Re: [xmpp] IQ Handling vulnerabilities

Dave Cridland <dave@cridland.net> Tue, 11 February 2014 17:06 UTC

On Tue, Feb 11, 2014 at 4:31 PM, Alexander Holler <holler@ahsoftware.de> wrote:

> which I interpret such, that, besides using a hash from hash (so no new
> source), the ID consists of just the first 10 characters of the 40 of a
> sha1. And then you argue with the collision rate of sha1?
>
>
Oh, I see what you mean now.

Yes, on that model the collision would probably happen much sooner.

It's a collision space of 2^40, though, so a birthday attack would hit
after about 1.3 million stanzas by my calculations. The chance of this
causing a problem seems pretty low.

Dave.
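
The birthday arithmetic for a 10-hex-character (40-bit) ID, as an added example that is not part of the original message or of any XMPP implementation. It assumes IDs are uniformly distributed and models the "hash from hash" construction as SHA-1 of SHA-1 over a constructed seed and counter; all function names are hypothetical.

```python
import hashlib
import math

def collision_probability(n: int, bits: int) -> float:
    """Birthday approximation: P(at least one repeat among n uniform IDs)."""
    return -math.expm1(-n * (n - 1) / (2 * 2 ** bits))

def ids_for_probability(p: float, bits: int) -> float:
    """Number of IDs at which the collision probability reaches p."""
    return math.sqrt(2 * 2 ** bits * math.log(1 / (1 - p)))

def expected_ids_until_collision(bits: int) -> float:
    """Mean number of IDs issued up to the first repeat, ~ sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * 2 ** bits / 2)

def truncated_id(seed: bytes, counter: int, hex_chars: int) -> str:
    # Assumed construction: hash of a hash, cut to the first hex_chars characters.
    inner = hashlib.sha1(seed + counter.to_bytes(8, "big")).digest()
    return hashlib.sha1(inner).hexdigest()[:hex_chars]

def ids_until_collision(seed: bytes, hex_chars: int) -> int:
    """Issue IDs until one repeats; return how many were issued."""
    seen = set()
    counter = 0
    while True:
        tid = truncated_id(seed, counter, hex_chars)
        counter += 1
        if tid in seen:
            return counter
        seen.add(tid)

def simulated_mean(hex_chars: int, trials: int = 400) -> float:
    # Constructed seeds (the trial number), so the run is reproducible offline.
    runs = [ids_until_collision(t.to_bytes(4, "big"), hex_chars) for t in range(trials)]
    return sum(runs) / trials

if __name__ == "__main__":
    # 4 hex chars (16 bits) is small enough to simulate and checks the formula.
    print("16-bit simulated mean:", simulated_mean(4))
    print("16-bit predicted mean:", round(expected_ids_until_collision(16)))
    # 10 hex chars (40 bits) is the truncation discussed in the thread.
    print("40-bit expected IDs to first repeat:", round(expected_ids_until_collision(40)))
    print("40-bit IDs for 50% collision chance:", round(ids_for_probability(0.5, 40)))
    print("40-bit P(collision) after 1.3M IDs:", round(collision_probability(1_300_000, 40), 3))
```

The 16-bit simulation is only there to validate the formula against real truncated SHA-1 output; the 40-bit figures are computed analytically because simulating them needs millions of IDs per trial.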