Re: [xmpp] IQ Handling vulnerabilities

Thijs Alkemade <thijs@xnyhps.nl> Tue, 11 February 2014 15:31 UTC


On 11 feb. 2014, at 16:14, Alexander Holler <holler@ahsoftware.de> wrote:

> On 11.02.2014 13:29, Dave Cridland wrote:
>> On Tue, Feb 11, 2014 at 12:23 PM, Alexander Holler <holler@ahsoftware.de> wrote:
>> 
>>> Hmm, in all these mails it was never mentioned that IDs still have to
>>> be unique over some time for one session. I'm not sure if such is given
>>> with the above constructs. It might be very unlikely that the same ID will
>>> appear twice, but someone has to take a deeper look at it when using such
>>> constructs like above. Of course, in reality the window in time IDs must be
>>> unique is rather small, but ...
>>> 
>> 
>> You'd need random collisions amongst cryptographically secure hashes.
>> You're pretty safe.
> 
> I don't agree. You are safe if you use the hash as intended, but not
> if you just use some part of the hash(-number) or hashes of hashes. I'm
> not sure about how safe it is (in regard to collisions) if you look at
> consequent hashes of hashes. I would assume that is not what
> cryptographers do look for (primarily).
> 
> At least I can't remember to have seen some discussion if the series of
> hash(hash(hash(...))) is collision free (that is imho quite different
> than hash(random); hash(random)). Of course, I'm not looking that often
> at cryptographic papers, I usually prefer if cryptographers do such. ;)

You're not going to stumble upon a SHA-1 collision by accident. Even if you do
"hashes of hashes". The estimated cost of an intentional SHA-1 collision is
still at least $1M:
https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html

If you do happen to find one, congratulations, you are now famous. Nobody has
published a SHA-1 collision yet.

Collisions in 'id's are also not very relevant. In any XMPP client, there will
be a finite list of 'id's for which it still expects a reply (outstanding
queries, unacked messages). Checking against each of those is trivial.

Thijs
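
The check described in the last paragraph of the message above, as an added example that is not part of the original message or of any XMPP client's code: a table of outstanding 'id's that redraws a new id if it collides with one still awaiting a reply, drops replies for ids nobody asked for, and expires entries so the list stays finite. The class name, the `secrets.token_hex` id source and the 60-second reply window are assumptions.

```python
import secrets
import time


class OutstandingIds:
    """Tracks the 'id's a client still expects a reply for."""

    def __init__(self, new_id=lambda: secrets.token_hex(16), timeout=60.0,
                 clock=time.monotonic):
        self._new_id = new_id      # assumed id source; any generator works
        self._timeout = timeout    # assumed reply window, in seconds
        self._clock = clock
        self._pending = {}         # id -> (deadline, context)

    def _expire(self):
        now = self._clock()
        for stanza_id in [i for i, (d, _) in self._pending.items() if d <= now]:
            del self._pending[stanza_id]

    def allocate(self, context):
        """Return an id that is unique among the outstanding ones."""
        self._expire()
        stanza_id = self._new_id()
        while stanza_id in self._pending:   # collision: just draw again
            stanza_id = self._new_id()
        self._pending[stanza_id] = (self._clock() + self._timeout, context)
        return stanza_id

    def resolve(self, stanza_id):
        """Return the context for a reply, or None if the id is not outstanding."""
        self._expire()
        entry = self._pending.pop(stanza_id, None)
        return entry[1] if entry else None

    def __len__(self):
        self._expire()
        return len(self._pending)


def demo():
    # Constructed id source that repeats "a" to force a collision.
    ids = iter(["a", "a", "b", "a"])
    now = [0.0]
    t = OutstandingIds(new_id=lambda: next(ids), timeout=10.0, clock=lambda: now[0])
    first = t.allocate("disco#info")
    second = t.allocate("roster get")   # draws "a" again, retries, gets "b"
    unknown = t.resolve("zzz")          # reply for an id that was never sent
    got = t.resolve(first)
    replay = t.resolve(first)           # same id a second time
    now[0] = 11.0                       # "b" times out
    reused = t.allocate("ping")         # "a" is free again
    return first, second, unknown, got, replay, reused, len(t)
```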