RE: I-D ACTION:draft-laganier-ipv6-khi-00.txt
> => security considerations explain that:
> - SHA1 can be replaced by something else
> - SHA1 is still good for this usage
> - if SHA1 or another important detail is changed then another prefix
> must be used.
>
> The syntax should allow for an
> identification of the algorithm as part of the "hash input".
>
> => the document explains why this is a bad idea.

Let's say that I don't buy the justification contained in the document.
Having a fixed hash function in an algorithm is not acceptable, period.

The cryptographic identifier is checked by comparing the address and
some "input". The input will be carried by an upper level protocol. One
might expect the input to contain a set of information, such as a host
name, a public key, maybe a certificate linking name and key, and maybe
some other information required by the particular application. My point
is simple: one should expect the input to also contain an identifier of
the particular hashing function that is being used.

Variable hashing functions open the possibility of a "downgrade" attack,
in which an attacker manages to produce the same "address bits" using a
very weak and easy to crack algorithm. However, protection against the
downgrade attack is very easy. The host that receives a cryptographic
address and the claimed input will check that the algorithm identified
in the input is "strong enough", and will treat an attempt to use a weak
hash the same way as a failed hash.

-- Christian Huitema
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
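
The receiver-side check described in the message above, as an added example that is not part of the original post or of the draft: the verifier reads a hash-algorithm identifier from the claimed input, rejects identifiers its local policy does not consider strong enough, and only then compares the hash with the address bits. The one-byte identifier, the registry values, the 96-bit truncation and the policy set are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical registry: algorithm identifier byte -> hashlib name (assumed values).
ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha256"}
# Local policy (assumed): identifiers this verifier treats as "strong enough".
ACCEPTED = {3}
# Assumed number of hash-derived address bits, in bytes (96 bits).
ID_BYTES = 12


def derive_bits(alg_id: int, payload: bytes) -> bytes:
    """Hash the whole input, identifier byte included, and truncate it."""
    data = bytes([alg_id]) + payload
    return hashlib.new(ALGORITHMS[alg_id], data).digest()[:ID_BYTES]


def verify(address_bits: bytes, claimed_input: bytes) -> bool:
    """True only if the algorithm is acceptable AND the hash matches."""
    if len(claimed_input) < 2 or len(address_bits) != ID_BYTES:
        return False
    alg_id, payload = claimed_input[0], claimed_input[1:]
    # Unknown or weak algorithm: handled exactly like a failed hash,
    # so the hash is never even computed for it.
    if alg_id not in ALGORITHMS or alg_id not in ACCEPTED:
        return False
    return hmac.compare_digest(derive_bits(alg_id, payload), address_bits)


def demo() -> dict:
    payload = b"constructed-public-key-bytes"  # constructed sample input
    strong = derive_bits(3, payload)
    weak = derive_bits(1, payload)
    return {
        "strong algorithm, matching hash": verify(strong, bytes([3]) + payload),
        # The weak hash matches its own address bits, yet policy rejects it.
        "weak algorithm, matching hash": verify(weak, bytes([1]) + payload),
        "strong algorithm, altered input": verify(strong, bytes([3]) + b"other"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Because the identifier byte is part of the hashed data, changing it also changes the resulting address bits.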