draft-ietf-csi-hash-threat-10.txt  vs  draft-ietf-csi-hash-threat-11.txt
(text common to both drafts is shown once; [-removed in -11-] {+added in -11+})
Network Working Group                                          A. Kukec
Internet-Draft                                     University of Zagreb
Intended status: Informational                              S. Krishnan
Expires: [-January 12, 2011-] {+May 30, 2011+}                 Ericsson
                                                               S. Jiang
                                          Huawei Technologies Co., Ltd
                                [-July 11, 2010-] {+November 26, 2010+}

                       SEND Hash Threat Analysis
                 draft-ietf-csi-hash-threat-[-10-]{+11+}
Abstract

   This document analyzes the use of hashes in Secure Neighbor Discovery
   (SEND), the possible threats to these hashes and the impact of recent
   attacks on hash functions used by SEND.  The SEND specification
   [-[RFC3971]-] currently uses the SHA-1 [-[SHA1]-] hash algorithm and
   PKIX certificates [-[RFC5280]-] and does not provide support for hash
   algorithm agility.  This document provides an analysis of possible
   threats to the hash algorithms used in SEND.
Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on [-January 12, 2011-] {+May 30, 2011+}.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 4, line 31
3.3.  Attacks against the Digital Signature in the SEND RSA Signature
      option

   The digital signature in the RSA Signature option is produced by
   signing, with the sender's private key, the SHA-1 hash over certain
   fields in the Neighbor Discovery message as described in Section 5.2
   of [RFC3971].  It is possible for an attacker to come up with two
   different Neighbor Discovery messages m and m' that result in the
   same value in the Digital Signature field.  Since the structure of
   the Neighbor Discovery messages is well defined, it is not
   [-possible-] {+practical+} to use this vulnerability in real-world
   attacks.
3.4.  Attacks against the Key Hash field of the SEND RSA Signature
      option

   The SEND RSA Signature option described in Section 5.2 of [RFC3971]
   defines a Key Hash field.  This field contains a SHA-1 hash of the
   public key that was used to generate the CGA.  To use a collision
   attack on this field, the attacker needs to come up with another
   public key (k') that produces the same hash as the real key (k).  But
skipping to change at page 5, line 21
   This document analyzes the impact that attacks against hash
   functions have on SEND.  It concludes that the only practical attack
   on SEND stems from a successful attack on an underlying CGA.  It does
   not add any new vulnerabilities to SEND.
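The three SHA-1 uses that Sections 3.3 and 3.4 and the conclusion above refer to (the digest that is RSA-signed, the Key Hash that names the signing key, and the CGA that ties that key to the IPv6 address) can be exercised with nothing but hashlib. The following is an added example, not text or code from the draft or from any SEND implementation: it builds the RFC 3971 Section 5.2 signature input, computes the Key Hash, and generates and verifies a CGA per RFC 3972, then runs the receiver-side checks in the order a SEND node would apply them. The "public key" is a constructed byte string standing in for a DER-encoded key, the prefix is a documentation prefix, and RSA signature verification itself is omitted because it needs an RSA library.

```python
"""Added example: the SHA-1 bindings a SEND receiver checks (RFC 3971 / RFC 3972)."""
import hashlib
import os

# RFC 3971 Section 5.2: CGA Message Type tag for SEND's RSA Signature option.
SEND_TYPE_TAG = bytes.fromhex("086FCA5E10B200C99C8CE00164277C08")


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def key_hash(pubkey_der: bytes) -> bytes:
    """RFC 3971 Section 5.2: leftmost 128 bits of SHA-1 over the public key."""
    return sha1(pubkey_der)[:16]


def signature_input(src: bytes, dst: bytes, icmp_type: int, icmp_code: int,
                    checksum: int, nd_header: bytes, options: bytes) -> bytes:
    """RFC 3971 Section 5.2: the octets whose SHA-1 digest is RSA-signed.

    Every field except the option payloads is dictated by the protocol, which is
    why a colliding message m' (Section 3.3) must also be a well-formed ND message.
    """
    assert len(src) == 16 and len(dst) == 16
    icmp = bytes([icmp_type, icmp_code]) + checksum.to_bytes(2, "big")
    return SEND_TYPE_TAG + src + dst + icmp + nd_header + options


# ---- RFC 3972 CGA: the binding the conclusion calls the only practical target ----

def cga_parameters(modifier: bytes, prefix: bytes, collision_count: int,
                   pubkey_der: bytes) -> bytes:
    """RFC 3972 Section 3 layout (extension fields omitted)."""
    assert len(modifier) == 16 and len(prefix) == 8 and collision_count in (0, 1, 2)
    return modifier + prefix + bytes([collision_count]) + pubkey_der


def hash2_ok(modifier: bytes, pubkey_der: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(Modifier || 9 zero octets || key), leftmost 112 bits;
    its 16*sec leftmost bits must be zero (RFC 3972 Sections 4 and 5)."""
    hash2 = sha1(modifier + b"\x00" * 9 + pubkey_der)[:14]
    return hash2[:2 * sec] == b"\x00" * (2 * sec)


def hash1_matches(params: bytes, iid: bytes) -> bool:
    """Compare leftmost 64 bits of SHA-1(CGA Parameters) with the interface
    identifier, ignoring bits 0-2 (sec) and bits 6-7 (u/g) of the first octet."""
    hash1 = sha1(params)[:8]
    return (hash1[0] & 0x1C) == (iid[0] & 0x1C) and hash1[1:] == iid[1:]


def generate_cga(prefix: bytes, pubkey_der: bytes, sec: int,
                 modifier: bytes = b"") -> tuple:
    """RFC 3972 Section 4; returns (address, CGA Parameters).  Expected work is
    2^(16*sec) SHA-1 calls, so keep sec small when experimenting."""
    modifier = modifier or os.urandom(16)
    while not hash2_ok(modifier, pubkey_der, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    params = cga_parameters(modifier, prefix, 0, pubkey_der)
    iid = bytearray(sha1(params)[:8])
    iid[0] = ((iid[0] & 0x1F) | (sec << 5)) & 0xFC  # write sec, clear u and g bits
    return prefix + bytes(iid), params


def verify_cga(address: bytes, params: bytes) -> bool:
    """RFC 3972 Section 5 verification."""
    if len(address) != 16 or len(params) < 25:
        return False
    modifier, prefix, count, pubkey_der = params[:16], params[16:24], params[24], params[25:]
    if count > 2 or prefix != address[:8]:
        return False
    iid = address[8:]
    sec = iid[0] >> 5
    return hash1_matches(params, iid) and hash2_ok(modifier, pubkey_der, sec)


def check_rsa_signature_option(address: bytes, params: bytes, option_key_hash: bytes) -> str:
    """Checks made before the RSA verification (omitted here).  A substitute key
    that merely collides on the Key Hash still fails the CGA step."""
    if not verify_cga(address, params):
        return "cga-mismatch"
    if key_hash(params[25:]) != option_key_hash:
        return "key-hash-mismatch"
    return "ok"


def demo(sec: int = 1) -> dict:
    # Constructed stand-ins: not a real DER key, and a documentation prefix.
    pubkey_der = b"\x30\x22" + bytes(range(32)) + b"(constructed public key)"
    prefix = bytes.fromhex("2001db8000000001")
    addr, params = generate_cga(prefix, pubkey_der, sec, modifier=bytes(16))
    other_key = pubkey_der.replace(b"constructed", b"substituted")
    other_params = cga_parameters(params[:16], prefix, 0, other_key)
    return {
        "address": addr.hex(),
        "verify_ok": verify_cga(addr, params),
        "genuine": check_rsa_signature_option(addr, params, key_hash(pubkey_der)),
        "wrong_prefix": verify_cga(bytes(8) + addr[8:], params),
        "substituted_key": check_rsa_signature_option(addr, other_params, key_hash(other_key)),
        "wrong_key_hash": check_rsa_signature_option(addr, params, bytes(16)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of checks matters for a node under load: CGA verification and the Key Hash comparison cost one SHA-1 each and reject a forged CGA Parameters option before any RSA operation is spent, which is also why the conclusion singles out the CGA as the binding an attacker would actually have to break.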
6.  Acknowledgements

   The authors would like to thank Lars Eggert, Pete McCann, Julien
   Laganier, Jari Arkko, Paul Hoffman, Pasi Eronen, Adrian Farrel, Dan
   Romascanu, Tim Pol, Richard Woundy[- and-]{+,+} Marcelo Bagnulo {+and
   Barry Leiba+} for reviewing earlier versions of this document and
   providing comments to make it better.
7.  References

7.1.  Normative References

   [NEW-HASHES]
              Bellovin, S. and E. Rescorla, "Deploying a New Hash
              Algorithm", November 2005.

   [RFC4270]  Hoffman, P. and B. Schneier, "Attacks on Cryptographic
skipping to change at page 6, line 17
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [SHA1]     NIST, FIPS PUB 180-1, "Secure Hash Standard", April 1995.

   [SHA1-COLL]
              Wang, X., Yin, L., and H. Yu, "Finding Collisions in the
              Full SHA-1", CRYPTO 2005: 17-36, 2005.

   {+[SLdeW2009]
              Stevens, M., Lenstra, A., and B. de Weger, "Chosen-prefix
              Collisions for MD5 and Applications", Journal of
              Cryptology, 2009, <http://deweger.xs4all.nl/
              papers/%5B42%5DStLedW-MD5-JCryp%5B2009%5D.pdf>.

   [SSALMOdeW2009]
              Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A.,
              Molnar, D., Osvik, D., and B. de Weger, "Short chosen-
              prefix collisions for MD5 and the creation of a rogue CA
              certificate", CRYPTO 2009, 2009.

   [STEV2007]
              Stevens, M., "On Collisions for MD5", <http://
              www.win.tue.nl/hashclash/
              On%20Collisions%20for%20MD5%20-%20M.M.J.%20Stevens.pdf>.+}

   [X509-COLL]
              Stevens, M., Lenstra, A., and B. de Weger, "Chosen-Prefix
              Collisions for MD5 and Colliding X.509 Certificates for
              Different Identities", EUROCRYPT 2007: 1-22, [-2005-]{+2007+}.
Authors' Addresses

   Ana Kukec
   University of Zagreb
   Unska 3
   Zagreb
   Croatia

   Email: ana.kukec@fer.hr
End of changes.  9 change blocks.  13 lines changed or deleted, 30 lines changed or added.

This html diff was produced by rfcdiff 1.40.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/