Re: [saag] Revision of "Attacks on Cryptographic Hashes in Internet Protocols"

Andrey Jivsov <openpgp@brainhub.org> Wed, 14 November 2012 23:36 UTC

Return-Path: <openpgp@brainhub.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9887421F85B3 for <saag@ietfa.amsl.com>; Wed, 14 Nov 2012 15:36:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.437
X-Spam-Level:
X-Spam-Status: No, score=-0.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2HrKxsk48+i5 for <saag@ietfa.amsl.com>; Wed, 14 Nov 2012 15:36:53 -0800 (PST)
Received: from qmta13.emeryville.ca.mail.comcast.net (qmta13.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:44:76:96:27:243]) by ietfa.amsl.com (Postfix) with ESMTP id 32BF921F84EC for <saag@ietf.org>; Wed, 14 Nov 2012 15:36:53 -0800 (PST)
Received: from omta08.emeryville.ca.mail.comcast.net ([76.96.30.12]) by qmta13.emeryville.ca.mail.comcast.net with comcast id PZPp1k0040FhH24ADbct0q; Wed, 14 Nov 2012 23:36:53 +0000
Received: from [127.0.0.1] ([69.181.162.123]) by omta08.emeryville.ca.mail.comcast.net with comcast id Pbcr1k00G2g33ZR8UbcsQX; Wed, 14 Nov 2012 23:36:52 +0000
Message-ID: <50A42ACF.80208@brainhub.org>
Date: Wed, 14 Nov 2012 15:35:43 -0800
From: Andrey Jivsov <openpgp@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120911 Thunderbird/15.0.1
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <9B93EFAD-AD9B-4402-8CC2-79239EB3DF2E@vpnc.org> <50A40FC8.8080602@brainhub.org> <9BE0FD3C-F9CE-492E-A64C-D7CFB7961D3C@vpnc.org>
In-Reply-To: <9BE0FD3C-F9CE-492E-A64C-D7CFB7961D3C@vpnc.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: IETF Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Revision of "Attacks on Cryptographic Hashes in Internet Protocols"
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Nov 2012 23:36:53 -0000

On 11/14/2012 02:33 PM, Paul Hoffman wrote:
> On Nov 14, 2012, at 1:40 PM, Andrey Jivsov <openpgp@brainhub.org> wrote:
>
>> SHA-2 is well-supported today, but there are no solid reasons why SHA-3 will not be supported equally well in the future.
>
> In that future, we can re-look at support for it in IETF protocols. For now, algorithm agility might be sufficient.

I would agree, but the document such as RFC 4270 influence the future. 
If the message it sends is that the SHA-3 is an odd bifurcation in the 
SHA line, SHA-3 won't gain critical mass.

>> Let's say there is a protocols that is hardwired to SHA1 or MD5. Are we telling people thinking about its improvement to go with the SHA-2?
>
> Yes.
>
>> What about newly designed protocols?
>
> The same.
>
>> If you are a maintainer, what would you prefer: worry about explaining to others that "my SHA-2 use doesn't depend on collision resistance and is not vulnerable to extension attacks", v.s. I "use SHA-3".
>
> Nowhere did we say that you should not use SHA-3. In fact, we said the opposite. We said there was no need to push that.
>
>> I suggest that the document at least softens the statements on SHA-2 v.s. SHA-3. Ideally, I would like to see a path on which we move to the universally supported SHA-3 and, hopefully, the hardware manufacturers are comfortable to jump in.
>
> That's one view; we took a different one. So far, we have had good support in the IETF community for our view, but at some point that might change.
>

It would be useful for me and others to see more details behind the 
arguments that the SHA-2 is preferred to SHA-3 at IETF. I suspect there 
are a lot of assumptions here that may not apply to every particular case.

One of the parameters is the timeline. The transition to a new hash 
algorithm may take years in protocols and formats without algorithm 
agility, while the plans for which route to take are being made today.

For example, in OpenPGP there is a hardwired SHA1 fingerprint. It still 
seems wrong to me to move to SHA-2 and not SHA-3. I am leaning toward 
non-agile solution here because of space constrains and the fact that 
the agility will only be a benefit if Keccak is broken (so instead of 
adding SHA-2 + agility, add hardwired SHA-3 which is good for a few 
decades, at least).