IETF Logo Mail Archive

Re: [secdir] Review of draft-ietf-opsec-routing-protocols-crypto-issues-04

Sam Hartman <hartmans-ietf@mit.edu> Fri, 28 May 2010 16:53 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0DA23A696F for <secdir@core3.amsl.com>; Fri, 28 May 2010 09:53:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.852
X-Spam-Level:
X-Spam-Status: No, score=-0.852 tagged_above=-999 required=5 tests=[AWL=-0.446, BAYES_20=-0.74, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l0TK+5DX7qtr for <secdir@core3.amsl.com>; Fri, 28 May 2010 09:53:54 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 228783A6955 for <secdir@ietf.org>; Fri, 28 May 2010 09:53:53 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id E07C2203C0; Fri, 28 May 2010 12:53:39 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 1257440CC; Fri, 28 May 2010 12:53:05 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Sandra Murphy <Sandra.Murphy@sparta.com>
References: <20100520172310.GQ9605@oracle.com> <tsl632918s3.fsf@mit.edu> <Pine.WNT.4.64.1005271452060.2996@SMURPHY-LT.columbia.ads.sparta.com> <7539F1875DE542E7803619C575355E02@vishwasd520> <Pine.WNT.4.64.1005271527260.2996@SMURPHY-LT.columbia.ads.sparta.com> <DBEEA96634FE47BB848EBFBCBA8D85C9@vishwasd520> <Pine.WNT.4.64.1005281102450.2996@SMURPHY-LT.columbia.ads.sparta.com>
Date: Fri, 28 May 2010 12:53:05 -0400
In-Reply-To: <Pine.WNT.4.64.1005281102450.2996@SMURPHY-LT.columbia.ads.sparta.com> (Sandra Murphy's message of "Fri, 28 May 2010 11:22:30 -0400 (Eastern Daylight Time)")
Message-ID: <tslocg0vuha.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: manav.bhatia@alcatel-lucent.com, Vishwas Manral <vishwas@ipinfusion.com>, secdir@ietf.org, shares@nexthop.com, jjaeggli@checkpoint.com, 'Sam Hartman' <hartmans-ietf@mit.edu>
Subject: Re: [secdir] Review of draft-ietf-opsec-routing-protocols-crypto-issues-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 May 2010 16:53:55 -0000

    Sandra> Since we are NOT discussing failures in keyed MD5 that would
    Sandra> permit someone who did not know the key to produce a valid
    Sandra> digest, it must be the case that the attacker is someone who
    Sandra> knows the key - in other words a valid participant.

    Sandra> So.  What would a collision attack allow a valid participant
    Sandra> to do that a valid participant could not already do?  We
    Sandra> know for sure that valid participants can transmit "wrong
    Sandra> topology descriptions" without resorting to the trouble of
    Sandra> finding a hash collision between packets.

O!
I finally understand your question.
Intuitively the answer is that the attacker should not be able to do
anything with a collision  that they cannot already do by knowing the
key, so I didn't even consider that you could be asking this question.

Of course, with many intuitive things, when you actually question the
intuition, it's not obvious why it's true.  However I think I've come up
with an argument.

For a collision attack  to be valuable to the person producing the hash,
the hash needs to be consumed at multiple points in time.
The attacker wins by having the hash consumed associated with m1 at one
point and m2 at another point.

For example, consider the attack where I sign m1 and then later claim to
have signed m2.
That attack is interesting because someone remembers the hash or at
least depends on the hash  and then later is asked to consider the
second message with a given hash.

>From this, I think that if the cryptographic hash is only used to verify
a packet transmitted along-side the hash that a collision is not useful.
The attacker could have simply sent another packet with a different
hash.

Here are some cases though  which a protocol might engage in where this
does not fit:

1) Participants use the hash to identify which packets they've seen in
the past

2) Participants use hashes  to see which packets other participants have
already seen

3) Participants use hashes to identify the base of some delta to an
object

So any case where the lifetime of the hash is longer than just the MAC
verification, I think there is at least the potential for a collision to
be valuable.

I believe at least for OSPF, the attacker gains nothing from collision
attacks.  IS-IS may be more complicated because I think there it's the
content that is MACed not the packet.

v2.23.0 | Report a Bug | By Email