
Re: [Cfrg] DNSSEC considering adopting GOST R 34.10-2001 and GOST R 34.11-94



My questions and concerns with standardizing GOST R-34.11-94 would be:

In what freely available publication is this algorithm described (and please don’t point me at Google)? If there’s an English description too – please point me at it also.

When everybody is moving to 128-bit block cipher (and its derivatives) – what is the point of relying on an older 64-bit construct? (Whose cipher incarnation has its block size too small, with key size unjustifiably big)

Some attacks against GOST hash were published – why include an algorithm with chinks in the armor when there are several algorithms with no known attacks?

Plus of course I share the concerns that David mentioned.
--
Regards,
Uri


On 5/28/09 19:14, "David McGrew" <mcgrew at cisco.com> wrote:



On Apr 27, 2009, at 8:02 AM, Christian Rechberger wrote:

> Quoting Paul Hoffman <paul.hoffman at vpnc.org>:
>
>> At 6:00 AM -0700 4/27/09, David McGrew wrote:
>>> some other important questions: how widely reviewed is that
>>> algorithm?
>>
>> I believe that Ólafur would like CFRG to determine the answer to
>> that question. The expertise for "how widely reviewed" is in this
>> group, not in DNSEXT.
>>
>>> What are the claimed security levels?
>>
>> And herein lies a problem. The GOST specs are in Russian. I do not
>> believe that there are any official English translations, and that
>> the unofficial ones are expensive. (I would love to be wrong about
>> either of those statements.) I have Cc'd the author of the relevant
>> draft on this message so he can help.
>>
>>> Where is guidance on how to use the algorithm?
>>
>> In the draft itself: <http://www.ietf.org/internet-drafts/draft-dolmatov-dnsext-dnssec-gost-00.txt>


The draft doesn't have a "security considerations" section.   There is
no guidance other than key size and hash size, and neither the draft
nor RFC 4357 describe what the targeted security level is, or describe
the attacks mentioned by Christian below.  The Internet community
deserves more information from its standards track documents.

It appears that the specification for the GOST R 34.11-94 hash
function is not easily accessible.  It is only referenced by RFC 4491,
and is not defined there.   If there really is an expectation that the
hash will be widely used on the Internet, then there should be an RFC
that specifies how to implement the hash, as RFC 3394 did for the NIST
Key Wrap algorithm, for instance.

If I'm missing some source of information, I hope that someone will
point it out,

David


>>
>>
>>
>>> I cannot find any references to it in the peer-reviewed literature.
>>> Perhaps I am not using the right keyword or something.
>>
>> Here are a few:
>>
>> <http://www.iacr.org/conferences/asiacrypt2005/rump/Dunkelman_AC05_Rump.pdf>
>>
>> <https://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=80200&pCurrPk=36649>
>>
>> <https://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=81262>
>>
>>> If anyone on the CFRG list has reviewed the algorithm, it would be
>>> great if we could hear from them.
>>
>> Yes, please!
>>
> I'm one of the authors of the above mentioned papers.
>
> To cut a long story short: We looked at the alleged GOST hash (using
> unofficial translations and help from people knowing Russian), and
> found both collision and preimage attacks, suggesting that the GOST
> hash function is less secure than one would expect from a "good"
> hash function.
>
> Note that none of the attacks we propose is practical. Still, no
> such attacks are known on any of the SHA-2 hash functions.
>
> Best regards,
> Christian
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg at irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
