[Tm-rid] Pre-image attack against HHIT generation

Robert Moskowitz <rgm@labs.htt-consult.com> Wed, 20 November 2019 14:54 UTC

To: "tm-rid@ietf.org" <tm-rid@ietf.org>
From: Robert Moskowitz <rgm@labs.htt-consult.com>
Message-ID: <27735a4b-ec24-9d6c-573e-72f99a55ea74@labs.htt-consult.com>
Date: Wed, 20 Nov 2019 22:54:03 +0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/ldCQ6bgbyVqWFGrTkX4Ha_ypyMw>
Subject: [Tm-rid] Pre-image attack against HHIT generation

One item that came up in the BOF was the risk of a pre-image attack 
against HHIT generation.

With only 64 bits in the hash, there is a real concern that the attacker 
can use some bank of GPUs to make lots of x25519 key pairs until getting 
one that hashes to an observed HHIT and impersonate it.

First, this attack is marginalized in that the HIT is used to retrieve a 
DNS HIP RR to get the real registered HI. Then the attacker's signed auth 
message fails Sec 4.1 & 4.2 of draft-wiethuechter-tmrid-auth-02.txt.  
Further, in the no Internet mode an HDA signed object in Sec 4.3 of 
draft-wiethuechter-tmrid-auth-02.txt cannot be provided by the UA.

But this is an important item that I have to cover in the Security 
section of the HHIT draft.  Thus I am looking for help in references to 
timing to generate a key pair.  How does a preimage attack in this 
environment work?  Is there some shortcut where the attacker need not 
generate 700M EC pairs until it creates a collision? Please provide 
references and timings.

Then what if the hash is enlarged from 64 bits to 66? 68?  How big to 
have a longer attack time today?  And then how long would it take in 5 
years from now?  That is, is it worth increasing the hash size to get 
greater preimage attack protection because the attack will NOT get 
easier in n years.

Perhaps a bit of rambling up there, but I do need to include good 
information on this in the security section.

Bob
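
The hash-sizing questions above reduce to the following arithmetic, shown here as an added example that is not part of the original message or of any draft. It assumes a plain brute-force search against a single target hash with no shortcut; the trial rate and the yearly attacker speed-up are constructed placeholders, not measured timings.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_trials(hash_bits):
    """Mean number of fresh key pairs tried before one hashes to a given n-bit value."""
    return 2 ** hash_bits


def success_probability(hash_bits, trials):
    """Chance that at least one of `trials` key pairs matches the target hash."""
    # 1 - (1 - 2^-n)^trials, evaluated stably for a tiny per-trial probability.
    return -math.expm1(trials * math.log1p(-2.0 ** -hash_bits))


def years_to_preimage(hash_bits, rate_per_sec, years_ahead=0, annual_speedup=1.0):
    """Expected search time, in years, for a search started `years_ahead` from now."""
    future_rate = rate_per_sec * annual_speedup ** years_ahead
    return expected_trials(hash_bits) / future_rate / SECONDS_PER_YEAR


def min_hash_bits(target_years, rate_per_sec, years_ahead=0, annual_speedup=1.0):
    """Smallest hash length whose expected search time is at least `target_years`."""
    future_rate = rate_per_sec * annual_speedup ** years_ahead
    needed_trials = target_years * SECONDS_PER_YEAR * future_rate
    return math.ceil(math.log2(needed_trials))


if __name__ == "__main__":
    # Constructed placeholders: replace with a measured keygen+hash rate and a
    # growth estimate you can cite. Neither number comes from the message.
    ASSUMED_RATE = 1e9              # key pairs generated and hashed per second
    ASSUMED_SPEEDUP = 2 ** 0.5      # attacker capacity doubles every two years

    print("bits  years today  years in 5y")
    for bits in (64, 66, 68):
        now = years_to_preimage(bits, ASSUMED_RATE)
        later = years_to_preimage(bits, ASSUMED_RATE, 5, ASSUMED_SPEEDUP)
        print(f"{bits:4d}  {now:11.1f}  {later:11.1f}")

    bits = min_hash_bits(1000, ASSUMED_RATE, 5, ASSUMED_SPEEDUP)
    print("bits for a 1000-year expected search, 5 years out:", bits)
```

Each added bit doubles the expected search time, so the choice between 64, 66 and 68 bits only becomes concrete once a defensible trial rate is plugged in.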