[secdir] secdir review of draft-baeuerle-netnews-cancel-lock-05
David Mandelberg <david@mandelberg.org> Sat, 10 June 2017 04:26 UTC
Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30651124D85 for <secdir@ietfa.amsl.com>; Fri, 9 Jun 2017 21:26:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GiXWN3FtyHmj for <secdir@ietfa.amsl.com>; Fri, 9 Jun 2017 21:26:37 -0700 (PDT)
Received: from nm10-vm5.access.bullet.mail.gq1.yahoo.com (nm10-vm5.access.bullet.mail.gq1.yahoo.com [216.39.63.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0644C127201 for <secdir@ietf.org>; Fri, 9 Jun 2017 21:26:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1497068796; bh=cH7vtDViK57/mXQ7To/TjGIFKA4d1kLnHuLOYvAP0Wo=; h=From:Subject:To:Date:From:Subject; b=Wj1+VHQTyr+r4ThLvthqQ2uJgwzHqsSV7ymQfknwkvavABhZfGnlpZLz/gx0VJoAY00o7ZNoHZEXL2P1cSs7LRC9ICpqNpFSWPtkSp0i+fvNmNhSxxEZvOPZQZspFO5HwgGRIOTafPaPBlibbF2Jtr/PPjkXcAoWITDTD9TqtjhZiDU0SF0B0ikj7E8JsZVRPim8W+5AyFuWUuUz4k35WGCrOXCEksGXS4X/NEybIvRYiU5PAA9JIYjTU/6/dU8JZn7UWLRPvkP+8pDe1umExHsADB6bhBBW8a2MjXsQpS+XlkIztKQW8G7F03G91MmcGFNIupVjaQ188S6Kn+tfAQ==
Received: from [216.39.60.172] by nm10.access.bullet.mail.gq1.yahoo.com with NNFMP; 10 Jun 2017 04:26:36 -0000
Received: from [98.138.104.97] by tm8.access.bullet.mail.gq1.yahoo.com with NNFMP; 10 Jun 2017 04:26:36 -0000
Received: from [127.0.0.1] by smtp117.sbc.mail.ne1.yahoo.com with NNFMP; 10 Jun 2017 04:26:36 -0000
X-Yahoo-Newman-Id: 183491.25595.bm@smtp117.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: CrWy.vAVM1kKuAGhseym8CBRbqKchdpnJbXYqnqRH27RGP1 ZWEQ5QJwm0nlOgtEZ0HzUy_ilqHfHNH_YquQLQfK8OzQR46n4bvh.K7J7jKC V5KcldYAzxhdp9vye7jbnSKchmLUtcEs25irFT1YpbOEUl7lrI3s8slthR3u 3sQA7l3KpOlWdoPQtjdBKupdKrQlR4Rx3NqOJx6KtPdclSmMHgOUFWlAQlq5 gX1WGRVDbGtrHU8Fz60F6HW9428CoRF4vPoa8cnFlqhqH.4UBuw4uXPl46Pf ylfRsRyw.au66XhHiQhjQQPwsQjS5f1Yg.uk0OXuTGm1H5ekp3ghyOCn_NpM rKz.VA._8YSSP58i_7zoGZ.B_pTkRcG3KtmpGffaCXMrpV4wNZuiAXFev8S. KMFDxmB.9in.ZS741rA1AMlWoR0PkmBuVmnNTlXoiFt0tX1EAwqpIn9lX8xY rVhZL4VsN04.qqijjNCVVKI0ntaQU2amB2gLIpI2Q9UGZHjcRs0Z_UnTwZU0 Zb88XJKGh39Rr6..7s.8qeqRFgPIVpgdrv4Ddkw0-
X-Yahoo-SMTP: 4kJJK.qswBDPuwyc5wW.BPAQqNXdy5j09UNyeAS0pyOQ708-
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 46F841C602E; Sat, 10 Jun 2017 00:26:35 -0400 (EDT)
From: David Mandelberg <david@mandelberg.org>
To: iesg@ietf.org, secdir@ietf.org, draft-baeuerle-netnews-cancel-lock.all@ietf.org
Message-ID: <79785418-2159-2dba-3beb-b9391a5a2ddf@mandelberg.org>
Date: Sat, 10 Jun 2017 00:26:31 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="WWs76wWj7dFgOxsHagClOqQD1w8jFAm0a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/kFJZy1I-UwBmrvsNbRv-BjGEpwE>
Subject: [secdir] secdir review of draft-baeuerle-netnews-cancel-lock-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Jun 2017 04:26:39 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Not ready. The authentication in this document is single-use per article. I.e., once a single supersede or cancel is issued for an article, anybody can "forge" other valid supersedes or cancels for the same article. I assume that a cancel followed by a forged cancel is unimportant, but what about cancel->supersede, supersede->cancel, or supersede->supersede? Also, what about the race condition if the attacker can propagate the forgery faster than the original propagates? This document recommends calculating a single key K for each article (section 4), then publishing base64(hash(base64(K))) values for multiple different hash algorithms. This means that the preimage resistance of the weakest hash algorithm places an upper bound on the security of the authentication, even if the receiver ignores weaker algorithms. (An attacker who can calculate K from the weak hash can generate valid keys for the stronger hashes.) Additionally, while plenty of research goes into preimage security of individual hash algorithms, I don't think as much research goes into preimage security of multiple algorithms used in parallel on the same input. While I don't know of any non-brute-force attacks that can find X given sha256(X) and sha512(X), I see no reason that it wouldn't be easier than the easiest of the two individual preimage attacks. (I am not an expert though, there might be something I'm missing.) Section 4: Is it ever possible for two different (uid, mid) pairs to have the same concatenated value? E.g., alice@example.co + mfoo and alice@example.com + foo. If that ever happened and one of the two articles was canceled, an attacker would be able to cancel the other article. Section 4: I don't understand Q1. Are you asking me if the existing implementations are doing something insecure? (It's not specified well enough for me to tell.) Section 4: I think you should run any user-supplied password through a key derivation function before using it as a MAC key. Section 7: As I understand the terms, you care about preimage resistance, but not second preimage. (I think preimage covers finding any input that results in the specified output, not only the input that originally generated the specified output. But I might be misunderstanding the terms.) Section 7: I don't know where the minimum key sizes come from, but they seem a bit low to me. And for Q2, I don't know, sorry. -- David Eric Mandelberg / dseomn http://david.mandelberg.org/
- [secdir] secdir review of draft-baeuerle-netnews-… David Mandelberg
- Re: [secdir] secdir review of draft-baeuerle-netn… Michael Bäuerle
- Re: [secdir] secdir review of draft-baeuerle-netn… Michael Bäuerle
- Re: [secdir] secdir review of draft-baeuerle-netn… Michael Bäuerle
- Re: [secdir] secdir review of draft-baeuerle-netn… Michael Bäuerle
- Re: [secdir] secdir review of draft-baeuerle-netn… David Mandelberg
- Re: [secdir] secdir review of draft-baeuerle-netn… David Mandelberg
- Re: [secdir] secdir review of draft-baeuerle-netn… David Mandelberg