Re: [saag] Further MD5 breaks: Creating a rogue CA certificate

RJ Atkinson <rja@extremenetworks.com> Wed, 31 December 2008 15:49 UTC

Date: Wed, 31 Dec 2008 10:48:54 -0500
From: RJ Atkinson <rja@extremenetworks.com>
In-reply-to: <E1LHplH-0006Xw-V6@wintermute01.cs.auckland.ac.nz>
To: saag@ietf.org
Message-id: <7E552E3F-C85A-4F0E-AC3E-879720A1E55F@extremenetworks.com>
Cc: cfrg@irtf.org

[Distribution trimmed slightly to reduce cross-posting and improve SNR.]

On 30 Dec 2008, at 20:20, Peter Gutmann wrote:
> The current MD5 attack is very cool but there's no need to worry about
> bad guys doing much with it because it's much, much easier to get
> legitimate CA-issued certs the normal way, you buy them just like
> everyone else does (except that you use someone else's credit card
> and identity, obviously).


Two thoughts:

1) Protocol Issues

The IETF ought to be thinking about a wide range of IETF protocols
in the same way that Peter thinks about CA security issues above.

For some IETF protocols, for example all of the IGP authentication
extensions (excepting RFC-2154, AFAICT), active non-cryptographic
attacks are feasible (if not yet seen in the deployed world, AFAICT)
that are much easier than *any* cryptographic attack.  Again, and
only by way of example, RFC-4822 discusses some of these that are
specific to RIPv2 authentication.

For protocols where non-cryptographic attacks are feasible AND
are lower cost than a cryptographic attack, really it does not make
much difference what cryptographic algorithm gets deployed by a user
-- and the IETF's focus should be on improving the underlying
authentication mechanism BEFORE worrying about which cryptographic
algorithms are being deployed.

Attackers are generally both smart and lazy, so they won't waste
time on an expensive cryptographic attack when a lower effort
non-cryptographic attack exists.


2) Hash algorithm analysis

It would be very helpful if a *set* of mathematicians/cryptographers
could jointly put together a summary of the known attacks on all
the widely used hash algorithms (e.g. MD2, MD4, MD5, SHA-0, SHA-1,
SHA-2, others), *including references to the published literature*.

Ideally, this analysis would also include discussion of whether those
attacks apply for those same algorithms when used in the modes employed
by various IETF protocols today (e.g. Keyed-Hash as used in OSPFv2 MD5
or RIPv2 MD5, HMAC-Hash, and so forth).

This would be most useful to have as an Informational RFC,
and SOON, so that IETF WGs could have some "consensus" document
to refer to -- and to cite explicitly -- if any IETF WGs decide
to make hash algorithm recommendations or decisions.

I don't understand IRTF process details perfectly, but perhaps
the CFRG chairs might undertake creating such a document as a
near-term official CFRG group project.

Yours,

Ran
rja@extremenetworks.com
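An added illustration, not part of Ran's message, of the two keyed modes he names in point 2: the appended-key MD5 construction used by OSPFv2 (RFC 2328, Appendix D) and RIPv2 MD5 (RFC 2082), beside HMAC-MD5 (RFC 2104). The sample packet bytes and key are constructed here, and the rule of zero-padding the key to the 16-byte authentication field is an assumption of this example.

```python
import hashlib
import hmac

# Constructed sample standing in for an OSPFv2/RIPv2 packet body (not a real
# capture): a few header-like bytes followed by zero padding.
SAMPLE_PACKET = b"\x02\x01\x00\x2c\xc0\xa8\x01\x01" + b"\x00" * 36
SAMPLE_KEY = b"ospf-secret"  # constructed shared key


def pad_key(key: bytes) -> bytes:
    """Fit the key to the 16-byte authentication field.

    Truncate-or-zero-pad is an assumption of this example; the RFCs define
    the key as a 16-byte value carried in that field.
    """
    return key[:16].ljust(16, b"\x00")


def keyed_md5(packet: bytes, key: bytes) -> bytes:
    """Appended-key mode: digest = MD5(packet || key).

    This is the "Keyed-Hash" shape of OSPFv2 MD5 and RIPv2 MD5, where the
    key occupies the trailing authentication field while the digest is
    computed and is then overwritten by that digest on the wire.
    """
    return hashlib.md5(packet + pad_key(key)).digest()


def hmac_md5(key: bytes, packet: bytes) -> bytes:
    """HMAC mode per RFC 2104: MD5((K ^ opad) || MD5((K ^ ipad) || packet))."""
    return hmac.new(key, packet, hashlib.md5).digest()


def verify_keyed_md5(packet: bytes, key: bytes, digest: bytes) -> bool:
    """Receiver-side check for the appended-key mode (constant-time compare)."""
    return hmac.compare_digest(keyed_md5(packet, key), digest)


def verify_hmac_md5(packet: bytes, key: bytes, digest: bytes) -> bool:
    """Receiver-side check for the HMAC mode (constant-time compare)."""
    return hmac.compare_digest(hmac_md5(key, packet), digest)


if __name__ == "__main__":
    # Same key and packet, two different keyed constructions; whether a
    # result about raw MD5 carries over to either is exactly the question
    # the message asks the requested analysis to answer.
    print("keyed-MD5 :", keyed_md5(SAMPLE_PACKET, SAMPLE_KEY).hex())
    print("HMAC-MD5  :", hmac_md5(SAMPLE_KEY, SAMPLE_PACKET).hex())
```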
