Re: [secdir] [Drip] Secdir last call review of draft-ietf-drip-arch-22
Robert Moskowitz <rgm@labs.htt-consult.com> Thu, 12 May 2022 14:30 UTC
Return-Path: <rgm@labs.htt-consult.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D5F1C1594AB; Thu, 12 May 2022 07:30:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.754
X-Spam-Level:
X-Spam-Status: No, score=-3.754 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.857, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0EgX8UUkM5Mm; Thu, 12 May 2022 07:29:59 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7134C157B3A; Thu, 12 May 2022 07:29:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 3CE6862569; Thu, 12 May 2022 10:29:10 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 2y8oiDRmHfJe; Thu, 12 May 2022 10:28:59 -0400 (EDT)
Received: from [192.168.160.11] (unknown [192.168.160.11]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id E3C8C6247F; Thu, 12 May 2022 10:28:58 -0400 (EDT)
Content-Type: multipart/alternative; boundary="------------M7lzqusFTTCbaAOovyFq9ggv"
Message-ID: <03e602ed-c970-dccd-2e7c-99a976978a8c@labs.htt-consult.com>
Date: Thu, 12 May 2022 10:29:44 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0
Content-Language: en-US
To: Valery Smyslov <valery@smyslov.net>, 'shuai zhao' <shuai.zhao@ieee.org>, "'Stuart W. Card'" <stu.card@axenterprize.com>, 'Robert Moskowitz' <rgm@htt-consult.com>
Cc: draft-ietf-drip-arch.all@ietf.org, last-call@ietf.org, tm-rid@ietf.org, secdir@ietf.org
References: <164864828914.19999.4038160950945043224@ietfa.amsl.com> <PH0PR17MB5728869B4521B619367A133AF4CB9@PH0PR17MB5728.namprd17.prod.outlook.com> <316c01d86605$738d9d80$5aa8d880$@smyslov.net>
From: Robert Moskowitz <rgm@labs.htt-consult.com>
In-Reply-To: <316c01d86605$738d9d80$5aa8d880$@smyslov.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/x-XVaav4M2rv311fGtBhf4xL468>
Subject: Re: [secdir] [Drip] Secdir last call review of draft-ietf-drip-arch-22
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2022 14:30:01 -0000
I have cut the reply to include only the one action item: On 5/12/22 09:37, Valery Smyslov wrote: > > Hi Shuai, > > *From:*shuai zhao [mailto:shuai.zhao@ieee.org] > *Sent:* Thursday, May 12, 2022 3:11 AM > *To:* Valery Smyslov; Stuart W. Card; Robert Moskowitz > *Cc:* draft-ietf-drip-arch.all@ietf.org; last-call@ietf.org; > tm-rid@ietf.org; secdir@ietf.org > *Subject:* Re: Secdir last call review of draft-ietf-drip-arch-22 > > Hi Valery, > > We have this Github issue tracker > <https://github.com/ietf-wg-drip/draft-ietf-drip-arch/issues/40> for > your comments. Please see our response below. > > thanks for the github reference. Please see my comments inline. > > *From: *Valery Smyslov via Datatracker <noreply@ietf.org> > *Date: *Wednesday, March 30, 2022 at 6:51 AM > *To: *secdir@ietf.org <secdir@ietf.org> > *Cc: *draft-ietf-drip-arch.all@ietf.org > <draft-ietf-drip-arch.all@ietf.org>, last-call@ietf.org > <last-call@ietf.org>, tm-rid@ietf.org <tm-rid@ietf.org> > *Subject: *Secdir last call review of draft-ietf-drip-arch-22 > > Reviewer: Valery Smyslov > Review result: Has Issues > > The topic of the draft is complex and involves many fields which I'm > not expert > of. The overall architecture looks secure, however it's difficult for > me to > analyse all the details. Nevertheless, it seems to me that there are some > security issues with the draft. > > 3. Section 9. > > The size of the public key hash in the HHIT is also of concern. It > is well within current server array technology to compute another key > pair that hashes to the same HHIT. > > If I understand the draft correctly, the size of public key hash is 20 > or 19 > octets (Section 3.1). > > Bob/ The architecture document does not detail the format of an HHIT. > > It turns out that in draft-ietf-drip-rid, the hash size is 64 bits so > this attack is real and details about it are in the Security > Considerations > > of that draft. Perhaps say: > > The size of the public key hash in the HHIT (64 bits) is also of concern > > Finding another key pair that hashes to the same hash > requires second preimage attack, which must take in this case 2^160 or > 2^152. > In my understanding of the state-of-art, it's still beyond > possibilities of > current computers. Am I missing something? > > Bob/ Unfortunately you have to see: draft-ietf-drip-rid-17 sec 10. > > [Med] The initial point was to record the potential security > consideration that should be further examined in the solution spec. > > I'm not convinced we need to call out solution-specific details (e.g., > 64 bits) here or call out ietf-drip-rid. > > I still think that the current text is confusing: it states > that the size of public key hash in the HHIT allows > to find second preimage without any hint on what the size is > or can be. > > I think that a way to eliminate this confusion without mentioning a > concrete value would be to modify the text > that **if** the size of public key hash in the HHIT is > chosen not large enough by solution spec, > then it may be possible to find second preimage and so on. > Valery, The size of the public key hash in the HHIT is also of concern. If the size of the public key hash in the HHIT is not large enough, it could be within current server array technology to compute another key pair that hashes to the same HHIT. ? Bob
- [secdir] Secdir last call review of draft-ietf-dr… Valery Smyslov via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Robert Moskowitz
- Re: [secdir] Secdir last call review of draft-iet… mohamed.boucadair
- Re: [secdir] [Last-Call] Secdir last call review … Michael Richardson
- Re: [secdir] Secdir last call review of draft-iet… Valery Smyslov
- Re: [secdir] Secdir last call review of draft-iet… Card, Stu
- Re: [secdir] Secdir last call review of draft-iet… Valery Smyslov
- Re: [secdir] Secdir last call review of draft-iet… shuai zhao
- Re: [secdir] Secdir last call review of draft-iet… Valery Smyslov
- Re: [secdir] [Drip] Secdir last call review of dr… Robert Moskowitz
- Re: [secdir] [Drip] Secdir last call review of dr… Valery Smyslov
- Re: [secdir] Secdir last call review of draft-iet… Card, Stu