Re: [saag] [Cfrg] RFC analyzing IETF use of hash functions [was: Re: Further MD5 breaks: Creating a rogue CA certificate]
David McGrew <mcgrew@cisco.com> Tue, 06 January 2009 12:32 UTC
Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9C6673A6941; Tue, 6 Jan 2009 04:32:30 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4419A3A6941 for <saag@core3.amsl.com>; Tue, 6 Jan 2009 04:32:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.544
X-Spam-Level:
X-Spam-Status: No, score=-6.544 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yOgdpOABI2va for <saag@core3.amsl.com>; Tue, 6 Jan 2009 04:32:28 -0800 (PST)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 4AC0C3A6923 for <saag@ietf.org>; Tue, 6 Jan 2009 04:32:28 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.36,338,1228089600"; d="scan'208";a="126827219"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-3.cisco.com with ESMTP; 06 Jan 2009 12:32:15 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n06CWFmw002914; Tue, 6 Jan 2009 04:32:15 -0800
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n06CWFet020575; Tue, 6 Jan 2009 12:32:15 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 6 Jan 2009 04:32:15 -0800
Received: from stealth-10-32-254-212.cisco.com ([10.32.254.212]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 6 Jan 2009 04:32:14 -0800
Message-Id: <7D2B3E4D-B8DE-46C3-AFE8-48FC88C375AF@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: Sean Shen <sshen@huawei.com>
In-Reply-To: <00be01c96faf$8bea0720$800c6f0a@china.huawei.com>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Tue, 06 Jan 2009 04:32:13 -0800
References: <00be01c96faf$8bea0720$800c6f0a@china.huawei.com>
X-Mailer: Apple Mail (2.929.2)
X-OriginalArrivalTime: 06 Jan 2009 12:32:14.0879 (UTC) FILETIME=[CE33FAF0:01C96FFA]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4911; t=1231245135; x=1232109135; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:=20David=20McGrew=20<mcgrew@cisco.com> |Subject:=20Re=3A=20[Cfrg]=20[saag]=20RFC=20analyzing=20IET F=20use=20of=20hash=20functions=20[was=3A=20Re=3A=20Further= 20MD5=20breaks=3A=20Creating=20a=20rogue=20CA=20certificate] |Sender:=20; bh=8pGPbrqdajogPvPYDwWEaK+jPD/TzQG4edLtySsWBUU=; b=IUIaXoEV+BUsVHbcj564OxhuUpwbtEw1JHD7a6d/4iOPjovFRz/xD8F2Hp ySRv/6sORPQkzMxrzgwh4++YM7n0WkA+IyTRsgjEylUJzebh2ZW6h2tII1+K QwlSi3MBhln/SI7MTmhXNGNY0salcpPCBUCiPRM7NcLyt1GEKmXfU=;
Authentication-Results: sj-dkim-1; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: cfrg@irtf.org, saag@ietf.org
Subject: Re: [saag] [Cfrg] RFC analyzing IETF use of hash functions [was: Re: Further MD5 breaks: Creating a rogue CA certificate]
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org
thanks for volunteering, Sean. On Jan 5, 2009, at 7:33 PM, Sean Shen wrote: > Hi, > A draft in CSI work group gives some analysis on hash threats on > CGA(RFC3972) and SeND(RFC3971). Hope it also provides valuable info. > I will be happy to give review or other possible support for this > valuable > work. > > Best, > > Sean > >> -----Original Message----- >> From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On >> Behalf Of Sean Turner >> Sent: Tuesday, January 06, 2009 11:21 AM >> To: David McGrew >> Cc: cfrg@irtf.org; saag@ietf.org >> Subject: Re: [saag] RFC analyzing IETF use of hash functions >> [was: Re: [Cfrg] Further MD5 breaks: Creating a rogue CA certificate] >> >> Dave, >> >> When the S/MIME WG penned >> http://tools.ietf.org/html/draft-ietf-smime-multisig-05 we >> added an appendix that addresses where hashes are located in >> CMS's SignedData and the attacks against those hashes. I'd be >> willing to help craft any other wording necessary for S/MIME|CMS. >> >> spt >> >> David McGrew wrote: >>> Hi Ran, >>> >>> I think it is a great idea to document the IETF applications/uses of >>> hashing, and the attacks against particular uses of hashing. >> It would >>> make a great CFRG informational RFC, if we can find volunteers to >>> contribute to and edit it. I offer to review it. >>> >>> David >>> >>> On Dec 31, 2008, at 7:48 AM, RJ Atkinson wrote: >>> >>>> >>>> [Distribution trimmed slightly to reduce cross-posting and >> improve SNR.] >>>> >>>> On 30 Dec 2008, at 20:20, Peter Gutmann wrote: >>>>> The current MD5 attack is very cool but there's no need to >> worry about >>>>> bad guys doing much with it because it's much, much easier to get >>>>> legitimate CA-issued certs the normal way, you buy them just like >>>>> everyone else does (except that you use someone else's credit card >>>>> and identity, obviously). >>>> >>>> >>>> Two thoughts: >>>> >>>> 1) Protocol Issues >>>> >>>> The IETF ought to be thinking about a wide range of IETF protools >>>> in the same way that Peter thinks about CA security issues above. >>>> >>>> For some IETF protocols, for example all of the IGP authentication >>>> extensions (excepting RFC-2154, AFAICT), active non-cryptographic >>>> attacks are feasible (if not yet seen in the deployed world, >>>> AFAICT) >>>> that are much easier than *any* cryptographic attack. Again, and >>>> only by way of example, RFC-4822 discusses some of these that are >>>> specific to RIPv2 authentication. >>>> >>>> For protocols where non-cryptographic attacks are feasible AND >>>> are lower cost than a cryptographic attack, really it does not make >>>> much difference what cryptographic algorithm gets deployed by a >>>> user >>>> -- and the IETF's focus should be on improving the underlying >>>> authentication mechanism BEFORE worrying about which cryptographic >>>> algorithms are being deployed. >>>> >>>> Attackers are generally both smart and lazy, so they won't waste >>>> time on an expensive cryptographic attack when a lower effort >>>> non-cryptographic attack exists. >>>> >>>> >>>> 2) Hash algorithm analysis >>>> >>>> It would be very helpful if a *set* of mathematicians/ >>>> cryptographers >>>> could jointly put together a summary of the known attacks on all >>>> the widely used hash algorithms (e.g. MD2, MD4, MD5, SHA-0, SHA-1, >>>> SHA-2, others), *including references to the published literature*. >>>> >>>> Ideally, this analysis would also include discussion of >> whether those >>>> attacks apply for those same algorithms when used in the >> modes employed >>>> by various IETF protocols today (e.g. Keyed-Hash as used in >> OSPFv2 MD5 >>>> or RIPv2 MD5, HMAC-Hash, and so forth). >>>> >>>> This would be most useful to have as an Informational RFC, >>>> and SOON, so that IETF WGs could have some "consensus" document >>>> to refer to -- and to cite explicitly -- if any IETF WGs decide >>>> to make hash algorithm recommendations or decisions. >>>> >>>> I don't understand IRTF process details perfectly, but perhaps >>>> the CFRG chairs might undertake creating such a document as a >>>> near-term official CFRG group project. >>>> >>>> Yours, >>>> >>>> Ran >>>> rja@extremenetworks.com >>>> >>>> _______________________________________________ >>>> Cfrg mailing list >>>> Cfrg@irtf.org >>>> https://www.irtf.org/mailman/listinfo/cfrg >>> >>> _______________________________________________ >>> saag mailing list >>> saag@ietf.org >>> https://www.ietf.org/mailman/listinfo/saag >>> >> _______________________________________________ >> saag mailing list >> saag@ietf.org >> https://www.ietf.org/mailman/listinfo/saag >> > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg _______________________________________________ saag mailing list saag@ietf.org https://www.ietf.org/mailman/listinfo/saag
- [saag] Further MD5 breaks: Creating a rogue CA ce… Russ Housley
- Re: [saag] Further MD5 breaks: Creating a rogue C… Jeffrey Hutzelman
- Re: [saag] Further MD5 breaks: Creating a rogue C… Eric Rescorla
- Re: [saag] Further MD5 breaks: Creating a rogue C… Russ Housley
- Re: [saag] Further MD5 breaks: Creating a rogue C… Paul Hoffman
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Eric Rescorla
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Jeffrey Hutzelman
- Re: [saag] Further MD5 breaks: Creating a rogue C… Russ Housley
- Re: [saag] Further MD5 breaks: Creating a rogue C… Yoav Nir
- Re: [saag] Further MD5 breaks: Creating a rogue C… Russ Housley
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Eric Rescorla
- Re: [saag] Further MD5 breaks: Creating a rogue C… Russ Housley
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Eric Rescorla
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Nicolas Williams
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Jeffrey Hutzelman
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] Further MD5 breaks: Creating a rogue C… Santosh Chokhani
- Re: [saag] Further MD5 breaks: Creating a rogue C… Santosh Chokhani
- Re: [saag] Further MD5 breaks: Creating a rogue C… Santosh Chokhani
- Re: [saag] Further MD5 breaks: Creating a rogue C… Hugo Krawczyk
- Re: [saag] Further MD5 breaks: Creating a rogue C… Jeffrey Hutzelman
- Re: [saag] Further MD5 breaks: Creating a rogue C… Peter Gutmann
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Eric Rescorla
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] Further MD5 breaks: Creating a rogue C… RJ Atkinson
- Re: [saag] Further MD5 breaks: Creating a rogue C… Santosh Chokhani
- Re: [saag] Further MD5 breaks: Creating a rogue C… Vishwas Manral
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … RJ Atkinson
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Peter Gutmann
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Peter Gutmann
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Ben Laurie
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Eric Rescorla
- Re: [saag] RFC analyzing IETF use of hash functio… Sean Shen
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Paul Hoffman
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Ben Laurie
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Ben Laurie
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Robert Moskowitz
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Sean Shen
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Yoav Nir
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Paul Hoffman
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Yoav Nir
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Peter Gutmann
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Paul Hoffman
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Jeffrey Hutzelman
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Santosh Chokhani
- Re: [saag] Further MD5 breaks: Creating a rogue C… RL 'Bob' Morgan
- Re: [saag] Further MD5 breaks: Creating a rogue C… Peter Hesse
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Blake Ramsdell
- Re: [saag] Further MD5 breaks: Creating a rogue C… Scott Rea
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] Further MD5 breaks: Creating a rogue C… Timothy J. Miller
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Tim Moses
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Mike
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Richard Graveman
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Mike
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Dr Stephen Henson
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] Further MD5 breaks: Creating a rogue C… Philipp Guehring
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Mike
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Peter Hesse
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Weger, B.M.M. de
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Yoav Nir
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Yoav Nir
- Re: [saag] Further MD5 breaks: Creating a rogue C… der Mouse
- Re: [saag] Further MD5 breaks: Creating a rogue C… RJ Atkinson
- [saag] attacks on keyed-hash constructions [was: … David McGrew
- Re: [saag] attacks on keyed-hash constructions [w… RJ Atkinson
- [saag] RFC analyzing IETF use of hash functions [… David McGrew
- Re: [saag] [Cfrg] RFC analyzing IETF use of hash … Paul Hoffman
- Re: [saag] Further MD5 breaks: Creating a rogue C… Jeffrey Hutzelman
- Re: [saag] [Cfrg] RFC analyzing IETF use of hash … Vishwas Manral
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Stephen Kent
- Re: [saag] RFC analyzing IETF use of hash functio… Sean Turner
- Re: [saag] RFC analyzing IETF use of hash functio… David McGrew
- Re: [saag] [Cfrg] RFC analyzing IETF use of hash … David McGrew
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] [Cfrg] attacks on keyed-hash construct… Christian Rechberger
- Re: [saag] [Cfrg] RFC analyzing IETF use of hash … Ran Canetti
- Re: [saag] [Cfrg] Further MD5 breaks: Creating a … Timothy J. Miller
- Re: [saag] [Cfrg] RFC analyzing IETF use of hash … David McGrew
- Re: [saag] [Cfrg] RFC analyzing IETF use of hash … Joseph Salowey (jsalowey)