IETF Logo Mail Archive

[saag] RFC analyzing IETF use of hash functions [was: Re: [Cfrg] Further MD5 breaks: Creating a rogue CA certificate]

David McGrew <mcgrew@cisco.com> Mon, 05 January 2009 22:50 UTC

Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A9523A6979; Mon, 5 Jan 2009 14:50:28 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6EF8728C13D for <saag@core3.amsl.com>; Mon, 5 Jan 2009 14:50:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.532
X-Spam-Level:
X-Spam-Status: No, score=-6.532 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpFI4CROaWme for <saag@core3.amsl.com>; Mon, 5 Jan 2009 14:50:23 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 74FBC3A6784 for <saag@ietf.org>; Mon, 5 Jan 2009 14:50:23 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.36,334,1228089600"; d="scan'208";a="224209674"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 05 Jan 2009 22:50:09 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n05MoALW025455; Mon, 5 Jan 2009 14:50:10 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n05MoA78014524; Mon, 5 Jan 2009 22:50:10 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 5 Jan 2009 14:50:10 -0800
Received: from stealth-10-32-254-212.cisco.com ([10.32.254.212]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 5 Jan 2009 14:50:09 -0800
Message-Id: <21E69071-3D71-4882-94DF-80163CE7BEC9@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: RJ Atkinson <rja@extremenetworks.com>
In-Reply-To: <7E552E3F-C85A-4F0E-AC3E-879720A1E55F@extremenetworks.com>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Mon, 05 Jan 2009 14:50:07 -0800
References: <E1LHplH-0006Xw-V6@wintermute01.cs.auckland.ac.nz> <7E552E3F-C85A-4F0E-AC3E-879720A1E55F@extremenetworks.com>
X-Mailer: Apple Mail (2.929.2)
X-OriginalArrivalTime: 05 Jan 2009 22:50:10.0168 (UTC) FILETIME=[F6625F80:01C96F87]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3144; t=1231195810; x=1232059810; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:=20David=20McGrew=20<mcgrew@cisco.com> |Subject:=20RFC=20analyzing=20IETF=20use=20of=20hash=20func tions=20[was=3A=20Re=3A=20[Cfrg]=20[saag]=20Further=20MD5=20 breaks=3A=20Creating=20a=20rogue=20CA=20certificate] |Sender:=20; bh=/EOm7o7BFuNGEpF8AWkLvl4Syyir1HDoZeP6RPRibLk=; b=oUT4ALOBNjDsljdVPM+ilLgq4X+HrTd7Qehyy9qeW6vRwPq03+2wXckKZ0 NKtOcHzPvXJ2AFsVwY3vIIY/wUzMHOQl4h9bme9Q0kZbqzksVMB0y760eXcb d1CAE4f3WB;
Authentication-Results: sj-dkim-2; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: cfrg@irtf.org, saag@ietf.org
Subject: [saag] RFC analyzing IETF use of hash functions [was: Re: [Cfrg] Further MD5 breaks: Creating a rogue CA certificate]
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

Hi Ran,

I think it is a great idea to document the IETF applications/uses of  
hashing, and the attacks against particular uses of hashing.  It would  
make a great CFRG informational RFC, if we can find volunteers to  
contribute to and edit it.  I offer to review it.

David

On Dec 31, 2008, at 7:48 AM, RJ Atkinson wrote:

>
> [Distribution trimmed slightly to reduce cross-posting and improve  
> SNR.]
>
> On  30 Dec 2008, at 20:20, Peter Gutmann wrote:
>> The current MD5 attack is very cool but there's no need to worry  
>> about
>> bad guys doing much with it because it's much, much easier to get
>> legitimate CA-issued certs the normal way, you buy them just like
>> everyone else does (except that you use someone else's credit card
>> and identity, obviously).
>
>
> Two thoughts:
>
> 1) Protocol Issues
>
> The IETF ought to be thinking about a wide range of IETF protools
> in the same way that Peter thinks about CA security issues above.
>
> For some IETF protocols, for example all of the IGP authentication
> extensions (excepting RFC-2154, AFAICT), active non-cryptographic
> attacks are feasible (if not yet seen in the deployed world, AFAICT)
> that are much easier than *any* cryptographic attack.  Again, and
> only by way of example, RFC-4822 discusses some of these that are
> specific to RIPv2 authentication.
>
> For protocols where non-cryptographic attacks are feasible AND
> are lower cost than a cryptographic attack, really it does not make
> much difference what cryptographic algorithm gets deployed by a user
> -- and the IETF's focus should be on improving the underlying  
> authentication mechanism BEFORE worrying about which cryptographic
> algorithms are being deployed.
>
> Attackers are generally both smart and lazy, so they won't waste
> time on an expensive cryptographic attack when a lower effort
> non-cryptographic attack exists.
>
>
> 2) Hash algorithm analysis
>
> It would be very helpful if a *set* of mathematicians/cryptographers
> could jointly put together a summary of the known attacks on all
> the widely used hash algorithms (e.g. MD2, MD4, MD5, SHA-0, SHA-1,
> SHA-2, others), *including references to the published literature*.
>
> Ideally, this analysis would also include discussion of whether those
> attacks apply for those same algorithms when used in the modes  
> employed
> by various IETF protocols today (e.g. Keyed-Hash as used in OSPFv2 MD5
> or RIPv2 MD5, HMAC-Hash, and so forth).
>
> This would be most useful to have as an Informational RFC,
> and SOON, so that IETF WGs could have some "consensus" document
> to refer to -- and to cite explicitly -- if any IETF WGs decide
> to make hash algorithm recommendations or decisions.
>
> I don't understand IRTF process details perfectly, but perhaps
> the CFRG chairs might undertake creating such a document as a
> near-term official CFRG group project.
>
> Yours,
>
> Ran
> rja@extremenetworks.com
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email