Re: [secdir] SecDir review of draft-ietf-csi-hash-threat-09

[Paul Hoffman <phoffman@imc.org>]

At 9:23 AM -0800 3/10/10, Laganier, Julien wrote:
>- Section 3 explains what is a first-preimage attack, a second preimage attack, a collision attacks, etc. I do no think this document is the right place to do this. A simple reference to the definition of the attacks could be added if necessary, e.g. "For a definition of the various attacks against hash function properties, see [HAC] [...] [HAC] Handbook of Applied Cryptography, Alfred J. Menezes et al., 2001, http://www.cacr.math.uwaterloo.ca/hac/"

Or just shorten it to a two-sentence reference to RFC 4270, which is repeatedly referred to in this section.

>- Section 3.1. explains that the "impacts of collision attacks on current uses of CGAs and the CGA hash agility are analyzed in the update of the CGA specification [rfc4982]", yet it goes on with explaining what is the purpose of a CGA etc. If RFC4982 has done the analysis already, simply cite it, and state the result, e.g. "impacts of collision attacks on current uses of CGAs and the CGA hash agility are analyzed in the update of the CGA specification [rfc4982] which concludes that no current hash vulnerability impacts the security properties afforded by the use of CGAs".

Quite right.

>- Section 3.2 similarly goes on musing on attacks against X.509 certificates. Again, I'd rather have the section refer to an analysis of the vulnerabilities introduced by the use of hashes by X.509 certificates, and simply state the conclusion of the analysis in this document. If no proper analysis has been done, then it could be done in this document, but this section as is doesn't seem to do that in an appropriate way.

Fully agree. The quality of collision-based attacks on PKIX certificates continues to improve every few years. Arjen Lenstra and Benne de Weger have no problem finding grad students (and even undergraduates) who want to make their name in this area, often with success.

>- Section 3.3. has a similar problem as above. It muses on non-repudiation etc. but does not say what I'm interested in. If security of SEND does not rely on non-repudiation property of the signature, state it and explain why. I am not interested in how to attack the non-repudiation property of a signature using a hash vulnerability, I am interested in how can (or can't) I attack SEND using a non-repudiation vulnerability...

Non-repudiation is one of the best-known ratholes in the PKIX space.

I apologize for not reading this document sooner, but it is really a mess and should not be published even as an Informational RFC. In addition to the problems listed above, the document is also riddled with factual problems:

- It says that it "analyzes the hash usage in SEND following the recommended approach [rfc4270] [new-hashes]" but does not deal with the methods in [new-hashes] (which has an under-specified reference) at all.

- It says that RFC 4270 says many things that absolutely are not in RFC 4270.

- It says that there have been SHA-1 collisions, which are still likely but still completely theoretical.

- There are numerous context-free statements like "The strength of Internet protocol does not have to be necessarily affected by the weakness of the underlaying hash function".

- The CGA-specific discussion of if preimage attacks were feasible ignores the fact that CGA is the least of anyone's worries if preimage attacks were feasible: there would be a systemwide security meltdown, of which CGA would be a tiny whiff.

Please strongly consider killing off this document, given that RFCs 4270 and 4982 already cover the material completely. If RFC 4982 does not cover every aspect relevant to SEND, a two-paragraph update to RC 4982 would be much better than this document.