[saag] draft-turner-md4-to-historic and Microsoft use of Md4
Sam Hartman <hartmans-ietf@mit.edu> Wed, 07 July 2010 17:58 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C9FFA3A6838 for <saag@core3.amsl.com>; Wed, 7 Jul 2010 10:58:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.16
X-Spam-Level:
X-Spam-Status: No, score=-2.16 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvsOWF1mbsS0 for <saag@core3.amsl.com>; Wed, 7 Jul 2010 10:58:45 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 07B713A67E5 for <saag@ietf.org>; Wed, 7 Jul 2010 10:58:44 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id B4F77203C7; Wed, 7 Jul 2010 13:58:41 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 8144440D4; Wed, 7 Jul 2010 13:58:38 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Sean Turner <turners@ieca.com>, saag@ietf.org, ietf-krb-wg@anl.gov, cfrg@irtf.org
References: <4C10E308.9060503@ieca.com> <4C335C75.7070508@ieca.com> <FAD1CF17F2A45B43ADE04E140BA83D4801060605@scygexch1.cygnacom.com>
Date: Wed, 07 Jul 2010 13:58:38 -0400
In-Reply-To: <FAD1CF17F2A45B43ADE04E140BA83D4801060605@scygexch1.cygnacom.com> (Santosh Chokhani's message of "Wed, 7 Jul 2010 13:17:14 -0400")
Message-ID: <tslhbkb8981.fsf_-_@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: [saag] draft-turner-md4-to-historic and Microsoft use of Md4
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2010 17:58:45 -0000
Sean, I've mentioned this in private mail, but I believe your draft should discuss the Microsoft uses of md4 particularly for converting passwords to key and discuss the impact of attacks on this use before it is published. I am not intending to imply you're ignoring my comment: it was made recently. I just wanted to get it into the public discussion so others could think about it. It's not entirely clear what properties are desired of a cryptographic function in these uses. In the Kerberos string-to-key operation, I think there are at least two goals: 1) Take a password of sufficient quality and produce a good key 2) Make it difficult to recover the password given the key. There may be other goals. This is an area where the Kerberos community has struggled to come up with security requirements. It's clear that md4 fails at the second goal. However, it's not clear that the Microsoft protocol uses of md4 actually try to achieve this goal. In the case of Kerberos, one of the main reasons you want to prevent recovery of the password is so you can use the same password in different realms without exposing it. For this reason, an identifier of the principal and realm is included in the key computation. However, rc4-hmac-md5 (the Kerberos enctype that uses md4 for string2key) explicitly does not produce different keys for different realms. So, I'm not actually sure whether one-way is a security goal or not for this use of md4. I have not been able to determine the impact of attacks on md4 on its use as a funtion to produce high-quality keys from high-quality passwords. In conclusion, I think we need to be able to tell people what the impact of the attacks on md4 is on widely deployed uses before publishing.
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Simon Josefsson
- [saag] [Fwd: I-D ACTION:draft-turner-md2-to-histo… Sean Turner
- Re: [saag] [Cfrg] [Fwd: I-D ACTION:draft-turner-m… Blumenthal, Uri - 0668 - MITLL
- Re: [saag] [Cfrg] [Fwd: I-D ACTION:draft-turner-m… Peter Gutmann
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Joe Touch
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Simon Josefsson
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Simon Josefsson
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Sean Turner
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Simon Josefsson
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… SM
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Simon Josefsson
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Santosh Chokhani
- Re: [saag] [Cfrg] [Fwd: I-D ACTION:draft-turner-m… Peter Gutmann
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Simon Josefsson
- Re: [saag] [Cfrg] [Fwd: I-D ACTION:draft-turner-m… Len Sassaman
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Len Sassaman
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Len Sassaman
- Re: [saag] [Cfrg] [Fwd: I-D ACTION:draft-turner-m… Len Sassaman
- Re: [saag] [pkix] [Fwd: I-D ACTION:draft-turner-m… Tom Gindin
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… SM
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Sean Turner
- Re: [saag] [pkix] [Fwd: I-D ACTION:draft-turner-m… Andrea Caccia
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Sean Turner
- Re: [saag] [Fwd: I-D ACTION:draft-turner-md2-to-h… Santosh Chokhani
- [saag] draft-turner-md4-to-historic and Microsoft… Sam Hartman
- Re: [saag] draft-turner-md4-to-historic and Micro… Sean Turner