Re: [openpgp] Followup on fingerprints
Bill Frantz <frantz@pwpconsult.com> Sun, 09 August 2015 21:51 UTC
Return-Path: <frantz@pwpconsult.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED72E1A21AF for <openpgp@ietfa.amsl.com>; Sun, 9 Aug 2015 14:51:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BXwhwaZXQnn5 for <openpgp@ietfa.amsl.com>; Sun, 9 Aug 2015 14:51:57 -0700 (PDT)
Received: from elasmtp-masked.atl.sa.earthlink.net (elasmtp-masked.atl.sa.earthlink.net [209.86.89.68]) by ietfa.amsl.com (Postfix) with ESMTP id 409101A219C for <openpgp@ietf.org>; Sun, 9 Aug 2015 14:51:56 -0700 (PDT)
Received: from [174.236.35.106] (helo=Williams-MacBook-Pro.local) by elasmtp-masked.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <frantz@pwpconsult.com>) id 1ZOYVQ-0006ha-VL; Sun, 09 Aug 2015 17:51:49 -0400
Date: Sun, 09 Aug 2015 14:52:15 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: ianG <iang@iang.org>
X-Priority: 3
In-Reply-To: <55C77E9B.1080807@iang.org>
Message-ID: <r422Ps-1075i-41F2431F7E1149849C861F2D27D5FCA3@Williams-MacBook-Pro.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Mailsmith 2.3.1 (422)
X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec798bfd2f608b3f0690c666301ae546bbc6350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 174.236.35.106
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/yVukH0Gn1Cu8ThnlLFA_4iiIUUs>
Cc: openpgp@ietf.org
Subject: Re: [openpgp] Followup on fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Aug 2015 21:51:59 -0000
On 8/9/15 at 9:23 AM, iang@iang.org (ianG) wrote: >>There has also been an undertone of, "If we can't come up with an >>attack, there aren't any." in this thread. > > >I disagree with that characterisation. I would rather see it like this: > >If we can't come up with an attack, >then we should not defend against it. >We should *accept the risk*. The specific issue I was addressing was PHB's source code checkin attack. Most of us, me included, thought that specific attack was not very convincing. However, to my mind, there may be other, more serious attacks using the same basic mechanism. Just because we can't think of them doesn't mean we shouldn't defend against them. Using all the bits of the key fingerprint hash is probably good a good enough defense against these unanticipated attacks, and we should state that in the security considerations section. A better defense would be to use the key itself, but that is probably overkill in most situations. >>I find this attitude very >>dangerous as new classes of attacks (e.g. power analysis) are constantly >>being discovered. > > >1. when that information develops, we can "come up with the >attack." This stops us drifting into lab myopia. > >2. How is power analysis going to effect a hash? Surely, if I >can do power analysis, I'm not that concerned about the hash, >I'd rather suck the key bits? OK, I know it was an example... >but this is an example of "not an attack." Power analysis was an example of a class of attack that came up late in the security analysis field and exposed a significant number of vulnerabilities. It is not a attack against hashes. Those are more likely to be new mathematical techniques. >>I would suggest wording in the security considerations section something >>like: >> >>"During the design process, any application using key fingerprints >>SHOULD characterize the consequences of a fingerprint collision on the >>application's security and implementation integrity, particularly when >>using fewer bits than the output of the fingerprint hash." > > >If we're talking about a mid-range published key fingerprint of >say 100 bits, then there is a capability for collisions and >perhaps preimages in the future, sure. > >But we have a built in mechanism for that already; increase to 150 then 200. So how about: > > >"During the design process of any application using shortened >key fingerprints, attention should be paid to a recovery >strategy in the event that the shortened fingerprint becomes >subject to collisions or preimage attacks." My problem with that statement is that there is no incentive to analyse the failure mode of the application should a collision occur. I agree that a collision is far more likely to be due to a hardware or software error than a hash failure, but performing the analysis can make the application more robust. Let me return to my straw man example of a application that routes messages based on key fingerprint. If it assumes that there is only one routing address/fingerprint, and there is a collision, then it will route all the colliding messages to one address. If it assumes that there may be more than one address, then it will route all colliding messages to all the address. In the later case, the receivers will not be able to decrypt all the messages, but the messages encrypted to them will get through, a more robust situation. Cheers - Bill ----------------------------------------------------------------------- Bill Frantz | Security is like Government | Periwinkle (408)356-8506 | services. The market doesn't | 16345 Englewood Ave www.pwpconsult.com | want to pay for them. | Los Gatos, CA 95032
- [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Wyllys Ingersoll
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Gregory Maxwell
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Gregory Maxwell
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Peter Pentchev
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Nicholas Cole
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Nicholas Cole
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Bill Frantz
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Bill Frantz