Re: [secdir] Secdir review of draft-turner-md2-to-historic-05

Sean Turner <turners@ieca.com> Mon, 18 October 2010 19:25 UTC

Return-Path: <turners@ieca.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D33A23A6E57 for <secdir@core3.amsl.com>; Mon, 18 Oct 2010 12:25:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.523
X-Spam-Level:
X-Spam-Status: No, score=-102.523 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v6MFYgP93eiw for <secdir@core3.amsl.com>; Mon, 18 Oct 2010 12:25:26 -0700 (PDT)
Received: from smtp113.biz.mail.mud.yahoo.com (smtp113.biz.mail.mud.yahoo.com [209.191.68.78]) by core3.amsl.com (Postfix) with SMTP id 9ABAF3A6E51 for <secdir@ietf.org>; Mon, 18 Oct 2010 12:25:26 -0700 (PDT)
Received: (qmail 88913 invoked from network); 18 Oct 2010 19:26:47 -0000
Received: from thunderfish.local (turners@96.231.118.186 with plain) by smtp113.biz.mail.mud.yahoo.com with SMTP; 18 Oct 2010 12:26:46 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: GIO9YDQVM1m6Bu2Solm9p2T.7D9JJBXuuVSlPgqIyAqU.US LFkW1g76yUvk__ujLcJ0VMe6ZOqcxPiDJpnGKv0TycbjhbvTsQM.CqIx6.Cj EVCdcZSTRH1RHa_J4J_Q7iey_zenm28irokN9rh1ZXiFL7QjZcCaRcjLASfX 94K3Q.wEVQD_MqbElf6kbFbA48CUNEvpd7psdiUGRCLx.8mGCm.jbKebD_AD eeuNrgCOzZXpRanbXsNpXBNJ_5wlZSCCoXeBb2tdmzUPVkl0Nrzurz7rK7OT fqECMeUboYMzznE811buX7RMaPvJTvdM4WqeTsQ3RgRfJlecvpNj65A--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4CBC9F75.3030407@ieca.com>
Date: Mon, 18 Oct 2010 15:26:45 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.9) Gecko/20100915 Lightning/1.0b2 Thunderbird/3.1.4
MIME-Version: 1.0
To: Catherine Meadows <catherine.meadows@nrl.navy.mil>
References: <864DCF6A-A192-41F6-9A46-04D6AC64DC06@nrl.navy.mil> <4CBC99E0.2080204@ieca.com> <9D18C25E-888A-4807-A983-D0BC208224EB@nrl.navy.mil>
In-Reply-To: <9D18C25E-888A-4807-A983-D0BC208224EB@nrl.navy.mil>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: secdir@ietf.org, draft-turner-md2-to-historic.all@tools.ietf.org, iesg@ietf.org
Subject: Re: [secdir] Secdir review of draft-turner-md2-to-historic-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Oct 2010 19:25:26 -0000

drat - yes the albeit phrase should be about the collision attacks not 
the pre-image attacks.

spt

On 10/18/10 3:16 PM, Catherine Meadows wrote:
> Sean,
>
> Yes, this looks much better, although I think that for
>
> Since its publication, MD2 has been shown to not be collision-free
> [ROCH1995][KNMA2005][ROCH1997], albeit successful pre-image attacks
> for properly implement MD2 are not that damaging.
>
> what you really meant to say was
>
> Since its publication, MD2 has been shown to not be collision-free
> [ROCH1995][KNMA2005][ROCH1997], albeit successful collision attacks
> for properly implemented MD2 are not that damaging.
>
> Is that correct?
>
> Cathy
>
> On Oct 18, 2010, at 3:02 PM, Sean Turner wrote:
>
>> Catherine,
>>
>> Thanks for your review.
>>
>> How about I make the following two changes:
>>
>> 1) In Section 1, add something to provide a better characterization
>> of the collision-resistance:
>>
>> OLD:
>>
>> Since its publication, MD2 has been shown to not be collision-free
>> [ROCH1995][KNMA2005][ROCH1997] and shown to have successful
>> pre-image attacks [KNMA2005][MULL2004][KMM2010].
>>
>> NEW:
>>
>> Since its publication, MD2 has been shown to not be collision-free
>> [ROCH1995][KNMA2005][ROCH1997], albeit successful pre-image attacks
>> for properly implement MD2 are not that damaging. MD2 has also been
>> shown to have successful pre-image and second-preimage attacks
>> [KNMA2005[MULL2004][KMM2010].
>>
>> 2) In section 6, align the last sentence of the second paragraph and
>> the 1st sentence of paragraph 3:
>>
>> OLD:
>>
>> .., which is not significantly better than the birthday attack.
>>
>> Even though collision attacks on MD2 are not more powerful than
>> the birthday attack, MD2 was found not to be one-way...
>>
>> NEW:
>>
>> .., which is not significantly better than the birthday attack.
>>
>> Even though collision attacks on MD2 are not significantly more
>> powerful than the birthday attack, MD2 was found not to be
>> one-way...
>>
>> spt
>>
>> On 10/16/10 2:36 PM, Catherine Meadows wrote:
>>> I have reviewed this document as part of the security directorate's
>>> ongoing effort to review all IETF documents being processed by the
>>> IESG. These comments were written primarily for the benefit of the
>>> security area directors. Document editors and WG chairs should treat
>>> these comments just like any other last call comments.
>>>
>>>
>>> This document recommends that the MD2 hash algorithm be moved to
>>> historic status and gives
>>> the rationale for doing this. The reasons are mainly
>>> security-related, given that the algorithm
>>> has been shown not to be collision-free and is vulnerable to
>>> pre-image attacks. Performance is also an
>>> issue. The impact is minimal, given that support for MD2 in the
>>> standards that refer to it is either optional or
>>> discouraged.
>>>
>>> I have no problems with the decision or rationale. I agree, as I am
>>> sure that everyone else does, the MD2
>>> should be retired.
>>>
>>> I do have one minor recommendation though about the rationale: in
>>> section 2 (the Rationale section),
>>> you say that MD2 has been shown to not be collision-free and is
>>> vulnerable to pre-image attacks. The Rationale
>>> appears to give both these concerns equal value. But in Section 6
>>> (Security Considerations), you say
>>> that the most successful collision attacks against MD2 are not
>>> significantly better than the birthday attack,
>>> and the real security problems with MD2 have to do with its
>>> vulnerability to pre-image attacks. It seems to me that
>>> this reasoning should be reflected in the Rationale.
>>>
>>>
>>> Catherine Meadows
>>> Naval Research Laboratory
>>> Code 5543
>>> 4555 Overlook Ave., S.W.
>>> Washington DC, 20375
>>> phone: 202-767-3490
>>> fax: 202-404-7942
>>> email: catherine.meadows@nrl.navy.mil
>>> <mailto:catherine.meadows@nrl.navy.mil>
>>>
>>> _______________________________________________
>>> secdir mailing list
>>> secdir@ietf.org <mailto:secdir@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/secdir
>>>
>
> Catherine Meadows
> Naval Research Laboratory
> Code 5543
> 4555 Overlook Ave., S.W.
> Washington DC, 20375
> phone: 202-767-3490
> fax: 202-404-7942
> email: catherine.meadows@nrl.navy.mil
> <mailto:catherine.meadows@nrl.navy.mil>
>