Re: [secdir] Secdir review of draft-turner-md4-to-historic-08

[Sean Turner <turners@ieca.com>]

Catherine,

Thanks for the review.  Responses inline.

spt

On 12/3/10 5:37 PM, Catherine Meadows wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
>
> This document recommends that the MD4 hash algorithm be retired and moved to historic status and gives
> the rationale for doing this, namely its known vulnerability to collision and pre-image attacks. The impact is mostly minimal, except
> for three Microsoft RFCs that are still supported in various versions of  Windows and the RADIUS and EAP RFCs .  It would be helpful to learn what other algorithms
> these OSs and RFCs support.  This would give a better idea of the effect of dropping MD4; if there are other alternatives supported by the OS's
> the impact should be minimal here as well.

I it might be hard to explain what alternatives are in each of the OS's 
because it depends a lot on what version/release/path combo is being 
used.  I think RFC 4757 hints pretty strongly that 
aes256-cts-hmac-sha1-96 is supported because it says to use that alg 
instread of RC4-HMAC.

> Other than that, I have no problems with the decision or rationale.  I agree, as I am sure that everyone else does, that MD4
> should be retired.
>
> Some nits:
>
> 1.  "Section 6 also discussed" should be "Section 6 also discusses"   This occurs in several places.

Fixed

> 2. " The RC4-HMAC is supported in Microsoft's Windows 2000 and
>             later for backwards compatibility with Windows 2000. "
> later supported by what?  I assume later versions of Windows, but it is probably a good idea to make this clear.

r/later/later versions of Windows

> 3. When you say that with one exception the impact of retiring MD4 would be minimal, it would be a good idea to mention that exception upfront.
> It is fairly clear after you read the whole impact section  that the exception is the Microsoft RFCs, but nowhere where is that  said explicitly.

How about:

The impact of moving MD4 to Historic is minimal with the one exception 
of Microsoft's use of MD4 as part of RC4-HMAC in Windows, the as 
described below.

> 4.  I'm not sure wether or not   the discussion of MD4's resistance against key recovery attack really belongs in the impacts section (in the discussion
> of RC4-HMAC).  It might give the impression that RC4-HMAC is secure against key recovery, and, given the other attacks found against MD4, it is reasonable
> to believe that this security is only temporary.  I would suggest putting this discussion in the security considerations section, and also, wherever it does end up, adding the appropriate
> caveats.

I'm hesitant to move the text because it's in there specifically to 
address a comment by Sam Hartman.

My understanding of MD4's use in RC4-HMAC is that MD4 is used to 
generate a key from a password and then that key is used as input to 
HMAC-MD5.  So I am actually saying that RC4-HMAC is secure against key 
recovery attacks but this is entirely because HMAC-MD5 is used.  In 
other words, when HMAC-MD5 is broken then RC4-HMAC is broken.