Attacks on Cryptographic Hashes in Internet Protocols
draft-hoffman-hash-attacks-04
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2005-07-29
|
04 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2005-06-27
|
04 | Amy Vezza | IESG state changed to Approved-announcement sent |
2005-06-27
|
04 | Amy Vezza | IESG has approved the document |
2005-06-27
|
04 | Amy Vezza | Closed "Approve" ballot |
2005-06-24
|
04 | Amy Vezza | State Changes to Approved-announcement to be sent from IESG Evaluation by Amy Vezza |
2005-06-24
|
04 | (System) | Removed from agenda for telechat - 2005-06-23 |
2005-06-23
|
04 | Mark Townsley | [Ballot Position Update] New position, No Objection, has been recorded for Mark Townsley by Mark Townsley |
2005-06-22
|
04 | Ted Hardie | [Ballot Position Update] New position, No Objection, has been recorded for Ted Hardie by Ted Hardie |
2005-06-22
|
04 | Sam Hartman | [Ballot Position Update] New position, No Objection, has been recorded for Sam Hartman by Sam Hartman |
2005-06-22
|
04 | Brian Carpenter | [Ballot comment] This review from Lakshminath Dondeti is quite critical but I don't want to block the document. Specifically, I don't think this is the … [Ballot comment] This review from Lakshminath Dondeti is quite critical but I don't want to block the document. Specifically, I don't think this is the right place to tackle the MD5 issue - that is something we want to do, but independently. ----------------- Review recommendation: This draft needs another revision before publication. First, let me note that both Paul H., and Bruce S., know this stuff much better than I do (and I read Bruce Schneier's cryptogram regularly). The first part of this draft is very well written and I am happy to see that considering this might be read by folks who are not active in the security area. However, I find it incomplete in other respects, again considering that same audience. Furthermore, there is some information that I expected to see there, and would like to run that by for the authors' and the AD's consideration. 1. Generating meaningful MD5 collisions is not all that difficult. I think this I-D/RFC should be used to drill into the IETF community that we should stop using MD5 as soon as practically possible. M. Daum and S. Lucks have generated (http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions/) two meaningful postscript documents that have the same MD5 hash. I think their work makes a compelling case to that effect. Their example also better illustrates the points being made toward the end of Section 4. 2. In Section 4, I don't quite understand the concept of "automated non-repudiation." I was wondering whether the intent is to say that "Hash collisions are much more effective on the message authentication property of signatures." In other words, the party signing might know the intent, but an independent party, with the signing party not present, has no option but to accept the signature and the data that is claimed to be "signed" as long as the hash of the supplied data can be verified with the signature (unless of course the verifying party declares that it won't accept, say, signed MD5 hashes :-)). 3. Section 5 is somewhat hard to read/parse. More importantly, I was hoping to see more information on adding random information to hashes before they are signed. At the risk of being incorrect or saying things the wrong way, and while reassuring everyone that I am not a cryptographer ... I was told that random information as added -- or more correctly appended -- to a hash as in PSS encoding is not all that useful in the face of collision attacks on the hash function being used. A more appropriate way would be to prepend the random information or add the random information to every block as Hugo K., et. al., randomized hashing I-D suggests, or intersperse the random information. I would like to see this I-D generally discuss how the random information might be added to the "hash plus sign" process to be effective. 4. Section 6 might be updated to say that people should stop specifying MD5, and where practical stop using MD5 (HMAC-MD5, OTOH, Hugo tells us, is ok). Further, Section 6 might talk about possibly three things we could do: a) continue to use SHA-1, keeping the reduced strength in mind. b) for signatures, consider using new randomness encoding methods (e.g., Randomized hashing) c) start planning to use SHA-256 or other hash functions. 5. (with apologies for going back in text) I was wondering if the last item in the list in Section 3 belongs with the first two items in being affected by collisions. Isn't that a reference to MD5 values of files made available for sanity checking ftp downloads? Since no keys are involved in that process, wouldn't an attack similar to that described by Daum and Lucks be possible? If so, the text immediately following the list should be revised to reflect that. 6. In Security considerations, I would like to see a summary of recommendations, and also caveats in mitigating hash attacks (e.g., summarize how to and how not to add random information before signing). A summary of the ongoing debate in the Hash BoF list might also be worthwhile, in that, each of the recommendations, e.g., a, b, and c above have some risks associated with them. (there are people who doubt the effectiveness of randomized hashing and others who are not quite sure about SHA-256 -- I think because that hash family hasn't quite received the analysis/attention that SHA-0 and SHA-1 family did). |
2005-06-22
|
04 | Brian Carpenter | [Ballot comment] This review from Lakshminath Dondeti is quite critical but I don't want to block the document. Specifically, I don't think this is the … [Ballot comment] This review from Lakshminath Dondeti is quite critical but I don't want to block the document. Specifically, I don't think this is the right place to tackle the MD5 issue - that is something we want to do, but independently. ----------------- Review recommendation: This draft needs another revision before publication. First, let me note that both Paul H., and Bruce S., know this stuff much better than I do (and I read Bruce Schneier's cryptogram regularly). The first part of this draft is very well written and I am happy to see that considering this might be read by folks who are not active in the security area. However, I find it incomplete in other respects, again considering that same audience. Furthermore, there is some information that I expected to see there, and would like to run that by for the authors' and the AD's consideration. 1. Generating meaningful MD5 collisions is not all that difficult. I think this I-D/RFC should be used to drill into the IETF community that we should stop using MD5 as soon as practically possible. M. Daum and S. Lucks have generated (http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions/) two meaningful postscript documents that have the same MD5 hash. I think their work makes a compelling case to that effect. Their example also better illustrates the points being made toward the end of Section 4. 2. In Section 4, I don't quite understand the concept of "automated non-repudiation." I was wondering whether the intent is to say that "Hash collisions are much more effective on the message authentication property of signatures." In other words, the party signing might know the intent, but an independent party, with the signing party not present, has no option but to accept the signature and the data that is claimed to be "signed" as long as the hash of the supplied data can be verified with the signature (unless of course the verifying party declares that it won't accept, say, signed MD5 hashes :-)). 3. Section 5 is somewhat hard to read/parse. More importantly, I was hoping to see more information on adding random information to hashes before they are signed. At the risk of being incorrect or saying things the wrong way, and while reassuring everyone that I am not a cryptographer ... I was told that random information as added -- or more correctly appended -- to a hash as in PSS encoding is not all that useful in the face of collision attacks on the hash function being used. A more appropriate way would be to prepend the random information or add the random information to every block as Hugo K., et. al., randomized hashing I-D suggests, or intersperse the random information. I would like to see this I-D generally discuss how the random information might be added to the "hash plus sign" process to be effective. 4. Section 6 might be updated to say that people should stop specifying MD5, and where practical stop using MD5 (HMAC-MD5, OTOH, Hugo tells us, is ok). Further, Section 6 might talk about possibly three things we could do: a) continue to use SHA-1, keeping the reduced strength in mind. b) for signatures, consider using new randomness encoding methods (e.g., Randomized hashing) c) start planning to use SHA-256 or other hash functions. 5. (with apologies for going back in text) I was wondering if the last item in the list in Section 3 belongs with the first two items in being affected by collisions. Isn't that a reference to MD5 values of files made available for sanity checking ftp downloads? Since no keys are involved in that process, wouldn't an attack similar to that described by Daum and Lucks be possible? If so, the text immediately following the list should be revised to reflect that. 6. In Security considerations, I would like to see a summary of recommendations, and also caveats in mitigating hash attacks (e.g., summarize how to and how not to add random information before signing). A summary of the ongoing debate in the Hash BoF list might also be worthwhile, in that, each of the recommendations, e.g., a, b, and c above have some risks associated with them. (there are people who doubt the effectiveness of randomized hashing and others who are not quite sure about SHA-256 -- I think because that hash family hasn't quite received the analysis/attention that SHA-0 and SHA-1 family did). |
2005-06-22
|
04 | Brian Carpenter | [Ballot Position Update] New position, No Objection, has been recorded for Brian Carpenter by Brian Carpenter |
2005-06-17
|
04 | Michelle Cotton | IANA Comments: No IANA Considerations section. We understand this document to have NO IANA Actions. |
2005-06-14
|
04 | Scott Hollenbeck | [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
2005-06-08
|
04 | Russ Housley | [Ballot Position Update] New position, Yes, has been recorded for Russ Housley |
2005-06-08
|
04 | Russ Housley | Ballot has been issued by Russ Housley |
2005-06-08
|
04 | Russ Housley | Created "Approve" ballot |
2005-06-08
|
04 | (System) | Ballot writeup text was added |
2005-06-08
|
04 | (System) | Last call text was added |
2005-06-08
|
04 | (System) | Ballot approval text was added |
2005-06-08
|
04 | Russ Housley | State Changes to IESG Evaluation from AD Evaluation by Russ Housley |
2005-06-08
|
04 | Russ Housley | Placed on agenda for telechat - 2005-06-23 by Russ Housley |
2005-06-06
|
04 | (System) | New version available: draft-hoffman-hash-attacks-04.txt |
2005-06-03
|
04 | Russ Housley | State Changes to AD Evaluation from Publication Requested by Russ Housley |
2005-05-10
|
04 | Russ Housley | Draft Added by Russ Housley in state Publication Requested |
2005-05-10
|
03 | (System) | New version available: draft-hoffman-hash-attacks-03.txt |
2005-04-18
|
02 | (System) | New version available: draft-hoffman-hash-attacks-02.txt |
2005-04-15
|
01 | (System) | New version available: draft-hoffman-hash-attacks-01.txt |
2005-03-28
|
00 | (System) | New version available: draft-hoffman-hash-attacks-00.txt |