[saag] attacks on keyed-hash constructions [was: Re: [cfrg] Further MD5 breaks: Creating a rogue CA certificate]

David McGrew <mcgrew@cisco.com> Mon, 05 January 2009 18:15 UTC

Message-Id: <5F8E31B0-CD96-4ED1-83FD-883F0AD78657@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: RJ Atkinson <rja@extremenetworks.com>
In-Reply-To: <EDF5EEB5-4363-4ED1-A865-66C073E17969@extremenetworks.com>
Date: Mon, 05 Jan 2009 10:15:26 -0800
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu> <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu> <p0624081dc5802a331eac@[10.20.30.158]> <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu> <200901051006.FAA20784@Sparkle.Rodents-Montreal.ORG> <EDF5EEB5-4363-4ED1-A865-66C073E17969@extremenetworks.com>
Cc: ietf-pkix@imc.org, ietf-smime@imc.org, cfrg@irtf.org, saag@ietf.org
Subject: [saag] attacks on keyed-hash constructions [was: Re: [cfrg] Further MD5 breaks: Creating a rogue CA certificate]

Hi Ran,

On Jan 5, 2009, at 5:26 AM, RJ Atkinson wrote:

>
> On  5 Jan 2009, at 04:57, der Mouse wrote:
>> What I, as an amateur, take away from it is approximately "MD5 is
>> showing more and more cracks and nobody should use it for anything
>> that needs to withstand a malicious adversary".
>
> Within the CA world, many folks here seem to agree.
>
> However, the usage in CAs is rather different from
> some other modes of operation (e.g. Keyed-Hash, HMAC-Hash).
>
> So far, there are no known attacks on those other modes of operation.
> [If someone knows of a refereed paper that's been published
> on those latter topics, please share a citation here.]

I'm not sure what you mean by keyed-hash, but here are some attacks
that might be relevant.

[1] B. Preneel and P. van Oorschot, “MD-x MAC and building fast MACs
from hash functions,” Advances in Cryptology – Crypto 95 Proceedings,
Lecture Notes in Computer Science Vol. 963, D. Coppersmith ed.,
Springer-Verlag, 1995.

[2] B. Preneel and P. van Oorschot, “On the security of two MAC
algorithms,” Advances in Cryptology – Eurocrypt 96 Proceedings,
Lecture Notes in Computer Science Vol. ??, U. Maurer ed.,
Springer-Verlag, 1996.

RFC 2385 uses the method broken in Section 4.2 of [1].

HMAC seems to be secure given some reasonable assumptions about the
hash functions (namely, that the underlying hash has a compression
function that is a PRF - no collision resistance is required); see
http://eprint.iacr.org/2006/043

>
>
>> These may be the best openly published breaks of MD5 at the moment,
>
> Mind, there are published "serious attacks" [using NIST's words
> from their web site] against SHA-0 and SHA-1 also.   Timothy
> Miller seemed to suggest in recent email that perhaps the PKIX WG
> might enhance the CA structure to increase attack resistance in an
> algorithm-independent way.
>
> Now, may I suggest that folks please LOOK AT and possibly
> REDUCE/EDIT the CC line as they reply to this thread going forward.
> Items that are PKIX specific likely belong only on the PKIX
> list.  Ditto for SMIME specific issues to the SMIME list.
> That would leave only generic comments for the SAAG list.
>

Done.

David

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
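The message above contrasts the bare keyed hash used by RFC 2385 with HMAC. The following is an added illustration, not code from the thread or from any of the cited papers: it builds HMAC exactly as RFC 2104 specifies it (key padding, ipad/opad, nested hashing) from a plain hash function, checks the result against Python's standard `hmac` module, and places it next to a simplified model of the "secret suffix" form H(M || K) so the structural difference is visible. Function names (`hmac_rfc2104`, `secret_suffix_mac`, `verify_tag`, `matches_stdlib`) are ours, and the suffix model reduces RFC 2385 to "hash of data followed by key" rather than reproducing its TCP pseudo-header layout.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H((K' xor opad) || H((K' xor ipad) || M)), per RFC 2104.

    hash_name is any name hashlib accepts ("md5", "sha1", "sha256", ...).
    """
    block_size = hashlib.new(hash_name).block_size  # 64 for MD5/SHA-1/SHA-256, 128 for SHA-512
    # A key longer than one block is first reduced with H; shorter keys are
    # right-padded with zero bytes to exactly one block (K').
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    # The key enters the computation before the message (inner hash) and
    # again around the inner digest (outer hash); the message never touches
    # the hash without keyed state in front of it.
    inner = hashlib.new(hash_name, ipad_key + msg).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def secret_suffix_mac(key: bytes, msg: bytes, hash_name: str = "md5") -> bytes:
    """Simplified model of the RFC 2385 construction: one hash over msg || key.

    The key is appended only after the whole message has been absorbed, so the
    tag depends on the message solely through the hash's unkeyed internal state.
    That is why the message above says this mode is broken in [1], Section 4.2:
    its security rests on collision resistance of H rather than on the key.
    """
    return hashlib.new(hash_name, msg + key).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Check a received HMAC tag in constant time (no early exit on mismatch)."""
    expected = hmac_rfc2104(key, msg, hash_name)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check our construction against the standard-library HMAC."""
    return hmac_rfc2104(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample inputs; the first two are the RFC 2202 / RFC 4231
    # "Hi There" test vectors.
    print(hmac_rfc2104(b"\x0b" * 16, b"Hi There", "md5").hex())
    print(hmac_rfc2104(b"\x0b" * 20, b"Hi There", "sha256").hex())
    long_key = bytes(range(100))  # longer than one block, exercises the H(K) path
    print(matches_stdlib(long_key, b"tcp segment payload", "sha256"))
    print(secret_suffix_mac(b"shared-secret", b"tcp segment payload").hex())
```

In practice the standard library's `hmac.new` should be used rather than a hand-rolled copy; the point of spelling it out is to show why the security argument the message links to only needs the compression function to behave as a PRF: every hash invocation in HMAC starts from key-dependent input, whereas in the suffix form the message is processed first and the key only afterwards. Verification should always go through a constant-time comparison such as `hmac.compare_digest`, since tag checks are exactly the place where byte-by-byte early exits leak timing.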