IETF Logo Mail Archive

Re: [keyassure] Opening issue #21: "Need to specify which crypto

Phillip Hallam-Baker <hallam@gmail.com> Tue, 08 March 2011 20:45 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C8F7B3A635F for <keyassure@core3.amsl.com>; Tue, 8 Mar 2011 12:45:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.564
X-Spam-Level:
X-Spam-Status: No, score=-3.564 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 99M9KAdJ1wwQ for <keyassure@core3.amsl.com>; Tue, 8 Mar 2011 12:45:52 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id EE4653A6359 for <keyassure@ietf.org>; Tue, 8 Mar 2011 12:45:51 -0800 (PST)
Received: by bwz13 with SMTP id 13so182137bwz.31 for <keyassure@ietf.org>; Tue, 08 Mar 2011 12:47:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=bKzwR/bVGxynoHA8ML0B/wqDqyhWKjmuabddzGXw9po=; b=rmAWum8hpGeY8mVloTTh7O3uwaZ5qL1Ld1JufdUuZwfmAJ7erubRw8mQXggA61huN4 rCKf2LcoA+Gt8E8HpjgP1BX0L8BAfVJwwFrLT+hwMUUfdcbclUKazAHITQ0RfSN5Ca+K K2bIdXZB8FJhNtLtttC1hKB8uipqIyyI7BysY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=dCkFFs/ZWXPkfXF0SffUOhC7+PB1RIRwGRFj/x3X5Ezg4vl+7LqNDsvltNOcSlD8o5 4fEP0TxffN+B4CMWfMTCMXc5ib4HiTsR9mxB+ZSC+HdDiDLFOI8wcCC8VBB1qkq9HCdK EDIlolz6voI3ODkRQloT/+osQvxjQPldY88Fk=
MIME-Version: 1.0
Received: by 10.204.59.140 with SMTP id l12mr4694449bkh.168.1299617226410; Tue, 08 Mar 2011 12:47:06 -0800 (PST)
Received: by 10.204.14.139 with HTTP; Tue, 8 Mar 2011 12:47:06 -0800 (PST)
In-Reply-To: <20110308180516.GC23708@vacation.karoshi.com.>
References: <B99194C1-6A2F-4378-835D-4E1096FB095A@icsi.berkeley.edu> <201103081657.p28GvYwq001089@fs4113.wdf.sap.corp> <20110308180516.GC23708@vacation.karoshi.com.>
Date: Tue, 08 Mar 2011 15:47:06 -0500
Message-ID: <AANLkTikUGM2T6n+M8DGpKvnq7Yf9e993hdtJfvwcjAzC@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: bmanning@vacation.karoshi.com
Content-Type: multipart/alternative; boundary="001636ed6d011fd7ff049dfeb7af"
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Opening issue #21: "Need to specify which crypto
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2011 20:45:53 -0000

Quite possibly, but most people know not to wait for IETF process before
deployment.

I don't like the idea of SHA2-512/256 because the new IV is going to require
people to use a different code library to get support and that may be
tricky.

Given that SHA2-512 is fastest on 64 bit machines and given that these are
now the mainstream, would it not make sense to simply go to SHA2-384 or
SHA2-512 as the only mandatory for the time being with the expectation of
adding in some flavor of SHA3 when that is possible?


I think we need to break this down in matrix fashion

1) Attack
    A compromise that could lead an attacker to break DANE.

2) Reputation
   A compromise that falls short of enabling an actual attack against DANE
but will lead to concerns amongst users and pressure for a new algorithm.
(c.f. demands to change HMAC-MD5 despite no evidence this is necessary).

3) Support
   Is the algorithm supported in standard cryptographic toolkits, is
widespread support to be expected in the future.

4) Performance
    Not really a factor for this application but will determine whether it
is used for other purposes.

5) Industry
   Is the algorithm THE industry standard or merely A standard.

SHA-1:  Good for 20 years on attack but unknown as far as reputation. Is the
main target of cryptanalysis at the moment. Support is universal.

SHA2-256: Good for 30+ years on attack and at least 10 for reputation.
Support is near universal.

SHA2-386: Good for 40+ years on attack and probably 30+ for reputation.
Support is near universal

SHA2-512: Good for 50+ years on attack but likely 20+ on reputation due to
the fact that if 512 bits is specified in a protocol it is difficult to
explain why less than 512 bits are necessary.

SHA3-*: Will be THE standard in some strength as far as we can predict.
While it is possible something else will beat SHA3, I can't see that
happening and people being happy with SHA2.

So my recommendation would be

1) Do not define any code point for SHA1.

2) Define code point for SHA2-384

3) Expect to support SHA3 in the future via some mechanism. Add it to the
draft if the competition schedule makes this practical.


As a general rule I would prefer to only define IANA code points for
algorithms that the IETF REQUIRES.

I would support all other crypto by reserving one code point for specifying
algorithms by means of ASN.1 OID prefix.

The reason for doing that is that it means that the group does not need to
consider the inevitable requests to support other algorithms or deal with
the damage caused when a refusal is ignored.

We cannot stop the Russian federation from using GOST but we can stop them
getting a reserved code point.

On Tue, Mar 8, 2011 at 1:05 PM, <bmanning@vacation.karoshi.com> wrote:

> On Tue, Mar 08, 2011 at 05:57:34PM +0100, Martin Rex wrote:
> >
> > It fosters on the premise that SHA-1 is completely and throroughly
> > broken and SHA-256 impaired by more serious attacks than currently
> > known for SHA-1 _long_ before a SHA-3 finalist is selected.
> >
> >
> > -Martin
>
>        my working analog here is that you don't shoot at a moving
>        target - you shoot ahead of it.
>
>        given the pace of the IETF processes, I fully expect there will
>        be a SHA-3 finalist selected before this spec lands.  (YMMV of
> course)
>
> --bill
> _______________________________________________
> keyassure mailing list
> keyassure@ietf.org
> https://www.ietf.org/mailman/listinfo/keyassure
>



-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email