Re: [secdir] Review of draft-ietf-opsec-routing-protocols-crypto-issues-04
Sam Hartman <hartmans-ietf@mit.edu> Fri, 28 May 2010 16:53 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0DA23A696F for <secdir@core3.amsl.com>; Fri, 28 May 2010 09:53:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.852
X-Spam-Level:
X-Spam-Status: No, score=-0.852 tagged_above=-999 required=5 tests=[AWL=-0.446, BAYES_20=-0.74, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l0TK+5DX7qtr for <secdir@core3.amsl.com>; Fri, 28 May 2010 09:53:54 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 228783A6955 for <secdir@ietf.org>; Fri, 28 May 2010 09:53:53 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id E07C2203C0; Fri, 28 May 2010 12:53:39 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 1257440CC; Fri, 28 May 2010 12:53:05 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Sandra Murphy <Sandra.Murphy@sparta.com>
References: <20100520172310.GQ9605@oracle.com> <tsl632918s3.fsf@mit.edu> <Pine.WNT.4.64.1005271452060.2996@SMURPHY-LT.columbia.ads.sparta.com> <7539F1875DE542E7803619C575355E02@vishwasd520> <Pine.WNT.4.64.1005271527260.2996@SMURPHY-LT.columbia.ads.sparta.com> <DBEEA96634FE47BB848EBFBCBA8D85C9@vishwasd520> <Pine.WNT.4.64.1005281102450.2996@SMURPHY-LT.columbia.ads.sparta.com>
Date: Fri, 28 May 2010 12:53:05 -0400
In-Reply-To: <Pine.WNT.4.64.1005281102450.2996@SMURPHY-LT.columbia.ads.sparta.com> (Sandra Murphy's message of "Fri, 28 May 2010 11:22:30 -0400 (Eastern Daylight Time)")
Message-ID: <tslocg0vuha.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: manav.bhatia@alcatel-lucent.com, Vishwas Manral <vishwas@ipinfusion.com>, secdir@ietf.org, shares@nexthop.com, jjaeggli@checkpoint.com, 'Sam Hartman' <hartmans-ietf@mit.edu>
Subject: Re: [secdir] Review of draft-ietf-opsec-routing-protocols-crypto-issues-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 May 2010 16:53:55 -0000
Sandra> Since we are NOT discussing failures in keyed MD5 that would Sandra> permit someone who did not know the key to produce a valid Sandra> digest, it must be the case that the attacker is someone who Sandra> knows the key - in other words a valid participant. Sandra> So. What would a collision attack allow a valid participant Sandra> to do that a valid participant could not already do? We Sandra> know for sure that valid participants can transmit "wrong Sandra> topology descriptions" without resorting to the trouble of Sandra> finding a hash collision between packets. O! I finally understand your question. Intuitively the answer is that the attacker should not be able to do anything with a collision that they cannot already do by knowing the key, so I didn't even consider that you could be asking this question. Of course, with many intuitive things, when you actually question the intuition, it's not obvious why it's true. However I think I've come up with an argument. For a collision attack to be valuable to the person producing the hash, the hash needs to be consumed at multiple points in time. The attacker wins by having the hash consumed associated with m1 at one point and m2 at another point. For example, consider the attack where I sign m1 and then later claim to have signed m2. That attack is interesting because someone remembers the hash or at least depends on the hash and then later is asked to consider the second message with a given hash. >From this, I think that if the cryptographic hash is only used to verify a packet transmitted along-side the hash that a collision is not useful. The attacker could have simply sent another packet with a different hash. Here are some cases though which a protocol might engage in where this does not fit: 1) Participants use the hash to identify which packets they've seen in the past 2) Participants use hashes to see which packets other participants have already seen 3) Participants use hashes to identify the base of some delta to an object So any case where the lifetime of the hash is longer than just the MAC verification, I think there is at least the potential for a collision to be valuable. I believe at least for OSPF, the attacker gains nothing from collision attacks. IS-IS may be more complicated because I think there it's the content that is MACed not the packet.
- [secdir] Review of draft-ietf-opsec-routing-proto… Nicolas Williams
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sam Hartman
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sandra Murphy
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Nicolas Williams
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sandra Murphy
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sandra Murphy
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Nicolas Williams
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sam Hartman
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sam Hartman
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sam Hartman
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sandra Murphy
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sam Hartman
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Sam Hartman
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Bhatia, Manav (Manav)
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Bhatia, Manav (Manav)
- Re: [secdir] Review of draft-ietf-opsec-routing-p… Bhatia, Manav (Manav)