[Mipshop] Your Opinion on RSA Key Length for CGA/CBA Protocol
Christian Vogt <chvogt@tm.uka.de> Sat, 04 November 2006 13:14 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GgLM0-0007Kx-5S; Sat, 04 Nov 2006 08:14:32 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GgLLz-0007Ks-7S for mipshop@ietf.org; Sat, 04 Nov 2006 08:14:31 -0500
Received: from iramx2.ira.uni-karlsruhe.de ([141.3.10.81]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GgLLt-000061-JN for mipshop@ietf.org; Sat, 04 Nov 2006 08:14:31 -0500
Received: from irams1.ira.uni-karlsruhe.de ([141.3.10.5]) by iramx2.ira.uni-karlsruhe.de with esmtps id 1GgLLh-0006EH-Lx; Sat, 04 Nov 2006 14:14:16 +0100
Received: from i72ms2.tm.uni-karlsruhe.de ([141.3.70.17] helo=smtp.ipv6.tm.uni-karlsruhe.de) by irams1.ira.uni-karlsruhe.de with esmtps id 1GgLLh-0004h1-BZ; Sat, 04 Nov 2006 14:14:13 +0100
Received: from [IPv6:2001:638:204:6:20c:6eff:fe40:8d95] (archimedes.ipv6.tm.uni-karlsruhe.de [IPv6:2001:638:204:6:20c:6eff:fe40:8d95]) by smtp.ipv6.tm.uni-karlsruhe.de (Postfix) with ESMTP id 37527B4F7; Sat, 4 Nov 2006 14:14:12 +0100 (CET)
Message-ID: <454C9223.8060009@tm.uka.de>
Date: Sat, 04 Nov 2006 14:14:11 +0100
From: Christian Vogt <chvogt@tm.uka.de>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.0.7) Gecko/20060911 SUSE/1.5.0.7-0.1 Thunderbird/1.5.0.7 Mnenhy/0.7.4.0
MIME-Version: 1.0
To: Mipshop <mipshop@ietf.org>
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -4.2 (----)
X-Spam-Status: No
X-Spam-Report: -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000] 0.2 AWL AWL: From: address is in the auto white-list
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 92df29fa99cf13e554b84c8374345c17
Cc: Wassim Haddad <whaddad@tcs.hut.fi>, Jari Arkko <jari.arkko@piuha.net>
Subject: [Mipshop] Your Opinion on RSA Key Length for CGA/CBA Protocol
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org
Hi everybody, the CGA/CBA protocol spec [draft-ietf-mipshop-cga-cba-01] currently stipulates a requirement for a minimum RSA key length of 384 bits. This might be too short, however, as discussed recently with Zhen Cao [1]. The reasons why longer RSA keys may be needed are also explained in [1]. [1] http://www1.ietf.org/mail-archive/web/mipshop/current/msg02929.html This email is to solicit expert opinions on (i) which minimum key length would be appropriate today for the CGA/CBA protocol, and (ii) how to enforce this minimum. My personal opinion is that the current 384-bit minimum key length is too small (see [1] for an explanation), and that it should be increased to 1024 bit for the CGA/CBA protocol. There are 3 options for enforcing a higher minimum key length: (1) Specify a higher minimum key length as part of the CGA/CBA protocol. (2) Let the correspondent node set the minimum key length, and specify an error code in the CGA/CBA protocol which the correspondent node can use in Binding Acknowledgment messages to inform a mobile node that its public key is too short. The mobile node can then either generate a longer RSA key pair and try again, or it can fall back to a standard IPv6 home address. The CGA/CBA protocol draft already covers the case where the home address is not a CGA. (3) Extend the CGA Sec registry entry specified in [draft-bagnulo-multiple-hash-cga-01] by a minimum key length. This would enable the mobile node to set the key length and force an attacker to use the same key length. (If you allow the mobile node to set the key length without encoding the key length into the CGA, then there is nothing that prevents an attacker from spoofing the CGA with a shorter key pair. In other words, downgrading attacks would be possible.) Option (1) is easy to realize, but not crypto agile. Option (2) provides crypto agility, but the mobile node's security hinges on the correspondent node to enforce an appropriate minimum key length. The beauty of option (3) is that it is crypto agile AND enables the mobile node to select a minimum key length (by choosing the right Sec value). My personal preference is hence to go with option (3). We will put these 3 options again on the table during the Mipshop session, and it would be great if folks could speak out---either directly during the session or on this mailing list---with respect to (i) which of the above 3 options they think is most appropriate, and (ii) what minimum key length would be reasonable to suggest today for the CGA/CBA protocol. Note that the keys must be good for at least 24 hours, since this is the maximum lifetime of a correspondent registration permitted in the CGA/CBA protocol. Of course, it would be good if the keys were secure for much longer than 24 hours, so that mobile nodes can use the same keys again in subsequent correspondent registrations. Thanks! - Christian PS: I won't be in San Diego myself, so Wassim will give the Mipshop presentation. Nonetheless, I wish all of you a successful and fun meeting over there! -- Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH) www.tm.uka.de/~chvogt/pubkey/ _______________________________________________ Mipshop mailing list Mipshop@ietf.org https://www1.ietf.org/mailman/listinfo/mipshop
- [Mipshop] Your Opinion on RSA Key Length for CGA/… Christian Vogt
- Re: [Mipshop] Your Opinion on RSA Key Length for … Jari Arkko
- Re: [Mipshop] Your Opinion on RSA Key Length for … Christian Vogt
- Re: [Mipshop] Your Opinion on RSA Key Length for … marcelo bagnulo braun