[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CGA-EXT] comments on draft-ietf-csi-hash-threat-03

To: Ana Kukec <anchie at fer.hr>, Suresh Krishnan <suresh.krishnan at ericsson.com>, JiangSheng 66104 <shengjiang at huawei.com>, "cga-ext at ietf.org" <cga-ext at ietf.org>
Subject: [CGA-EXT] comments on draft-ietf-csi-hash-threat-03
From: marcelo bagnulo braun <marcelo at it.uc3m.es>
Date: Mon, 21 Sep 2009 09:39:46 +0200
Delivered-to: cga-ext at core3.amsl.com
List-archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-help: <mailto:cga-ext-request@ietf.org?subject=help>
List-id: CGA and SeND Extensions <cga-ext.ietf.org>
List-post: <mailto:cga-ext@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

Hi,

I have reviewed this document and i have some comments:

Substantial:
=============

Issue #1
---------

In section 3.3. Attacks against the Digital Signature in the SENDUniversal Signature option

I don't think the document should make an analysis of the SEND universalsignature option yet to be defined and for whicht he WG has no consensusyet.I think the hash analysis required is to be performed about the currentrfc3971 spec.So I suggest to remove all the text referring to the PK-agility andleave only the text about the signature option as defined in rfc3971


Issue #2
--------

Then in section 3.3. it reads:

The possible attack on such explicit digital signature is a
  typical non-repudiation attack, i.e. the Digital Signature field is
  vulnerable to the collision attack.  An attacker produces two
  different messages, m and m', where hash(m) = hash(m').  He underlays
  one of the messages to be signed with the key authorized through
  CGAs, but uses another message afterwards.  However, as denoted in
  [rfc4270], the structure of at least one of two messages in a
  collision attack is strictly predefined.  The previous requirement
  complicates the collision attack, but we have to take into account
  that a variant of SHA-1 was already affected by recent collision
  attacks and we have to prepare for future improved attacks.

I fail to understnad what is the impact of this attack. I mean, it meansthat the attacker could manage to make a host to sign one message andthen present another one. I understnad that. How this applies in thecntext of SeND? could you make an more clear example of what can be donein the actual send protocol?


Issue #3
--------

In section 3.4. Attacks against the Key Hash in the SEND UniversalSignature option it covers the analysis for the SeND universal signatureoption.

Similarly, remove that part and only cover the fields defined in rfc3971

Issue #4
--------

In section 4.1. The negotiation approach for the SEND hash agility
it reads:

  None of the previous solutions supports the negotiation of the hash
  function.  Therefore we propose the negotiation approach for the SEND

I don't think this document proposes anything. I think this should berephrased as another possible option in order to support hash agility(like the others that have been described earlier in the section)


Issue #5
--------

In section 3, the attacks against the one property are described indetail but the one against the collision property is not. Sionce thelast one is the one we care the most, i would suggest some text is addeddescribing it with the same level of detail.


regards, marcelo

Follow-Ups:
- Re: [CGA-EXT] comments on draft-ietf-csi-hash-threat-03
  - From: Sheng Jiang

Prev by Date: [CGA-EXT] comments on draft-jiang-csi-dhcpv6-cga-ps-03.txt
Next by Date: Re: [CGA-EXT] Call for adoption of draft-jiang-csi-dhcpv6-cga-ps-03.txt
Previous by thread: [CGA-EXT] comments on draft-jiang-csi-dhcpv6-cga-ps-03.txt
Next by thread: Re: [CGA-EXT] comments on draft-ietf-csi-hash-threat-03
Index(es):
- Date
- Thread