IETF Logo Mail Archive

Re: [xmpp] IQ Handling vulnerabilities

"Joe Hildebrand (jhildebr)" <jhildebr@cisco.com> Fri, 14 February 2014 05:27 UTC

Return-Path: <jhildebr@cisco.com>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F0CC1A00D9 for <xmpp@ietfa.amsl.com>; Thu, 13 Feb 2014 21:27:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.049
X-Spam-Level:
X-Spam-Status: No, score=-15.049 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MybrmSReM86t for <xmpp@ietfa.amsl.com>; Thu, 13 Feb 2014 21:27:32 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 9DB991A00B9 for <xmpp@ietf.org>; Thu, 13 Feb 2014 21:27:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1295; q=dns/txt; s=iport; t=1392355651; x=1393565251; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=T2nOX7Z1/5FTOtDszsso0QkG5QFJAUOUKnKCCx1U2Ew=; b=Ovg6o49RwgxFvzyxklqSsz+Q27kFcNeDFzETzI+9U1A1f6zV2yb1E785 WrMlI/qsM20nQSbsoInvQD2nqMoiHOxgvWwZu0E/JtPfGHYESN22PssWm fS4c4fcWQFg9P1+SQ5fYDx2yijrhojiF5kGjGBFgVUgKU8UcXmqUtg+CT E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgMFAHuo/VKtJV2Y/2dsb2JhbABZgwY4V79agRkWdIImAQEEAQEBNzQLEAIBCDYQJwslAgQBDQUbh2oNyGwTBI55B4Q4BJgskiODLYIq
X-IronPort-AV: E=Sophos;i="4.95,843,1384300800"; d="scan'208";a="303834600"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-1.cisco.com with ESMTP; 14 Feb 2014 05:27:31 +0000
Received: from xhc-aln-x10.cisco.com (xhc-aln-x10.cisco.com [173.36.12.84]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id s1E5RVT8025120 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 14 Feb 2014 05:27:31 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.86]) by xhc-aln-x10.cisco.com ([173.36.12.84]) with mapi id 14.03.0123.003; Thu, 13 Feb 2014 23:27:30 -0600
From: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
To: Alexander Holler <holler@ahsoftware.de>, Dave Cridland <dave@cridland.net>
Thread-Topic: [xmpp] IQ Handling vulnerabilities
Thread-Index: AQHPIy5NY8RkLrfuaUqqtuYhYOIBR5qopVEAgACdaoCAAL9TgP//w6cAgACRRID//6GvV4AEt5CAgAFRugGAAGYnAIAALgeAgAAFTgCAAAw0AIAABAMAgAAJ3oCAAAYHgIAACJcAgAANxACAA2HhAA==
Date: Fri, 14 Feb 2014 05:27:30 +0000
Message-ID: <CF22F6E5.3993D%jhildebr@cisco.com>
References: <CAOb_FnxS-dMT85N7LHj5M9JWk3pL85=ugrDqaT7j5d28HBr0Cw@mail.gmail.com> <CF194491.38AD3%jhildebr@cisco.com> <2F5E925F-021D-408E-91D9-3CC5BEB6BEC6@nostrum.com> <48F4D361-4403-47E6-862D-FBDDDEBCC642@xnyhps.nl> <CF1A369C.38BE2%jhildebr@cisco.com> <CAKHUCzyCwKbmnUoXLHW=XzYbiFrcg-dQsDojGUnA-_r3qK+_Vg@mail.gmail.com> <CF1A4928-54B5-4A95-9A4B-0EC572A3CDBD@cisco.com> <CF1E56C5.38F45%jhildebr@cisco.com> <B671D7DA-CE9A-4A2C-8EDE-BF94F5F6FE82@xnyhps.nl> <52FA165B.8050901@ahsoftware.de> <CAKHUCzzhxKLbkNE=WjtP9S6XWm14-5e7Ut150x4k1akegm+1Qw@mail.gmail.com> <52FA3E53.3060009@ahsoftware.de> <0C2D606F-F718-4B07-A0A8-329C547D1BD8@xnyhps.nl> <52FA4D02.5050907@ahsoftware.de> <52FA5060.9040303@ahsoftware.de> <CAKHUCzyv1cMiZn9OkAXOeaMs-Ti8Z32K-gjygc1dMM9NVLqVPQ@mail.gmail.com> <52FA5DB5.50206@ahsoftware.de> <52FA64EA.3010003@ahsoftware.de> <52FA7076.6070208@ahsoftware.de>
In-Reply-To: <52FA7076.6070208@ahsoftware.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [10.21.65.209]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <0EE9DA693A176B42AC64C60AB02FDFC3@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/xmpp/kb6W0f_vDHDW13NfdyWfHyGoDXE
Cc: XMPP Working Group <xmpp@ietf.org>
Subject: Re: [xmpp] IQ Handling vulnerabilities
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 05:27:34 -0000

(as chair)
Yes, let's call that off-topic.

(as individual)
I don't believe we have to specify an algorithm, since there are no
interoperability consequences.

On 2/11/14 11:48 AM, "Alexander Holler" <holler@ahsoftware.de> wrote:

>Am 11.02.2014 18:59, schrieb Alexander Holler:
>
>> To play with that hash of hash, is it possible that the hash of a hash
>> is the hash itself? If that ever happens your system will have a
>> problem, so how likely is that? And in the proposed solution it's a bit
>> more difficult, because only the higher 5 bytes of the 20 bytes long
>> hash are used. At least for me, the answer to that isn't obvious.
>
>To become completely offtopic, one could formalize that question to how
>the possibility is that
>
>sha1^n(x) = sha1(x) for 2 < n <= 100
>
>(if you need that 100  IDs in series are unique) and furthermore you
>have to look at the upper 5 bytes. I'm not sure if that is what
>cryptographers usually do look at if they check hash algorithms. So
>argueing with whatever they found out about sha1 doesn't look obvious to
>me.
>
>Regards,
>
>Alexander Holler
>
>_______________________________________________
>xmpp mailing list
>xmpp@ietf.org
>https://www.ietf.org/mailman/listinfo/xmpp
>


-- 
Joe Hildebrand

v2.23.0 | Report a Bug | By Email