[saag] attacks on keyed-hash constructions [was: Re: [cfrg] Further MD5 breaks: Creating a rogue CA certificate]
David McGrew <mcgrew@cisco.com> Mon, 05 January 2009 18:15 UTC
Message-Id: <5F8E31B0-CD96-4ED1-83FD-883F0AD78657@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: RJ Atkinson <rja@extremenetworks.com>
In-Reply-To: <EDF5EEB5-4363-4ED1-A865-66C073E17969@extremenetworks.com>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Mon, 05 Jan 2009 10:15:26 -0800
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu> <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu> <p0624081dc5802a331eac@[10.20.30.158]> <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu> <200901051006.FAA20784@Sparkle.Rodents-Montreal.ORG> <EDF5EEB5-4363-4ED1-A865-66C073E17969@extremenetworks.com>
Cc: ietf-pkix@imc.org, ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: [saag] attacks on keyed-hash constructions [was: Re: [cfrg] Further MD5 breaks: Creating a rogue CA certificate]
Hi Ran,

On Jan 5, 2009, at 5:26 AM, RJ Atkinson wrote:

>
> On 5 Jan 2009, at 04:57, der Mouse wrote:
>> What I, as an amateur, take away from it is approximately "MD5 is
>> showing more and more cracks and nobody should use it for anything
>> that needs to withstand a malicious adversary".
>
> Within the CA world, many folks here seem to agree.
>
> However, the usage in CAs is rather different from
> some other modes of operation (e.g. Keyed-Hash, HMAC-Hash).
>
> So far, there are no known attacks on those other modes of operation.
> [If someone knows of a refereed paper that's been published
> on those latter topics, please share a citation here.]

I'm not sure what you mean by keyed-hash, but here are some attacks that
might be relevant.

[1] B. Preneel and P. van Oorschot, “MD-x MAC and building fast MACs from
hash functions,” Advances in Cryptology – Crypto 95 Proceedings, Lecture
Notes in Computer Science Vol. 963, D. Coppersmith ed., Springer-Verlag,
1995.

[2] B. Preneel and P. van Oorschot, “On the security of two MAC
algorithms,” Advances in Cryptology – Eurocrypt 96 Proceedings, Lecture
Notes in Computer Science Vol. ??, U. Maurer ed., Springer-Verlag, 1996.

RFC 2385 uses the method broken in Section 4.2 of [1].

HMAC seems to be secure given some reasonable assumptions about the hash
functions (namely, that the underlying hash has a compression function
that is a PRF - no collision resistance is required); see
http://eprint.iacr.org/2006/043

>
>> These may be the best openly published breaks of MD5 at the moment,
>
> Mind, there are published "serious attacks" [using NIST's words
> from their web site] against SHA-0 and SHA-1 also. Timothy
> Miller seemed to suggest in recent email that perhaps the PKIX WG
> might enhance the CA structure to increase attack resistance in an
> algorithm-independent way.
>
> Now, may I suggest that folks please LOOK AT and possibly
> REDUCE/EDIT the CC line as they reply to this thread going forward.
> Items that are PKIX specific likely belong only on the PKIX
> list. Ditto for SMIME specific issues to the SMIME list.
> That would leave only generic comments for the SAAG list.

Done.

David
_______________________________________________ saag mailing list saag@ietf.org https://www.ietf.org/mailman/listinfo/saag
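Editor's worked example, added here and not part of McGrew's message or of any IETF code: the secret-suffix construction that RFC 2385 (the TCP MD5 option) uses, MD5(message || key), placed next to HMAC-MD5 and driven by a real MD5 collision. The two 128-byte inputs M1 and M2 are the published Wang et al. (2004) MD5 colliding pair; the key is a constructed sample value; and the RFC 2385 input (pseudo-header, TCP header, segment data, then key) is simplified to message || key. The function names (suffix_mac, hmac_md5, forge_suffix_tag, demo) are the example's own. What the block shows is the attack McGrew points at in Section 4.2 of [1]: once a hash collision exists for the unkeyed IV, a suffix MAC over the colliding messages is identical for every key, so an attacker who has seen one valid tag can replay it on the other message without knowing the key. HMAC, which absorbs the key in the first block of both hash passes, does not inherit that collision, which is the practical face of the "no collision resistance required" result McGrew cites.

```python
"""Added example (not from the original post): secret-suffix MAC as in
RFC 2385, MD5(message || key), versus HMAC-MD5, tested with a real MD5
collision.

Assumptions: M1/M2 are the published Wang et al. (2004) MD5 colliding pair;
KEY values are constructed samples; the RFC 2385 input is simplified to
message || key.
"""
import hashlib
import hmac

# Published MD5 collision (Wang, Feng, Lai, Yu 2004): two messages of exactly
# two 64-byte blocks that reach the same chaining value from the standard IV.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

BLOCK = 64  # MD5 block size in bytes


def suffix_mac(message: bytes, key: bytes) -> bytes:
    """Secret-suffix MAC, H(message || key): the RFC 2385 shape, simplified."""
    return hashlib.md5(message + key).digest()


def hmac_md5(message: bytes, key: bytes) -> bytes:
    """HMAC-MD5 (RFC 2104): the key is absorbed in the first block of both passes."""
    return hmac.new(key, message, hashlib.md5).digest()


def hashes_collide(a: bytes, b: bytes) -> bool:
    """True when a and b differ but have the same unkeyed MD5 digest."""
    return a != b and hashlib.md5(a).digest() == hashlib.md5(b).digest()


def forge_suffix_tag(known_message: bytes, known_tag: bytes, target_message: bytes) -> bytes:
    """Attacker side of the secret-suffix attack; no key material is used.

    If both messages are whole blocks and reach the same MD5 chaining value,
    the secret key and the final padding are then processed from that same
    state, so the observed tag for known_message is also the tag for
    target_message.
    """
    if len(known_message) % BLOCK or len(target_message) % BLOCK:
        raise ValueError("collision must be block-aligned for the suffix to carry over")
    if not hashes_collide(known_message, target_message):
        raise ValueError("messages do not collide; the forgery does not apply")
    return known_tag


def demo(key: bytes = b"constructed-sample-tcp-md5-key") -> dict:
    """Replay a suffix-MAC tag seen for M1 onto M2; check HMAC for comparison."""
    observed = suffix_mac(M1, key)               # what the attacker sees on the wire
    forged = forge_suffix_tag(M1, observed, M2)  # computed without the key
    return {
        "hash_collides": hashes_collide(M1, M2),
        "suffix_forgery_verifies": forged == suffix_mac(M2, key),
        "hmac_tags_equal": hmac_md5(M1, key) == hmac_md5(M2, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The block-alignment check matters: the collision is an internal-state collision after two full blocks, so anything appended afterwards (here the key, then MD5's own length padding) is hashed from an identical state. Under HMAC the colliding blocks are processed from a secret, key-dependent chaining value rather than the public IV, and a differential built for the IV does not survive that, which is why the HMAC tags differ. A real attack on RFC 2385 would additionally have to place the colliding blocks inside a well-formed TCP segment; the example shows only the structural weakness of the construction.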