Re: [keyassure] Opening issue #21: "Need to specify which crypto

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 02 March 2011 23:16 UTC

Message-ID: <4D6ECFF5.7030507@cs.tcd.ie>
Date: Wed, 02 Mar 2011 23:17:09 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <AANLkTikHANKvT49P5RUwjxRt5oEMFxV5dYQLcCXixLSA@mail.gmail.com> <201103021724.p22HOttB009647@fs4113.wdf.sap.corp> <AANLkTimuo1fjW7QQffK5ah4_Bw0LUXoRzVaULbCmpzUU@mail.gmail.com> <4DD7F1F3-476F-4C2F-9DCD-6A6678045C69@cs.tcd.ie> <AANLkTinsXqdKgmo4=1kruFhNi1gTydTwhg1cZxFM0qo7@mail.gmail.com>
In-Reply-To: <AANLkTinsXqdKgmo4=1kruFhNi1gTydTwhg1cZxFM0qo7@mail.gmail.com>
Cc: "keyassure@ietf.org" <keyassure@ietf.org>
Subject: Re: [keyassure] Opening issue #21: "Need to specify which crypto
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>

I think this is a good enough statement of the situation as I
understand it.

Thanks,
S.

On 02/03/11 23:09, Phillip Hallam-Baker wrote:
> What I meant to write was that SHA1 is only marginally more secure
> than MD5 was when we decided to stop using it. Obviously with 32 extra
> bits it is harder to break.
> 
> 
> If you look at the internals of SHA1-0, the original proposal, you
> will find that it is in effect simply MD5 with an additional set of
> state variables to extend the size to 160 bits.
> 
> The spec was amended to add in an additional expansion function before
> it was approved. In a private conversation in 1995 at the time the
> Dobbertin attack was first circulated, Rivest was of the opinion that
> this would make it somewhat more resistant to the Dobbertin attack but
> not considerably so.
> 
> 
> While the attacks on SHA1 are currently theoretical, they are rapidly
> approaching the point at which we started to decide that use of MD5
> should be avoided.
> 
> Further, even though we stopped using MD5 in the mid 90s, it is still
> possible to use MD5 securely but doing so requires considerable
> attention to other security precautions. So even if there is a
> theoretical break of SHA1 we are hardly in a situation where we will
> face an immediate crisis.
> 
> If SHA1 is 'broken' tomorrow it is likely going to be 2020 before
> there is a practical exploit based on that attack. But that is not
> reason for complacency as it is likely to take us a decade to dig our
> way out of using SHA1.
> 
> 
> On Wed, Mar 2, 2011 at 4:37 PM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
>>
>>
>> On 2 Mar 2011, at 21:24, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>
>>> Which is why I am arguing it is time to withdraw SHA1 from service. It
>>> is only marginally more secure than MD5.
>>
>> "Marginally"? Evidence please? I don't think exaggeration helps your case.
>>
>> S
>>
>>
>>>
>>>
>>>
>>> On Wed, Mar 2, 2011 at 12:24 PM, Martin Rex <mrex@sap.com> wrote:
>>>> Phillip Hallam-Baker wrote:
>>>>>
>>>>> The use of MD2 in a self signed cert has little risk as far as use of
>>>>> the cert itself goes since it only serves as proof of possession which
>>>>> is only relevant when the browser provider chooses to install it in
>>>>> the browser.
>>>>
>>>> In the universe where I live, there exist collision attacks against MD2.
>>>> (check http://en.wikipedia.org/wiki/MD2_%28cryptography%29)
>>>>
>>>> So an RSA-key for which a PKCS#1 encrypted MD2 signature has been
>>>> published is a real security problem and ought to have been discarded
>>>> long ago.
>>>>
>>>> Else someone could try to use the preimage attack to issue himself
>>>> an intermediate CA cert under such a root cert, reusing the md2-based
>>>> signature on the RootCA cert.
>>>>
>>>> I would REALLY like to kill md2withRsaEncryption as a digital
>>>> signature algorithm from our PKI implementation, like I did
>>>> with all of md4-based digital signature algorithms.
>>>>
>>>>
>>>> Getting rid of "tainted" RSA keys is also important.
>>>>
>>>> Why do you think that FIPS 186-3 says that you are not allowed
>>>> to use an RSA keypair for both PKCS-v1.5 and PKCS-PSS signatures?
>>>> Because you "taint" your RSA key on the first time that you use it
>>>> for a weak scheme.
>>>>
>>>> -Martin
>>>>
>>>
>>>
>>>
>>> --
>>> Website: http://hallambaker.com/
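The practical takeaway from the thread above (retire md2/md4/md5-based signatures, and plan the exit from SHA-1 before it is needed) is an inventory problem: you have to find which certificates in a store still carry those signature algorithms. The following is an added example, not code from this thread or from any of its participants. It parses the signatureAlgorithm of a DER-encoded X.509 certificate with a minimal, dependency-free DER reader, classifies the OID against a small table, and also reports the RFC 5280 inconsistency where the outer signatureAlgorithm differs from tbsCertificate.signature. The OIDs in the tables are the real PKCS#1 / RFC 3279 / RFC 4055 / RFC 5758 values; the certificates it audits in the demo are constructed skeletons built by `build_sample_certificate`, not real certificates, and the code inspects the algorithm identifier only and verifies nothing.

```python
"""Added example (not from the keyassure thread): audit the signature algorithm of
DER-encoded X.509 certificates and flag digests the thread argues should be retired
(MD2, MD4, MD5, SHA-1).  Dependency-free: a minimal DER reader, an OID codec and a
tiny DER builder used only to construct synthetic sample certificates.  It inspects
the AlgorithmIdentifier only; it does not verify signatures."""

# Real signature-algorithm OIDs (PKCS#1, RFC 3279, RFC 4055, RFC 5758).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
ACCEPTABLE_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(data, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arc 0/1/2 assumed)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs, high bit = more)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(digits))
    return der(0x06, bytes(out))


def build_sample_certificate(sig_oid, tbs_sig_oid=None):
    """Constructed sample: a DER Certificate skeleton whose outer signatureAlgorithm is
    sig_oid.  tbs_sig_oid builds the mismatch case RFC 5280 4.1.1.2 forbids.  The
    tbsCertificate carries only version, serialNumber and signature, and the
    signatureValue is dummy bytes, so this is not a verifiable certificate."""
    outer_alg = der(0x30, encode_oid(sig_oid) + b"\x05\x00")              # NULL params
    inner_alg = der(0x30, encode_oid(tbs_sig_oid or sig_oid) + b"\x05\x00")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                          # [0] version v3
                    + der(0x02, b"\x01")                                   # serialNumber
                    + inner_alg)                                           # signature
    return der(0x30, tbs + outer_alg + der(0x03, b"\x00" + bytes(16)))    # BIT STRING


def audit_certificate(cert_der):
    """Return {'oid', 'name', 'verdict'} for one DER certificate.  verdict is 'weak',
    'ok', 'unknown', or 'mismatch' when tbsCertificate.signature differs from the
    outer signatureAlgorithm (RFC 5280 requires them to be equal)."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert)                    # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)           # signatureAlgorithm
    oid = decode_oid(read_tlv(outer_alg)[1])
    # Inside the TBS, signature follows the optional [0] version and the serialNumber.
    t, _, p = read_tlv(tbs)
    if t == 0xA0:
        _, _, p = read_tlv(tbs, p)
    inner_oid = decode_oid(read_tlv(read_tlv(tbs, p)[1])[1])
    if inner_oid != oid:
        verdict = "mismatch"
    elif oid in WEAK_SIGNATURE_OIDS:
        verdict = "weak"
    elif oid in ACCEPTABLE_SIGNATURE_OIDS:
        verdict = "ok"
    else:
        verdict = "unknown"
    name = WEAK_SIGNATURE_OIDS.get(oid) or ACCEPTABLE_SIGNATURE_OIDS.get(oid, oid)
    return {"oid": oid, "name": name, "verdict": verdict}


def audit_store(certs):
    """Audit a sequence of DER certificates; weak and mismatched ones are listed first."""
    findings = [audit_certificate(c) for c in certs]
    return sorted(findings, key=lambda f: f["verdict"] not in ("weak", "mismatch"))


if __name__ == "__main__":
    store = [build_sample_certificate(o) for o in ("1.2.840.113549.1.1.2",
                                                  "1.2.840.113549.1.1.5",
                                                  "1.2.840.113549.1.1.11")]
    for finding in audit_store(store):
        print(finding)
```

Against real certificates, feed `audit_store` the DER bytes of each trust-store or key-store entry (PEM needs the base64 body decoded first). An "unknown" verdict only means the OID is outside the small table above, so extend the tables rather than treating "unknown" as safe; a "mismatch" verdict is worth treating as a parsing or tampering problem in its own right, independent of how strong the digest is.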