Re: [saag] [Cfrg] RFC analyzing IETF use of hash functions [was: Re: Further MD5 breaks: Creating a rogue CA certificate]
Ran Canetti <canetti@post.tau.ac.il> Wed, 07 January 2009 06:35 UTC
Date: Tue, 06 Jan 2009 08:05:21 +0200
From: Ran Canetti <canetti@post.tau.ac.il>
To: David McGrew <mcgrew@cisco.com>
Cc: RJ Atkinson <rja@extremenetworks.com>, cfrg@irtf.org, saag@ietf.org

I strongly second. The document might also have some basic
recommendations (do-s and dont-s).

(the other) Ran

On Mon, 5 Jan 2009, David McGrew wrote:

> Hi Ran,
>
> I think it is a great idea to document the IETF applications/uses of hashing,
> and the attacks against particular uses of hashing. It would make a great
> CFRG informational RFC, if we can find volunteers to contribute to and edit
> it. I offer to review it.
>
> David
>
> On Dec 31, 2008, at 7:48 AM, RJ Atkinson wrote:
>
>>
>> [Distribution trimmed slightly to reduce cross-posting and improve SNR.]
>>
>> On 30 Dec 2008, at 20:20, Peter Gutmann wrote:
>>> The current MD5 attack is very cool but there's no need to worry about
>>> bad guys doing much with it because it's much, much easier to get
>>> legitimate CA-issued certs the normal way, you buy them just like
>>> everyone else does (except that you use someone else's credit card
>>> and identity, obviously).
>>
>>
>> Two thoughts:
>>
>> 1) Protocol Issues
>>
>> The IETF ought to be thinking about a wide range of IETF protocols
>> in the same way that Peter thinks about CA security issues above.
>>
>> For some IETF protocols, for example all of the IGP authentication
>> extensions (excepting RFC-2154, AFAICT), active non-cryptographic
>> attacks are feasible (if not yet seen in the deployed world, AFAICT)
>> that are much easier than *any* cryptographic attack. Again, and
>> only by way of example, RFC-4822 discusses some of these that are
>> specific to RIPv2 authentication.
>>
>> For protocols where non-cryptographic attacks are feasible AND
>> are lower cost than a cryptographic attack, really it does not make
>> much difference what cryptographic algorithm gets deployed by a user
>> -- and the IETF's focus should be on improving the underlying
>> authentication mechanism BEFORE worrying about which cryptographic
>> algorithms are being deployed.
>>
>> Attackers are generally both smart and lazy, so they won't waste
>> time on an expensive cryptographic attack when a lower effort
>> non-cryptographic attack exists.
>>
>>
>> 2) Hash algorithm analysis
>>
>> It would be very helpful if a *set* of mathematicians/cryptographers
>> could jointly put together a summary of the known attacks on all
>> the widely used hash algorithms (e.g. MD2, MD4, MD5, SHA-0, SHA-1,
>> SHA-2, others), *including references to the published literature*.
>>
>> Ideally, this analysis would also include discussion of whether those
>> attacks apply for those same algorithms when used in the modes employed
>> by various IETF protocols today (e.g. Keyed-Hash as used in OSPFv2 MD5
>> or RIPv2 MD5, HMAC-Hash, and so forth).
>>
>> This would be most useful to have as an Informational RFC,
>> and SOON, so that IETF WGs could have some "consensus" document
>> to refer to -- and to cite explicitly -- if any IETF WGs decide
>> to make hash algorithm recommendations or decisions.
>>
>> I don't understand IRTF process details perfectly, but perhaps
>> the CFRG chairs might undertake creating such a document as a
>> near-term official CFRG group project.
>>
>> Yours,
>>
>> Ran
>> rja@extremenetworks.com