RE: RE: about security level evaluation of draft-zhou-6man-mhash-cga-00
Christian Huitema <huitema@microsoft.com> Thu, 29 March 2012 00:23 UTC
Return-Path: <huitema@microsoft.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0A6021E80F1 for <ipv6@ietfa.amsl.com>; Wed, 28 Mar 2012 17:23:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.497
X-Spam-Level:
X-Spam-Status: No, score=-1.497 tagged_above=-999 required=5 tests=[AWL=-2.102, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V2rD5yJ+qjUn for <ipv6@ietfa.amsl.com>; Wed, 28 Mar 2012 17:23:55 -0700 (PDT)
Received: from db3outboundpool.messaging.microsoft.com (db3ehsobe001.messaging.microsoft.com [213.199.154.139]) by ietfa.amsl.com (Postfix) with ESMTP id 5FEEB21E80B9 for <ipv6@ietf.org>; Wed, 28 Mar 2012 17:23:54 -0700 (PDT)
Received: from mail54-db3-R.bigfish.com (10.3.81.254) by DB3EHSOBE001.bigfish.com (10.3.84.21) with Microsoft SMTP Server id 14.1.225.23; Thu, 29 Mar 2012 00:23:52 +0000
Received: from mail54-db3 (localhost [127.0.0.1]) by mail54-db3-R.bigfish.com (Postfix) with ESMTP id 6C6D016047C; Thu, 29 Mar 2012 00:23:52 +0000 (UTC)
X-SpamScore: -30
X-BigFish: VS-30(zz9371Ic89bh936eKc85bh1432Nzz1202hzz1033IL6d524h8275bh8275dhz2fh2a8h668h839hd25h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC103.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail54-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=huitema@microsoft.com; helo=TK5EX14MLTC103.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail54-db3 (localhost.localdomain [127.0.0.1]) by mail54-db3 (MessageSwitch) id 1332980630260111_12277; Thu, 29 Mar 2012 00:23:50 +0000 (UTC)
Received: from DB3EHSMHS011.bigfish.com (unknown [10.3.81.226]) by mail54-db3.bigfish.com (Postfix) with ESMTP id 3CC321E0165; Thu, 29 Mar 2012 00:23:50 +0000 (UTC)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS011.bigfish.com (10.3.87.111) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 29 Mar 2012 00:23:49 +0000
Received: from TK5EX14MBXC272.redmond.corp.microsoft.com ([169.254.2.3]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.02.0283.004; Thu, 29 Mar 2012 00:23:39 +0000
From: Christian Huitema <huitema@microsoft.com>
To: "zhou.sujing@zte.com.cn" <zhou.sujing@zte.com.cn>
Subject: RE: RE: about security level evaluation of draft-zhou-6man-mhash-cga-00
Thread-Topic: RE: about security level evaluation of draft-zhou-6man-mhash-cga-00
Thread-Index: AQHNDCUWKLxARtLzBUSojhXcXZo3xpZ+nkYwgAD6AICAANIHoA==
Date: Thu, 29 Mar 2012 00:23:38 +0000
Message-ID: <C91E67751B1EFF41B857DE2FE1F68ABA03CD1BAE@tk5ex14mbxc272.redmond.corp.microsoft.com>
References: <C91E67751B1EFF41B857DE2FE1F68ABA03CCFA91@tk5ex14mbxc272.redmond.corp.microsoft.com> <OF414A1785.6C8C6FB1-ONC12579CF.003FC355-C12579CF.00409BA8@zte.com.cn>
In-Reply-To: <OF414A1785.6C8C6FB1-ONC12579CF.003FC355-C12579CF.00409BA8@zte.com.cn>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.73]
Content-Type: multipart/alternative; boundary="_000_C91E67751B1EFF41B857DE2FE1F68ABA03CD1BAEtk5ex14mbxc272r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 00:23:55 -0000
Sujin, Your statement “after attacker has cracked a CGA address, then it is in the same stand as the defender” is incorrect. The attacker will not need 65536 additional trials; he will need to find a matching CGA address 65536 times, and each trial is just as complex as finding a matching CGA address. The defender on the other hand can pick any CGA address he wants, so he has to perform just 65536 trials. -- Christian Huitema From: zhou.sujing@zte.com.cn [mailto:zhou.sujing@zte.com.cn] Sent: Wednesday, March 28, 2012 4:46 AM To: Christian Huitema Cc: ipv6@ietf.org; Jari Arkko Subject: 答复: RE: about security level evaluation of draft-zhou-6man-mhash-cga-00 Regards~~~ -Sujing Zhou Christian Huitema <huitema@microsoft.com<mailto:huitema@microsoft.com>> 写于 2012-03-27 23:00:09: > > Well, I think it is quite a simple trade-off. Increasing Sec > increases computational effort on both sides by equal amount. > Increasing the length of > > the hash increases computational effort only on the attacker side. > As a result, the hash bits are relatively valuable. > > Jari, the effect of sec is different on both sides. The effort is > not increased "by equal amount" but rather "in the same proportion." > Suppose that an attacker could crack the 59 bit hash in a day with > sec=0. Adding sec = 1 means that the attacker will have to try 65536 > times as many keys. The time to crack becomes 65536 hours, i.e. > about 7 years. The defender will have to try 65536 instead of one to > get the right sec, taking only a fraction of a second. after attacker has cracked a CGA address, then it is in the same stand as the defender. defender, as well as attacker, has to try one by one to get the right sec, i.e., to get a matching length of zeros, how come attacker need extra 65536 hours but defender only needs a fraction of a second? > > 1) Status quo: RFC 4982 eats three bits for Sec, leaving 59 bits > of hash length after accommodating for u and g bits as well. The > good with this is > > that it leaves maximum size for hash. The bad is that it is less > flexible for adding many new hash algorithms. > > I kind of like the status quo. > > > 2) The proposed new approach: Eat a total of six bits, for Sec and > the hash algorithm identifier. 56 bits remain. The good is that this > gives more > > flexibility to allocate hash algorithms, including the ability to > independently choose Sec and the algorithm. The bad is that the hash size is > > decreased. > > Decreased a lot. On the other hand, if we do gain the flexibility to > define new algorithms, then we can define a mandatory-to-implement > algorithm that incorporates the equivalent of the "sec" strengthening. the security of a hash algo can be roughly estimated by length of its output, from birthday attack, that is about 2^(59/2) or 2^(56/2)(theorical estimate), or less, can you give a more precise of value of "a lot"? I don't see flexibility in defining mandatory-to-implementing hash alg > -- Christian Huitema > > > >
- Meta comment about "3484bis and privacy addresses" Fernando Gont
- about security level evaluation of draft-zhou-6ma… zhou.sujing
- Re: about security level evaluation of draft-zhou… Jari Arkko
- Re: Meta comment about "3484bis and privacy addre… Dominik Elsbroek
- 答复: Re: about security level evaluation of draft-… zhou.sujing
- draft-gont-6man-stable-privacy-addresses (was: Re… Fernando Gont
- Re: draft-gont-6man-stable-privacy-addresses (was… Jong-Hyouk Lee
- Re: Meta comment about "3484bis and privacy addre… Brian Haberman
- RE: about security level evaluation of draft-zhou… Christian Huitema
- Re: about security level evaluation of draft-zhou… Jari Arkko
- 答复: RE: about security level evaluation of draft-… zhou.sujing
- RE: RE: about security level evaluation of draft-… Christian Huitema
- 答复: RE: RE: about security level evaluation of dr… zhou.sujing
- RE: RE: RE: about security level evaluation of dr… Christian Huitema