Re: Hash Algorithm Agility via Certificate/CRL/OCSP Extensions
Daniel Brown <DBrown@certicom.com> Fri, 06 October 2006 15:49 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GVrwg-000708-Ew for pkix-archive@lists.ietf.org; Fri, 06 Oct 2006 11:49:06 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GVrwc-0004rS-PI for pkix-archive@lists.ietf.org; Fri, 06 Oct 2006 11:49:06 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k96Ecduj055014; Fri, 6 Oct 2006 07:38:39 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k96EcdXR055013; Fri, 6 Oct 2006 07:38:39 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail.ca.certicom.com (nat194.certicom.com [66.48.18.194]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k96Eccfi054995 for <ietf-pkix@imc.org>; Fri, 6 Oct 2006 07:38:38 -0700 (MST) (envelope-from DBrown@certicom.com)
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id BC2C9100DE507; Fri, 6 Oct 2006 10:38:32 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01822-71; Fri, 6 Oct 2006 10:38:29 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id A22D8100D9F95; Fri, 6 Oct 2006 10:38:29 -0400 (EDT)
In-Reply-To: <200610051624.43995.rob.stradling@comodo.com>
To: Rob Stradling <rob.stradling@comodo.com>
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: Hash Algorithm Agility via Certificate/CRL/OCSP Extensions
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.5 November 30, 2005
Message-ID: <OF9A6FF33F.22FA4ABF-ON852571FF.004D8920-852571FF.0050CF8E@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Fri, 06 Oct 2006 10:37:06 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 7.0.1|January 17, 2006) at 10/06/2006 10:37:04 AM, Serialize complete at 10/06/2006 10:37:04 AM
Content-Type: multipart/alternative; boundary="=_alternative 0050CF8C852571FF_="
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 2.1 (++)
X-Scan-Signature: e472ca43d56132790a46d9eefd95f0a5
Rob Stradling wrote on 10/05/2006 11:24:43 AM: > Most currently valid X.509 certificates rely on the SHA-1 algorithm. If/when > SHA-1 gets sufficiently "broken", the signatures on those certificates will > become worthless. Some experts believe that SHA-1 might get broken really > quite soon. > X.509 allows us to stop using SHA-1 and start using SHA-256 (or SHA-384, or > SHA-512, etc) instead. However, if we were to do this today, most existing > software (including all versions of Windows prior to Vista...which isn't even > launched yet) would not be able to verify the signatures on the certificates > at all. > > I want to be able to do *all* of the following (in no particular order)... > 1. Start using SHA-256/384/512/etc in X.509 certificates ASAP, so that the > latest software can take advantage of these (hopefully) more secure hash > algorithms. > 2. Avoid keeping SHA-1 as a single point of failure until such > time as there > is widespread support for SHA-256/384/512/etc. > 3. Stop having to rely on any single hash algorithm when verifying the > signature of an X.509 Certificate. > > I hope this explains my aims more clearly. As I understand your proposal (please correct me as necessary), if M is the ToBeSigned - before your new SHA256 extension - a CA with RSA private key (n,d) would generate a signature essentially like S = PKCS1(SHA1(M | SHA256(M)))^d mod n That's a clever idea if it stops the known SHA1 attacks, but has it been carefully scrutinized against other attacks? In particular, is some of the benefit of using SHA256 lost once it has gone through the SHA1 output (since 256 bits has been crunched to 160 bits). For example, birthday attacks on SHA256 should take about 2^128 hashes, but with your construction birthday attacks should take about 2^81 hashes, which is certainly better than the 2^63 (the current SHA1 strength), but much worse than 2^128 (the current SHA256 strength). Admittedly, these are rather theoretically high levels of security, which the very pragmatic PKIX group may not be terribly concerned about, but it leads me to question whether your objective 2 will be fully met. Aside: Does the PKIX group feel that the paper "Colliding X.509 Certificates" http://eprint.iacr.org/2005/067 is of no concern (assuming that it can eventually be extended to SHA1)? (I've been getting that impression from various comments.) If so, why? Some possible reasons are: (1) pre-existing certs (issued before collision attack) are not affected and are still verifiable and usable, (2) when a collision attack is discovered, CAs can halt issuing certs and upgrade to a better hash. In particular, these reasons make it seems that PKIX can afford to wait until the very last minute, i.e. when SHA1 is actually broken, rather than to upgrade to some fix like SHA256 before SHA1 is broken. If new hashes such as SHA256 are ready to go, then that should be enough preparation for the least amount of downtime during the upgrade. Older implementations will not be able to process the new certs, though. My concern with a last-minute approach is that perhaps somebody will use the collision attacks before a CA becomes aware of it? Is there some other good reason that I should not have this concern? For example, is there something else about the "Colliding X.509 Certs" paper that means it will not be useful for a realistic attack. Thanks, Dan Brown (905) 501-3857 http://www.certicom.com
- Hash Algorithm Agility via Certificate/CRL/OCSP E… Rob Stradling
- Re: Hash Algorithm Agility via Certificate/CRL/OC… Rob Stradling
- Re: Hash Algorithm Agility via Certificate/CRL/OC… Denis Pinkas
- Re: Hash Algorithm Agility via Certificate/CRL/OC… Rob Stradling
- Re: Hash Algorithm Agility via Certificate/CRL/OC… Denis Pinkas
- Key Compromise, Rollover and Loss (was Re: Hash A… Arshad Noor
- Re: Hash Algorithm Agility via Certificate/CRL/OC… Paul Hoffman
- RE: Hash Algorithm Agility via Certificate/CRL/OC… Paul Hoffman
- RE: Hash Algorithm Agility via Certificate/CRL/OC… Michael Myers
- RE: Hash Algorithm Agility via Certificate/CRL/OC… Paul Hoffman
- RE: Hash Algorithm Agility via Certificate/CRL/OC… Michael Myers
- Re: Hash Algorithm Agility via Certificate/CRL/OC… Rob Stradling
- Re: Hash Algorithm Agility via Certificate/CRL/OC… Rob Stradling
- Re: Hash Algorithm Agility via Certificate/CRL/OC… Daniel Brown
- Re: Hash Algorithm Agility via Certificate/CRL/OC… Rob Stradling
- Re: Key Compromise, Rollover and Loss (was Re: Ha… Joel Kazin