Re: [secdir] Secdir review of draft-turner-md4-to-historic-08

Sean Turner <turners@ieca.com> Mon, 06 December 2010 14:04 UTC

Return-Path: <turners@ieca.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8DE973A67FA for <secdir@core3.amsl.com>; Mon, 6 Dec 2010 06:04:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.523
X-Spam-Level:
X-Spam-Status: No, score=-102.523 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MfHndluETFkK for <secdir@core3.amsl.com>; Mon, 6 Dec 2010 06:04:13 -0800 (PST)
Received: from nm12.bullet.mail.sp2.yahoo.com (nm12.bullet.mail.sp2.yahoo.com [98.139.91.82]) by core3.amsl.com (Postfix) with SMTP id 464B33A67AF for <secdir@ietf.org>; Mon, 6 Dec 2010 06:04:13 -0800 (PST)
Received: from [98.139.91.61] by nm12.bullet.mail.sp2.yahoo.com with NNFMP; 06 Dec 2010 14:05:34 -0000
Received: from [98.139.91.4] by tm1.bullet.mail.sp2.yahoo.com with NNFMP; 06 Dec 2010 14:05:34 -0000
Received: from [127.0.0.1] by omp1004.mail.sp2.yahoo.com with NNFMP; 06 Dec 2010 14:05:34 -0000
X-Yahoo-Newman-Id: 52588.21997.bm@omp1004.mail.sp2.yahoo.com
Received: (qmail 25711 invoked from network); 6 Dec 2010 14:05:34 -0000
Received: from thunderfish.local (turners@96.231.120.248 with plain) by smtp111.biz.mail.sp1.yahoo.com with SMTP; 06 Dec 2010 06:05:32 -0800 PST
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: dFfiCwQVM1luQuLhJzg3pIJJ6ojD5E78_IiHIQVsDcW2VlO DfFzb4lPMc8nnpxP4GxxvMtmWuX4iDWtMdhLBGbsRljqA9GbD9C7.F7cfnDc iOuAkZeFUEIDgB_O7gSqEZwjMmyTCRvRqGLH4w3EschTXwxy3aXTWBG1OCK9 zuNONPCfWxyMuGzD_c38l7CWSKy3lALJeVyccUxnYN5oqlgA1aovmqQ3hsqX 73WGgMX1XLM1IHmiDoF8-
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4CFCEDAB.9040909@ieca.com>
Date: Mon, 06 Dec 2010 09:05:31 -0500
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101027 Lightning/1.0b2 Thunderbird/3.1.6
MIME-Version: 1.0
To: Catherine Meadows <catherine.meadows@nrl.navy.mil>
References: <8B1C3F0B-07B7-4B48-A2BA-9E8719A49CF9@nrl.navy.mil>
In-Reply-To: <8B1C3F0B-07B7-4B48-A2BA-9E8719A49CF9@nrl.navy.mil>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-turner-md4-to-historic-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Dec 2010 14:04:17 -0000

Catherine,

Thanks for the review.  Responses inline.

spt

On 12/3/10 5:37 PM, Catherine Meadows wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
>
> This document recommends that the MD4 hash algorithm be retired and moved to historic status and gives
> the rationale for doing this, namely its known vulnerability to collision and pre-image attacks. The impact is mostly minimal, except
> for three Microsoft RFCs that are still supported in various versions of  Windows and the RADIUS and EAP RFCs .  It would be helpful to learn what other algorithms
> these OSs and RFCs support.  This would give a better idea of the effect of dropping MD4; if there are other alternatives supported by the OS's
> the impact should be minimal here as well.

I it might be hard to explain what alternatives are in each of the OS's 
because it depends a lot on what version/release/path combo is being 
used.  I think RFC 4757 hints pretty strongly that 
aes256-cts-hmac-sha1-96 is supported because it says to use that alg 
instread of RC4-HMAC.

> Other than that, I have no problems with the decision or rationale.  I agree, as I am sure that everyone else does, that MD4
> should be retired.
>
> Some nits:
>
> 1.  "Section 6 also discussed" should be "Section 6 also discusses"   This occurs in several places.

Fixed

> 2. " The RC4-HMAC is supported in Microsoft's Windows 2000 and
>             later for backwards compatibility with Windows 2000. "
> later supported by what?  I assume later versions of Windows, but it is probably a good idea to make this clear.

r/later/later versions of Windows

> 3. When you say that with one exception the impact of retiring MD4 would be minimal, it would be a good idea to mention that exception upfront.
> It is fairly clear after you read the whole impact section  that the exception is the Microsoft RFCs, but nowhere where is that  said explicitly.

How about:

The impact of moving MD4 to Historic is minimal with the one exception 
of Microsoft's use of MD4 as part of RC4-HMAC in Windows, the as 
described below.

> 4.  I'm not sure wether or not   the discussion of MD4's resistance against key recovery attack really belongs in the impacts section (in the discussion
> of RC4-HMAC).  It might give the impression that RC4-HMAC is secure against key recovery, and, given the other attacks found against MD4, it is reasonable
> to believe that this security is only temporary.  I would suggest putting this discussion in the security considerations section, and also, wherever it does end up, adding the appropriate
> caveats.

I'm hesitant to move the text because it's in there specifically to 
address a comment by Sam Hartman.

My understanding of MD4's use in RC4-HMAC is that MD4 is used to 
generate a key from a password and then that key is used as input to 
HMAC-MD5.  So I am actually saying that RC4-HMAC is secure against key 
recovery attacks but this is entirely because HMAC-MD5 is used.  In 
other words, when HMAC-MD5 is broken then RC4-HMAC is broken.