Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 06 June 2011 11:33 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E2E811E80F3 for <sidr@ietfa.amsl.com>; Mon, 6 Jun 2011 04:33:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBtFQS+W+73b for <sidr@ietfa.amsl.com>; Mon, 6 Jun 2011 04:33:41 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by ietfa.amsl.com (Postfix) with ESMTP id 3004411E80FA for <sidr@ietf.org>; Mon, 6 Jun 2011 04:33:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 31734171C2B; Mon, 6 Jun 2011 12:33:38 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1307360017; bh=fgs8SSCm4mhe0j SEJoT36UFXZgA1mJmaSR07J1aFzlc=; b=arx7kTOZpGEykArhdV5gr8wZNvolwK 0LPAX76h85mfTJJNDh6Uvfc+Hq1VplYujNZFQuxM21vtyVqy8ibK5k4RBY4Jhrrh J254TSdALSh4OXCcfxENrbh0qPp4lU7PdSAfTTn01dm0WlNF/fQ7bTP27sVrEieO y9pBqyxpGd/g9qpHXjBRzdPTrsPjhObmjwNdkETt3YCCQ8RbCS2sc5w20LZNJehb 4hO+4NpBJuBGk1sOQKryfN6GOpkH+46LjvYKSFwf3rQCXxM+0jrOU8+d+GiudmYd vF2sE0sl0Pi4bGnad3oBWiUOZJHwNcV7gOvAVS0MIcknj8l/Of9Ff0DQ==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id twW9mnG4IprW; Mon, 6 Jun 2011 12:33:37 +0100 (IST)
Received: from [10.87.48.9] (unknown [86.42.182.86]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id E3CEB171C17; Mon, 6 Jun 2011 12:33:34 +0100 (IST)
Message-ID: <4DECBB0E.3090001@cs.tcd.ie>
Date: Mon, 06 Jun 2011 12:33:34 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <4DAF44AC.8060408@isi.edu> <BANLkTikLi2p7UipJ!TRSQqVOL6GkLn=j9iA@mail.gmail.com> <F0FABE61-FC1D-45ED-A21D-ED7A1228A997@isi.edu> <01eb01cc0325$6e4fd260$4001a8c0@gateway.2wire.net> <4DB592B3.3090805@isi.edu> <033e01cc05a8$0a82f160$4001a8c0@gateway.2wire.net> <4DB9A456.3060709@isi.edu> <BANLkTikg18FV5H0bOdOfWMzpTcm_B__EVQ@mail.gmail.com> <017b01cc13ff$0cb6da40$4001a8c0@gateway.2wire.net> <BANLkTink82qvhge6rRhqt5+h-2mEkKBMhA@mail.gmail.com> <m21uzwr3tw.wl%randy@psg.com> <BANLkTimPnMfE1ii=6uwAckoFY0yUU=w43g@mail.gmail.com> <BANLkTinu8pxxCj4cdJzbS3z5h=8=s+U3Gw@mail.gmail.com> <D1D8138DDF34B34B8BC68A11262D10790F6233E006@EUSAACMS0701.eamcs.ericsson.se> <Pine.WNT.4.64.1106031624560.2148@SMURPHY-LT.columbia.ads.sparta.com> <D1D8138DDF34B34B8BC68A11262D10790F6233E04A@EUSAACMS0701.eamcs.ericsson.se> <B! ANLkTi=OcqYbBReP+F+6e+mdqySEWPkq4Q@mail.gmail.com> <D1D8138DDF34B34B8BC68A11262D10790F6233E0E3@EUSAACMS0701.eamcs.ericsson.se> <8FFA5FF6-317C-4433-8629-369563A384FD@vpnc.org>
In-Reply-To: <8FFA5FF6-317C-4433-8629-369563A384FD@vpnc.org>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: sidr@ietf.org
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jun 2011 11:33:42 -0000
On 04/06/11 21:04, Paul Hoffman wrote: > On Jun 3, 2011, at 7:15 PM, Uma Chunduri wrote: > >> exactly how is MD5 the weakest link here? some particular words about the threat model + ability to subvert a running session which ships a few megabytes/minute around would be in order here. >> >> [Uma] >> >> 1. Wang, X., H. Yu, "How to break MD5 and other hash >> functions", Proc. IACR Eurocrypt 2005, Denmark >> 2. RFC 4270 > > Wearing my co-author-of-4270 hat, let me state forcefully: invoking RFC 4270 or *any* current published work on MD5 does not answer the question of how MD5 is the weakest link here. Those are *unrelated* to an attack on the integrity of communication in draft-sidr-rpki-rtr. Collision attacks on MD5 and SHA-1 are, to date, unrelated to preimage attacks, and it is preimage attacks that you care about. So I've been thinking a little about this. First, I do not know of any practical md5 preimage attacks so far, however, if we allow tcp-md5 in this spec, we're effectively betting that that will remain the case for a few years at least and that's not a bet with which I'd be happy when we do have stronger options that are already specified. Second, and perhaps more importantly, given that md5 is broken for collisions, there may be other attacks on this protocol using tcp-md5 that are enabled by that fact and that do not require a preimage break for md5. For example, if an attacker generates two colliding values t2 and t2' and gets a value related to t2 injected into the rpki so that at some later point a cache response message will have the value t1|t2|t3, then our (now on-path) attacker sees t1|t2|t3|MD5(t1|t2|t3|secret) and can substitute t2' for t2 and have that work. I'm making many assumptions here about encodings, lengths and the amount of work involved all working out for an attacker who can inject values into the rpki and be on-path, but I think those are not necessarily unreasonable given the rapidssl attack of a few years ago. [1] [1] http://www.win.tue.nl/hashclash/rogue-ca/ So, unless I'm off the mark on this point, (which is quite possible), I think that tcp-md5 is simply unacceptable here. Stephen. > > > On Jun 4, 2011, at 9:38 AM, Stephen Farrell wrote: > >> Trying to catch up with you all here. >> >>> From reading the mail thread it seems to me that: >> >> - tcp-md5 is available but undesirable >> - tcp-ao is desirable but unavailable so far >> - ssh is available and slightly undesirable for >> performance reasons but desirable in >> security terms >> >> That would imply that an answer might be: >> >> MUST implement SSH; SHOULD implement TCP-AO and >> MUST/SHOULD prefer TCP-AO over SSH if both >> available >> >> Would that garner (rough) consensus? > > Another proposal that might be more likely to garner rough consensus would be: MUST implement TCP-MD5 [RFC2385]; SHOULD implement TCP-AO [RFC5925] (the official successor to TCP-MD5) as soon as possible; if both parties in the protocol support TCP-AO, they SHOULD use TCP-AO and SHOULD NOT use TCP-MD5. After we believe that there is lots of TCP-AO adoption, we revise the document and remove TCP-MD5 as an option. > >> We really do want to deprecate tcp-md5. > > We already have: RFC 5925 obsoletes RFC 2385. The question is whether we want to prevent new protocols from using it and instead force them to use something else that doesn't work as well operationally while TCP-MD5 is still considered safe. Saying "MUST implement SSH" is tantamount to saying "many systems will run unprotected", which might be acceptable until TCP-AO is deployed. However, using TCP-MD5, but only until TCP-AO is deployed, seems like a better idea. > > --Paul Hoffman > >
- [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Jared Mauch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Danny McPherson
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Smith, Donald
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- [sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr - t… Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr… Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] draft-sidr-rpki-rtr t.petch
- Re: [sidr] draft-sidr-rpki-rtr Joe Touch
- Re: [sidr] draft-sidr-rpki-rtr Randy Bush
- Re: [sidr] draft-sidr-rpki-rtr Stewart Bryant
- Re: [sidr] draft-sidr-rpki-rtr t.petch
- Re: [sidr] draft-sidr-rpki-rtr Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch