/alternative; boundary="=_alternative 001E383B482579DB_="
X-MAIL: mse02.zte.com.cn q395TnIW093117
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2012 05:30:08 -0000

Hi,Huitema,


Regards~~~

-Sujing Zhou

Christian Huitema <huitema@microsoft.com> 写于 2012-03-29 08:23:38:

> Sujin,
> 
> Your statement  “after attacker has cracked a CGA address, then it 
> is in the same stand as the defender” is incorrect. The attacker 

Thank your for pointing out one of my omission that failing to recall the 
same value "modifier" is used in both HASH1 and HASH2. 

> will not need 65536 additional trials; he will need to find a 
> matching CGA address 65536 times, and each trial is just as complex 
> as finding a matching CGA address. The defender on the other hand 
> can pick any CGA address he wants, so he has to perform just 65536 
trials.
> 

You may have a misundertand about my words.
By "cracked a CGA address", I mean the attacker has obtained another pair 
of public key and private key of his own, and has managed to 
find a suitable "modifer " so that the computated CGA address equals the 
CGA address under attack.
Yes, I did not recall that the same modifier value is to be used in the 
computation of HASH2, so there is little manipulation space for the 
attacker to try a new modifier.

But I don't agree with you in  "each trial is just as complex as finding a 
matching CGA address."
suppose we define a new hash algorithm:
H'(modifier,public key, extension fields, subnet-prefix,collision count)
=HASH2(modifier,0,public key,extension 
fields)||HASH1(modifer,subnet-prefix,collision-count, public key, 
extension fields)
Is this new hash algorithm much much more secure than any one of its 
components?
If it is ,then we have found a good design method of hash algorithm.

As pointed out  by Tim Polk(?) when introducing SHA-3 progress at SAAG 
meeting this time, it is better to be algorithm agile before it is too 
late, 
too much replace cost will be required.

So, I suggest the earlier the problem resolved, the better. 


> -- Christian Huitema





> 
> 
> 
> From: zhou.sujing@zte.com.cn [mailto:zhou.sujing@zte.com.cn] 
> Sent: Wednesday, March 28, 2012 4:46 AM
> To: Christian Huitema
> Cc: ipv6@ietf.org; Jari Arkko
> Subject: 答复: RE: about security level evaluation of draft-
> zhou-6man-mhash-cga-00
> 
> 
> Regards~~~
> 
> -Sujing Zhou 
> 
> Christian Huitema <huitema@microsoft.com> 写于 2012-03-27 23:00:09:
> 
> > > Well, I think it is quite a simple trade-off. Increasing Sec 
> > increases computational effort on both sides by equal amount. 
> > Increasing the length of 
> > > the hash increases computational effort only on the attacker side.
> > As a result, the hash bits are relatively valuable.
> > 
> > Jari, the effect of sec is different on both sides. The effort is 
> > not increased "by equal amount" but rather "in the same proportion."
> > Suppose that an attacker could crack the 59 bit hash in a day with 
> > sec=0. Adding sec = 1 means that the attacker will have to try 65536
> > times as many keys. The time to crack becomes 65536 hours, i.e. 
> > about 7 years. The defender will have to try 65536 instead of one to
> > get the right sec, taking only  a fraction of a second. 
> 
> after attacker has cracked a CGA address, then it is in the same 
> stand as the defender. 
> defender, as well as attacker, has to try one by one to get the 
> right sec, i.e., to get a matching length of zeros, 
> how come attacker need extra 65536 hours but defender only needs a 
> fraction of a second? 
> 
> > > 1) Status quo: RFC 4982 eats three bits for Sec, leaving 59 bits 
> > of hash length after accommodating for u and g bits as well. The 
> > good with this is 
> > > that it leaves maximum size for hash. The bad is that it is less 
> > flexible for adding many new hash algorithms.
> > 
> > I kind of like the status quo.
> > 
> > > 2) The proposed new approach: Eat a total of six bits, for Sec and
> > the hash algorithm identifier. 56 bits remain. The good is that this
> > gives more 
> > > flexibility to allocate hash algorithms, including the ability to 
> > independently choose Sec and the algorithm. The bad is that the 
> hash size is 
> > > decreased.
> > 
> > Decreased a lot. On the other hand, if we do gain the flexibility to
> > define new algorithms, then we can define a mandatory-to-implement 
> > algorithm that incorporates the equivalent of the "sec" strengthening.
> 
> the security of a hash algo can be roughly estimated by length of its 
output,
> from birthday attack, that is about 2^(59/2) or 2^(56/2)(theorical 
> estimate), or less, 
> can you give a more precise of value of "a lot"? 
> I don't see flexibility in defining mandatory-to-implementing hash alg 
> 
> > -- Christian Huitema
> > 
> > 
> > 
> >