Re: [secdir] Secdir review of draft-turner-md2-to-historic-05

Sean Turner <turners@ieca.com> Mon, 18 October 2010 19:01 UTC

To: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Cc: draft-turner-md2-to-historic.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org

Catherine,

Thanks for your review.

How about I make the following two changes:

1) In Section 1, add something to provide a better characterization of 
the collision-resistance:

OLD:

  Since its publication, MD2 has been shown to not be collision-free
  [ROCH1995][KNMA2005][ROCH1997] and shown to have successful
  pre-image attacks [KNMA2005][MULL2004][KMM2010].

NEW:

  Since its publication, MD2 has been shown to not be collision-free
  [ROCH1995][KNMA2005][ROCH1997], albeit successful pre-image attacks
  for properly implemented MD2 are not that damaging. MD2 has also been
  shown to have successful pre-image and second-preimage attacks
  [KNMA2005][MULL2004][KMM2010].

2) In section 6, align the last sentence of the second paragraph and 
the 1st sentence of paragraph 3:

OLD:

  .., which is not significantly better than the birthday attack.

  Even though collision attacks on MD2 are not more powerful than
  the  birthday attack, MD2 was found not to be one-way...

NEW:

  .., which is not significantly better than the birthday attack.

  Even though collision attacks on MD2 are not significantly more
  powerful than the birthday attack, MD2 was found not to be
  one-way...

spt

On 10/16/10 2:36 PM, Catherine Meadows wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
>
> This document recommends that the MD2 hash algorithm be moved to historic status and gives
> the rationale for doing this.  The reasons are mainly security-related, given that the algorithm
> has been shown not to be collision-free and is vulnerable to pre-image attacks.  Performance is also an
> issue.  The impact is minimal, given that support for MD2 in the standards that refer to it is either optional or
> discouraged.
>
> I have no problems with the decision or rationale.  I agree, as I am sure that everyone else does, that MD2
> should be retired.
>
> I do have one minor recommendation though about the rationale: in section 2 (the Rationale section),
> you say that MD2 has been shown to not be collision-free and is vulnerable to pre-image attacks.  The Rationale
> appears to give both these concerns equal value. But in Section 6 (Security Considerations), you say
> that the most successful collision attacks against MD2 are not significantly better than the birthday attack,
> and the real security problems with MD2 have to do with its vulnerability to pre-image attacks.  It seems to me that
> this reasoning should be reflected in the Rationale.
>
>
> Catherine Meadows
> Naval Research Laboratory
> Code 5543
> 4555 Overlook Ave., S.W.
> Washington DC, 20375
> phone: 202-767-3490
> fax: 202-404-7942
> email: catherine.meadows@nrl.navy.mil