Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

Paul Hoffman <phoffman@imc.org> Fri, 08 January 2010 16:13 UTC

Mime-Version: 1.0
Message-Id: <p06240812c76d0821dd1b@[10.20.30.158]>
In-Reply-To: <20100108144431.GB26259@shinkuro.com>
References: <p06240810c76be77be756@[128.89.89.161]> <20100107222809.GA25747@shinkuro.com> <p06240818c76c1a38cbf8@[128.89.89.161]> <20100108144431.GB26259@shinkuro.com>
Date: Fri, 08 Jan 2010 08:12:29 -0800
To: Andrew Sullivan <ajs@shinkuro.com>, Stephen Kent <kent@bbn.com>
From: Paul Hoffman <phoffman@imc.org>
Content-Type: text/plain; charset="us-ascii"
Cc: secdir@ietf.org, dol@cryptocom.ru, ogud@ogud.com, Ralph Droms <rdroms@cisco.com>
Subject: Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05
Precedence: list

To take it one step further: a signing algorithm that is easily broken opens up a new attack vector. Imagine that all DNSSEC "client" implementations (resolvers) need to support two algorithms, A and B. If A and B are of actual equal strength, an attacker has an equal problem. However, if B is found to have weaknesses that allows an attacker to forge signatures, that attacker then can create a bogus chain to a trust anchor using B in the entire path.

It is for this reason that DNSSEC does not, for example, require that resolvers MUST be able to validate RSA signatures with 256-bit keys. However, by saying that resolvers MUST be able to validate anything other than the widely-agreed-to algorithms, you are opening up such an attack.

GOST signatures use a hash algorithm that has a known academic attack. Thus, even if the GOST asymmetric encryption algorithm is as strong as RSA with the size of keys that people are using, the overall signing algorithm may be weaker. This is *not* an argument that Russia should not use GOST: they have made their own security decisions based on the same knowledge that we have (and possibly more). It is, however, an argument against making everyone else be able to verify GOST signatures as if they were equivalent to other mandatory-to-implement signature algorithms.

Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
[secdir] review of draft-ietf-dnsext-dnssec-gost-… Stephen Kent
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Paul Hoffman
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Uri Blumenthal
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Paul Hoffman
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… David McGrew
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Nicolas Williams
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Eric Rescorla
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Basil Dolmatov
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Basil Dolmatov
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Uri Blumenthal
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Sandra Murphy
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Sandra Murphy
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Nicolas Williams
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Basil Dolmatov
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Basil Dolmatov
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Jeffrey Hutzelman
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Jeffrey Hutzelman