Re: [Tm-rid] Some updates and work on HHITs

On 8/20/19 4:39 PM, Wiethuechter, Adam wrote:
> Everyone,
>
> Attached is the latest version of the HHIT generation script 
> (2019.08a13) along with a script to search for duplicate HITs/HHITs 
> when a data set is generated.
>
> Pertaining to the last update here;
> - We now use ORCHID to generate both HITs and HHITs from the key-pair 
> generated
> - A data set can be created (default size of 1000000, can be changed 
> in script), this will output a text file called "hhit_set.txt" 
> containing the pairs of HIT/HHITs to feed into the duplicate tester 
> program.
> - General clean up and documentation of the script for better 
> understanding
> - Disabled the DER format for public key generation and switched to 
> PUB format as DER could not be opened in the script without errors.
>
> I generated a 1M data set (by request of Bob) with the scripts and 
> searched for duplicate HITs and HHITs. None were found in my data set.

Per the collision formula, the probability of collision of 1M in a 
potential population of 2^64 is:

  2.7x10^-6 %

That is basically a zero probability.  IF you had collisions then I 
would be suspicious of some underlying assumption.

No collisions is good.  10M takes the probability down to:

  2.7x10^-4 %; still basically zero.

This means that a Registry should only need a single assigned HDA value 
to support a LARGE number of customers.  Plus the use of the HIP 
registration protocol will have the HDA rejecting duplicate HHITs, 
operating on a first come basis.  Thus even if there were an attack 
against the small hash piece, an attacker would not 'get far' as the 
registered HI SHOULD be in the Registry.

I will soon be posting here on work items.

Bob

>
> To test yourself run the following (everything generated will drop 
> into the same directory as the scripts, so be careful):
> $ python3 hhit-gen.py -n <name> -p <password> --dataset y
> $ python3 hhit-dup.py
>
> The duplication tester script will output 2 files once complete:
> - "hit_dups.txt" = a file containing the duplicate records for HITs
> - "hhit_dups.txt" = a file containing the duplicate records for HHITs
>
> For anyone curious I also have my data set tarred up (its 212.4MB) 
> that I will offer up if anyone wishes to have it to confirm my results 
> in their own way. Just email me and I will send it to you directly.
>
> On Wed, Aug 14, 2019 at 2:28 PM Wiethuechter, Adam 
> <adam.wiethuechter@axenterprize.com 
> <mailto:adam.wiethuechter@axenterprize.com>> wrote:
>
>     All,
>
>     Attached is a quick Python3 script I created using Bob's email.
>     It does not handle the actual creation of the HHIT yet, but does
>     perform the operations for the key generation.
>
>     On Wed, Aug 14, 2019 at 8:50 AM Robert Moskowitz
>     <rgm@labs.htt-consult.com <mailto:rgm@labs.htt-consult.com>> wrote:
>
>         Just to let people here know I have been working away with some
>         groundwork, expanding on the prior list of documents and
>         peripheral things.
>
>         Right now I am working on what a eddsa pki would be that would
>         back up
>         the proposed HHITs and various repositories.  For this I want to
>         generate some testing HHITs.
>
>         I will use openssl from my draft-moskowitz-eddsa-pki and HHIT
>         format
>         from draft-moskowitz-hierarchical-hip (sec 4).
>
>         I make the ed25519 keypair with:
>
>             openssl genpkey -aes256 -algorithm ed25519 -outform pem -out
>         entity.key.pem
>
>         Note the keypair is encrypted; it contains the private key. 
>         This can be
>         viewed with:
>
>             openssl pkey -inform pem -in entity.key.pem -text -noout
>
>         The public key can be extracted in DER format with:
>
>         openssl pkey -in entity.key.pem -out entity.pub.der -outform
>         DER -pubout
>
>         For the HHIT:
>
>         HIT SUITE ID = 4
>         RAA = 10
>         HDA = 20
>
>         It would be great to have this as a python or perl script. 
>         That way I
>         may learn something along the way.
>
>         Inputs are:
>
>         key file name
>         key password
>         HIT Suite ID
>         RRA
>         HDA
>
>         Output should be:
>
>         the HHIT in 128bit binary to some file
>         the HHIT in ipv6 : display format
>
>         Thanks on any help.  I will be posting this to both the tm-rid
>         list and
>         the hipsec list.
>
>         Bob
>
>
>         -- 
>         Tm-rid mailing list
>         Tm-rid@ietf.org <mailto:Tm-rid@ietf.org>
>         https://www.ietf.org/mailman/listinfo/tm-rid
>
>
>
>     -- 
>     73's,
>     Adam T. Wiethuechter
>
>
>
> -- 
> 73's,
> Adam T. Wiethuechter

-- 
Standard Robert Moskowitz
Owner
HTT Consulting
C:248-219-2059
F:248-968-2824
E:rgm@labs.htt-consult.com

There's no limit to what can be accomplished if it doesn't matter who 
gets the credit

Re: [Tm-rid] Some updates and work on HHITs

Attachment: HIT collision probablity.xls