Re: Standardize RSA/SHA256 ?
Ólafur Guðmundsson /DNSEXT co-chair <ogud@ogud.com> Fri, 12 May 2006 14:54 UTC
From: Ólafur Guðmundsson /DNSEXT co-chair <ogud@ogud.com>
Subject: Re: Standardize RSA/SHA256 ?
Date: Fri, 12 May 2006 10:54:07 -0400
Lines: 47
References: <6.2.5.6.2.20060508094001.03182b80@ogud.com> <Pine.LNX.4.44.0605091629550.31070-100000@citation2.av8.net> <87vesecle7.fsf@latte.josefsson.org> <44644DBB.3080605@NLnetLabs.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-From: owner-namedroppers@ops.ietf.org Fri May 12 17:04:34 2006
Return-path: <owner-namedroppers@ops.ietf.org>
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.1.1
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
To: Jelte Jansen <jelte@NLnetLabs.nl>, namedroppers@ops.ietf.org
In-Reply-To: <44644DBB.3080605@NLnetLabs.nl>
References: <6.2.5.6.2.20060508094001.03182b80@ogud.com> <Pine.LNX.4.44.0605091629550.31070-100000@citation2.av8.net> <87vesecle7.fsf@latte.josefsson.org> <44644DBB.3080605@NLnetLabs.nl>
X-Scanned-By: MIMEDefang 2.56 on 66.92.146.160
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Message-ID:
Message-ID: <20140418072200.2560.49616.ARCHIVE@ietfa.amsl.com>
At 04:56 12/05/2006, Jelte Jansen wrote: > > > >> For the above reasons, I think that we have time to consider the > >> correct course of action. There is no need to rush into more > >> algorithms which require more code on nameservers and resolvers. > > > > Yes, or at least, we need to document a more compelling reason to do > > RSA-SHA-265. > > > >So why is this an issue for RSA/SHA256, and not for >draft-ietf-dnsext-ds-sha256-05.txt, which also makes SHA256 mandatory? <Chair-hat=on> The issues here are slightly different. DS digest is the SAME for the lifetime of the DS record. Digest inside a RRSIG is going to be different each time the signature is regenerated for that set, thanks to the different signature lifespan timers. Thus in the case of DS an attacker has much longer to be able to generate a DNSKEY that has a matching DS digest to an existing one. The WG was advised by our Security Area Advisor (Russ Housley) that any use of SHA-1 without HMAC wrapper should be retired. As DS was the most vulnerable the chairs got that effort stared on the spot and RFC4509 should be published any day now. <Chair-hat=off> A mitigating fact that RRSIG is not as vulnerable as plain text, against the known SHA1 attacks, is the structured data format of an RRset. Having said that if attack on RRSIG digest, or other structured formats, is valuable enough some smart people will figure out a way to design such an attack. Following up on Hilarie and Rip's messages: One part of the security analysis should be how long signature lifetime can be for the different digest algorithms used as a function of time. This is similar to what is available for lengths of public keys. Olafur -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- RE: Standardize RSA/SHA256 ? Hallam-Baker, Phillip
- Re: Standardize RSA/SHA256 ? Wes Hardaker
- Re: Standardize RSA/SHA256 ? Ólafur Guðmundsson /DNSEXT co-chair
- Standardize RSA/SHA256 ? Ólafur Guðmundsson /DNSEXT co-chair
- Re: Standardize RSA/SHA256 ? Russ Mundy
- Re: Standardize RSA/SHA256 ? Francis Dupont
- Re: Standardize RSA/SHA256 ? Rob Austein
- Re: Standardize RSA/SHA256 ? Mike StJohns
- RE: Standardize RSA/SHA256 ? Hallam-Baker, Phillip
- Re: Standardize RSA/SHA256 ? Hilarie Orman
- Re: Standardize RSA/SHA256 ? Simon Josefsson
- Re: Standardize RSA/SHA256 ? Dean Anderson
- Re: Standardize RSA/SHA256 ? Simon Josefsson
- Re: Standardize RSA/SHA256 ? Ben Laurie
- Re: Standardize RSA/SHA256 ? Simon Josefsson
- RE: Standardize RSA/SHA256 ? Loomis, Rip
- RE: Standardize RSA/SHA256 ? Hallam-Baker, Phillip
- Re: Standardize RSA/SHA256 ? Jelte Jansen
- Re: Standardize RSA/SHA256 ? Simon Josefsson
- Re: Standardize RSA/SHA256 ? Ólafur Guðmundsson /DNSEXT co-chair
- Re: Standardize RSA/SHA256 ? Ben Laurie
- Re: Standardize RSA/SHA256 ? Mike StJohns
- Re: Standardize RSA/SHA256 ? Mark Feldman
- Re: Standardize RSA/SHA256 ? Chris Thompson
- Re: Standardize RSA/SHA256 ? Hallam-Baker, Phillip
- Re: Standardize RSA/SHA256 ? Ben Laurie
- Re: Standardize RSA/SHA256 ? Ben Laurie
- RE: Standardize RSA/SHA256 ? Hallam-Baker, Phillip
- Re: Standardize RSA/SHA256 ? Ólafur Guðmundsson /DNSEXT co-chair