Re: [saag] [Cfrg] RFC analyzing IETF use of hash functions [was: Re: Further MD5 breaks: Creating a rogue CA certificate]

I strongly second. The document might also have some basic 
recommendations (do-s and dont-s).

(the other) Ran

On Mon, 5 Jan 2009, David McGrew wrote:

> Hi Ran,
>
> I think it is a great idea to document the IETF applications/uses of hashing, 
> and the attacks against particular uses of hashing.  It would make a great 
> CFRG informational RFC, if we can find volunteers to contribute to and edit 
> it.  I offer to review it.
>
> David
>
> On Dec 31, 2008, at 7:48 AM, RJ Atkinson wrote:
>
>> 
>> [Distribution trimmed slightly to reduce cross-posting and improve SNR.]
>> 
>> On  30 Dec 2008, at 20:20, Peter Gutmann wrote:
>>> The current MD5 attack is very cool but there's no need to worry about
>>> bad guys doing much with it because it's much, much easier to get
>>> legitimate CA-issued certs the normal way, you buy them just like
>>> everyone else does (except that you use someone else's credit card
>>> and identity, obviously).
>> 
>> 
>> Two thoughts:
>> 
>> 1) Protocol Issues
>> 
>> The IETF ought to be thinking about a wide range of IETF protools
>> in the same way that Peter thinks about CA security issues above.
>> 
>> For some IETF protocols, for example all of the IGP authentication
>> extensions (excepting RFC-2154, AFAICT), active non-cryptographic
>> attacks are feasible (if not yet seen in the deployed world, AFAICT)
>> that are much easier than *any* cryptographic attack.  Again, and
>> only by way of example, RFC-4822 discusses some of these that are
>> specific to RIPv2 authentication.
>> 
>> For protocols where non-cryptographic attacks are feasible AND
>> are lower cost than a cryptographic attack, really it does not make
>> much difference what cryptographic algorithm gets deployed by a user
>> -- and the IETF's focus should be on improving the underlying 
>> authentication mechanism BEFORE worrying about which cryptographic
>> algorithms are being deployed.
>> 
>> Attackers are generally both smart and lazy, so they won't waste
>> time on an expensive cryptographic attack when a lower effort
>> non-cryptographic attack exists.
>> 
>> 
>> 2) Hash algorithm analysis
>> 
>> It would be very helpful if a *set* of mathematicians/cryptographers
>> could jointly put together a summary of the known attacks on all
>> the widely used hash algorithms (e.g. MD2, MD4, MD5, SHA-0, SHA-1,
>> SHA-2, others), *including references to the published literature*.
>> 
>> Ideally, this analysis would also include discussion of whether those
>> attacks apply for those same algorithms when used in the modes employed
>> by various IETF protocols today (e.g. Keyed-Hash as used in OSPFv2 MD5
>> or RIPv2 MD5, HMAC-Hash, and so forth).
>> 
>> This would be most useful to have as an Informational RFC,
>> and SOON, so that IETF WGs could have some "consensus" document
>> to refer to -- and to cite explicitly -- if any IETF WGs decide
>> to make hash algorithm recommendations or decisions.
>> 
>> I don't understand IRTF process details perfectly, but perhaps
>> the CFRG chairs might undertake creating such a document as a
>> near-term official CFRG group project.
>> 
>> Yours,
>> 
>> Ran
>> rja@extremenetworks.com
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag