Re: [saag] RFC analyzing IETF use of hash functions [was: Re: [Cfrg] Further MD5 breaks: Creating a rogue CA certificate]

Sean Shen <sshen@huawei.com> Tue, 06 January 2009 03:33 UTC

Date: Tue, 06 Jan 2009 11:33:31 +0800
From: Sean Shen <sshen@huawei.com>
In-reply-to: <4962CE09.5010007@ieca.com>
To: cfrg@irtf.org, saag@ietf.org
Message-id: <00be01c96faf$8bea0720$800c6f0a@china.huawei.com>
Subject: Re: [saag] RFC analyzing IETF use of hash functions [was: Re: [Cfrg] Further MD5 breaks: Creating a rogue CA certificate]

Hi,
A draft in the CSI working group gives some analysis of hash threats to
CGA (RFC 3972) and SeND (RFC 3971). I hope it also provides valuable info.
I will be happy to give a review or other possible support for this valuable
work.

Best,

Sean

>-----Original Message-----
>From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On 
>Behalf Of Sean Turner
>Sent: Tuesday, January 06, 2009 11:21 AM
>To: David McGrew
>Cc: cfrg@irtf.org; saag@ietf.org
>Subject: Re: [saag] RFC analyzing IETF use of hash functions 
>[was: Re: [Cfrg] Further MD5 breaks: Creating a rogue CA certificate]
>
>Dave,
>
>When the S/MIME WG penned
>http://tools.ietf.org/html/draft-ietf-smime-multisig-05 we 
>added an appendix that addresses where hashes are located in 
>CMS's SignedData and the attacks against those hashes.  I'd be 
>willing to help craft any other wording necessary for S/MIME|CMS.
>
>spt
>
>David McGrew wrote:
>> Hi Ran,
>> 
>> I think it is a great idea to document the IETF applications/uses of 
>> hashing, and the attacks against particular uses of hashing. It would
>> make a great CFRG informational RFC, if we can find volunteers to 
>> contribute to and edit it.  I offer to review it.
>> 
>> David
>> 
>> On Dec 31, 2008, at 7:48 AM, RJ Atkinson wrote:
>> 
>>>
>>> [Distribution trimmed slightly to reduce cross-posting and improve SNR.]
>>>
>>> On  30 Dec 2008, at 20:20, Peter Gutmann wrote:
>>>> The current MD5 attack is very cool but there's no need to worry about
>>>> bad guys doing much with it because it's much, much easier to get
>>>> legitimate CA-issued certs the normal way, you buy them just like
>>>> everyone else does (except that you use someone else's credit card
>>>> and identity, obviously).
>>>
>>>
>>> Two thoughts:
>>>
>>> 1) Protocol Issues
>>>
>>> The IETF ought to be thinking about a wide range of IETF protocols
>>> in the same way that Peter thinks about CA security issues above.
>>>
>>> For some IETF protocols, for example all of the IGP authentication
>>> extensions (excepting RFC-2154, AFAICT), active non-cryptographic
>>> attacks are feasible (if not yet seen in the deployed world, AFAICT)
>>> that are much easier than *any* cryptographic attack.  Again, and
>>> only by way of example, RFC-4822 discusses some of these that are
>>> specific to RIPv2 authentication.
>>>
>>> For protocols where non-cryptographic attacks are feasible AND
>>> are lower cost than a cryptographic attack, really it does not make
>>> much difference what cryptographic algorithm gets deployed by a user
>>> -- and the IETF's focus should be on improving the underlying 
>>> authentication mechanism BEFORE worrying about which cryptographic
>>> algorithms are being deployed.
>>>
>>> Attackers are generally both smart and lazy, so they won't waste
>>> time on an expensive cryptographic attack when a lower effort
>>> non-cryptographic attack exists.
>>>
>>>
>>> 2) Hash algorithm analysis
>>>
>>> It would be very helpful if a *set* of mathematicians/cryptographers
>>> could jointly put together a summary of the known attacks on all
>>> the widely used hash algorithms (e.g. MD2, MD4, MD5, SHA-0, SHA-1,
>>> SHA-2, others), *including references to the published literature*.
>>>
>>> Ideally, this analysis would also include discussion of whether those
>>> attacks apply for those same algorithms when used in the modes employed
>>> by various IETF protocols today (e.g. Keyed-Hash as used in OSPFv2 MD5
>>> or RIPv2 MD5, HMAC-Hash, and so forth).
>>>
>>> This would be most useful to have as an Informational RFC,
>>> and SOON, so that IETF WGs could have some "consensus" document
>>> to refer to -- and to cite explicitly -- if any IETF WGs decide
>>> to make hash algorithm recommendations or decisions.
>>>
>>> I don't understand IRTF process details perfectly, but perhaps
>>> the CFRG chairs might undertake creating such a document as a
>>> near-term official CFRG group project.
>>>
>>> Yours,
>>>
>>> Ran
>>> rja@extremenetworks.com
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>> 
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>> 

