Network Working Group A. Kukec
Internet-Draft University of Zagreb
Expires: January 2, 2009 S. Krishnan
Ericsson
S. Jiang
Huawei Technologies Co., Ltd
July 1, 2008
SeND Hash Threat Analysis
draft-kukec-csi-hash-threat-02
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 2, 2009.
Kukec, et al. Expires January 2, 2009 [Page 1]
Internet-Draft SeND Hash Threat Analysis July 2008
Abstract
This document analysis the use of hashes in SeND, possible threats
and the impact of recent attacks on hash functions used by SeND.
Current SeND specification [rfc3971] uses SHA-1 [sha-1] hash
algorithm and PKIX certificates [rfc3280] and does not provide
support for the hash algorithm agility. Based on previous analysis,
this document suggests multiple hash support that should be included
in the SeND update specification.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Impact of collision attacks on SeND . . . . . . . . . . . . . 5
3.1. Attacks against CGAs in stateless autoconfiguration . . . 5
3.2. Attacks against PKIX certificates in ADD process . . . . . 5
3.3. Attacks against Digital Signature in RSA Signature
option . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.4. Attacks against Key Hash in RSA Signature option . . . . . 7
4. Support for the hash agility in SeND . . . . . . . . . . . . . 8
4.1. Hash algorithm option . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
7.1. Normative References . . . . . . . . . . . . . . . . . . . 13
7.2. Informative References . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
Intellectual Property and Copyright Statements . . . . . . . . . . 15
Kukec, et al. Expires January 2, 2009 [Page 2]
Internet-Draft SeND Hash Threat Analysis July 2008
1. Introduction
SEND [rfc3971] uses the SHA-1 hash algorithm to generate the contents
of the Key Hash and the Digital Signature fields of the RSA
signature. It also uses a hash algorithm (SHA-1,MD5 etc.) in the
PKIX certificates [rfc3280] used for router authorization. Recently
there have been demonstrated attacks against the collision free
property of such hash functions [sha1-coll]. There have also been
attacks on the PKIX X.509 certificates that use the MD5 hash
algorithm [x509-coll] that allow an attacker to generate two
different certificates with different distinguished names and
different public keys that contain identical signatures. This
document analyzes the effects of such attacks on the SEND protocol
and proposes changes to make it resistant to such attacks.
Kukec, et al. Expires January 2, 2009 [Page 3]
Internet-Draft SeND Hash Threat Analysis July 2008
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [rfc2119].
Kukec, et al. Expires January 2, 2009 [Page 4]
Internet-Draft SeND Hash Threat Analysis July 2008
3. Impact of collision attacks on SeND
Due to the collision attacks demonstrated on the aforesaid hash
algorithms a study was performed to assess the threat of these
attacks on the cryptographic hash usage in internet protocols
[RFC4270]. This document analyzes the hash usage in SEND following
the approach recommended by [rfc4270]. Following the approach
recommended by [rfc4270] and [new-hashes], we will analyze the impact
of these attacks on SeND case by case in this section. Through our
analysis, whether we should support hash agility on SeND is also
discussed.
Up to date, all demonstrated attacks are attacks against a collision-
free property. Attacks against the one-way property are not yet
feasible [rfc4270].
3.1. Attacks against CGAs in stateless autoconfiguration
Hash functions are used in the stateless autoconfiguration process
that is based on CGAs. Impacts of collision attacks on current uses
of CGAs are analyzed in the update of CGA specification [rfc4982],
which also enables CGAs to support hash agility. CGAs provide proof-
of-ownership of the private key corresponding to the public key used
to generate CGA, and they don't deal with the non-repudiation
feature, while collision attacks are mainly about affecting non-
repudiation feature. While SeND is CGA based protocol, we are sure
that the node that signs the message is the same as the node that
creates the message and associated hash. So, as [rfc4982] points out
CGA based protocols, including SeND, are not affected by the recent
collision attacks.
3.2. Attacks against PKIX certificates in ADD process
The second use of hash functions is for router authorization in ADD
process. Router sends to host a certification path, which is a path
between a router and hosts's trust anchor and consists of PKIX
certificates. Researchers demonstrated attacks against PKIX
certificates with MD5 signature, in 2005 [new-hashes] and in 2007
[X509-COLL].
In 2005 they succeeded to construct the original and the false
certificate that had the same identity data and digital signature,
but different public keys [new-hashes]. The problem for the attacker
is that two certificates with the same identity are not very useful
in real-world scenarios, while Certification Authority is not allowed
to provide such two certificates. Additionally, since identity field
is humane readable data, certificates are not affected by collision
attacks in practice. Implementations SHOULD use human-readable
Kukec, et al. Expires January 2, 2009 [Page 5]
Internet-Draft SeND Hash Threat Analysis July 2008
certificate extensions only if SeND certificate profile demands. We
also have to take into account that attacker could produce such false
certificate only if he could predict context- useful certificate
data. So, although collision attacks against PKIX certificates are
theoretically possible, they can hardly be performed in practice.
In 2007 were demonstrated certificates with the same identity data
and signatures, which differed only in public keys. Such attacks are
potentially more dangerous, since attacker can decide about contents
of human readable fields, and produce for example certificates with
the same signatures, but different identities or validity periods.
However, in order to perform a real-world useful attack, attacker
still needs to predict the content of all fields appearing before the
public key, eg. serial number or validity periods. Although a
relying party cannot verify the content of these fields (each
certificate by itself is unsuspicious), the CA keeps track of those
fields and during the fraud analysis, the false certificate can be
revealed.
Generally, the most dangerous are attacks against middle-certificates
in the certification path, where for the cost of one false
certificate, attacker launches attack on multiple routers. In such
scenarios, we will be at least safe from attacks against Trust
Anchor's certificate because it is not exchanged in SeND messages.
Additionally, if attacker, for example, manages to produce a false
certificate with changed IP prefixes in IP subjectAltName extension
(which is currently just theoretically possible), IP prefixes range
will be broadened at maximum to the range from the Trust Anchor's
certificate.
3.3. Attacks against Digital Signature in RSA Signature option
Digital signature in RSA Signature option is produced as the SHA-1
hash of IPv6 addresses, ICMPv6 header, ND message and other fields
like Message Type Tag and ND options [rfc3971], and is signed with
the sender's private key, which corresponds to the public key from
the CGA parameters structure and is authorized usually through CGAs.
The possible attack on such explicit digital signature is typical
non-repudiation attack. Attacker could generate a false message with
the same hash and sign that false hashed message with authorized
private key. However, the problem for the attacker is that they are
very hard to predict the useful input data. It minimizes the
possibility for a real-world collision attack and the fact that in
order to perform a succesful real-world attack he can not change a
human-readable data. But we also have to take into account that a
variant of SHA-1 was already affected by recent collision attacks and
we have to prepare for future improved attacks.
Kukec, et al. Expires January 2, 2009 [Page 6]
Internet-Draft SeND Hash Threat Analysis July 2008
3.4. Attacks against Key Hash in RSA Signature option
Key Hash field in the RSA Signature option is a SHA-1 hash of the
public key from the CGA parameters structure in the CGA option of
SeND message. Key Hash field is a typical example of data
fingerprinting, which is potentially dangerous because input field is
a non human-readable data. But the problem for the attacker is that
a public key, which is input data is authorized through CGAs, and
sometimes additionally through a certification path if peer has
configured trust anchor. For the succesful attack, attacker has to
break both SHA-1 hashed public key, as well as corresponding CGA and
possibly a certification path. Otherwise, changed key pair will be
detected in the process of CGA verification. The same as in previous
cases, this attack is theoretically possible, but very hard to
perform in practice.
Kukec, et al. Expires January 2, 2009 [Page 7]
Internet-Draft SeND Hash Threat Analysis July 2008
4. Support for the hash agility in SeND
While all of analyzed hash functions in SeND are theoretically
affected by recent collision attacks, these attacks indicate the
possibility of future real-world attacks. In order to increase the
future security of SeND, we suggest the support for the hash and
algorithm agility in SeND.
The most effective and secure would be to bind the hash function
option with something that can not be changed at all, like [rfc4982]
does for CGA - encoding the hash function information into addresses.
But, there is no possibilty to do that in SeND. We could decide to
use by default the same hash function in SeND as in CGA, but this
solution is architecturally strange and it does not really increase
the security since the difficulty for attackers remain to break one
single hash function. Furthermore, it may even reduce the security
level by providing more relevant information of the hash function.
On the other side, the use of two different hash algorithms makes
attacker's life harder.
Another solution is to incorporate the hash function option into SeND
message. By putting a new hash function option in SeND message
before RSA Signature option, attacker will have to break both the
signature and the hash input at the same time since the new option
will be input field for the Digital Signature in RSA Signature
option. However, we can not avoid a downgrade attack totally because
peer might be using just ND and not SeND. A completely safe solution
here does not exist. A new hash function option in SeND message is a
reasonable and the best solution for the hash algorithm agility
support in SeND.
Each implementation SHOULD use different hash or signature algorithms
for each of the relevant fields (Key Hash field, Digital Signature,
PKIX signature algorithm). Since all algorithms are in different
procedures, making them the same does not make those procedures
simpler, but making them different complicates possible attacks.
4.1. Hash algorithm option
In order to provide hash algorithm agility, each SeND implemenation
MUST support the Hash algorithm option. The Hash algorithm option
defines:
o a hash algorithm that MUST be used for producing the RSA Signature
option (Key Hash field) - HA-KH,
o a hash algorithm that MUST be used for producing the RSA Signature
option (Digital Signature field) - HA-DS,
Kukec, et al. Expires January 2, 2009 [Page 8]
Internet-Draft SeND Hash Threat Analysis July 2008
o a PKIX signature algorithm that the sender of the Hash algorithm
option is ready to accept and validate. In order to enhance
interoperability, implementations SHOULD also accept and validate
PKIX certificates with a signature algorithm that has the higher
encoding number than requested signature algorithm.
Implementations MUST NOT accept PKIX certificates with signature
algorithms marked with lower encoding.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | HA-KH | HA-DS |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SA | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1
Type
TBA1
Length
The length of the option (including the Type, Length, Reserved,
HA, SA, and Padding) in units of 8 octets.
Hash Algorithm for Key Hash field (HA-KH)
Hash algorithm used for producing the Key Hash field in the RSA
Signature option. SEND [rfc3971] uses SHA-a. In order to provide
hash algorithm agility, SHA-1 is assigned an initial value TBD1 in
this document.
Hash Algorithm for Digital Signature field (HA-DS)
Hash algorithm used for producing the Digital Signature field in
the RSA Signature option. SEND [rfc3971] uses SHA-1. In order to
provide hash algorithm agility, SHA-1 is assigned an initial value
TBD2 in this document.
Signature Algorithm (SA)
Signature algorithm of the PKIX certificate used in ADD process,
in accordance with rfc3279. SEND [rfc3971] uses RSASSA-PKCS1-v1_5
Kukec, et al. Expires January 2, 2009 [Page 9]
Internet-Draft SeND Hash Threat Analysis July 2008
algorithm. In order to provide algorithm agility, RSASSA_PKCS1-
v1_5 is assigned an initial value TBD3 in this document.
Reserved
Field reserved for future uses. The value MUST be initialized to
zero by the sender, and MUST be ignored by the recepient.
Kukec, et al. Expires January 2, 2009 [Page 10]
Internet-Draft SeND Hash Threat Analysis July 2008
5. Security Considerations
This document analyzes the impact of hash attacks in SeND and offeres
a higher security level for SeND by providing solution for the hash
agility support.
Kukec, et al. Expires January 2, 2009 [Page 11]
Internet-Draft SeND Hash Threat Analysis July 2008
6. IANA Considerations
This document defines three new registries that have been created and
are maintained by IANA.
o Hash Algorithm for Key Hash field (HA-KH). The values in this
name space are 5-bit unsigned integers.
o Hash Algorithm for Digital Signature field (HA-DS). The values in
this name space are 5-bit unsigned integers.
o Signature Algorithm (SA). The values in this name space are 5-bit
unsigned integers.
Initial values for these registries are given below. Future
assignments are to be made through Standards Action [rfc2434].
Assignments for each registry consist of a name, a value and a RFC
number where the registry is defined.
The following initial values are assigned for HA-KH in this document:
Name | Value | RFCs
-------------------+-------+------------
SHA-1 | TBD1 | this document
The following initial values are assigned for HA-DS in this document:
Name | Value | RFCs
-------------------+-------+------------
SHA-1 | TBD2 | this document
The following initial values are assigned for HA-KH in this document:
Name | Value | RFCs
-------------------+-------+------------
RSASSA-PKCS1-v1_5 | TBD3 | this document
This document defines one new Neighbor Discovery Protocol [rfc4861]
options, which must be assigned Option Type values within the option
numbering space for Neighbor Discovery Protocol messages:
The Hash algorithm option (TBA1), described in Section 4.1.
Kukec, et al. Expires January 2, 2009 [Page 12]
Internet-Draft SeND Hash Threat Analysis July 2008
7. References
7.1. Normative References
[new-hashes]
Bellovin, S. and E. Rescorla, "Deploying a New Hash
Algorithm", November 2005.
[rfc3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
Neighbor Discovery (SEND)", RFC 3971, March 2005.
[rfc4270] Hoffman, P. and B. Schneier, "Attacks on Cryptographic
Hashed in Internet Protocols", RFC 4270, November 2005.
[rfc4982] Bagnulo, M. and J. Arrko, "Support for Multiple Hash
Algorithms in Cryptographically Generated Addresses
(CGAs)", RFC 4982, July 2007.
7.2. Informative References
[rfc2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[rfc2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 2434,
April 1998.
[rfc3280] Housley, R., "Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL)
Profile", RFC rfc3280, April 2002.
[rfc4861] Narten, T., Nordmark, E., Simpson, W., and H. Solliman,
"Neighbor Discovery for IP Version 6 (IPv6)", RFC 4861,
April 1998.
[sha-1] NIST, FIBS PUB 180-1, "Secure Hash Standard", April 1995.
[sha1-coll]
Wang, X., Yin, L., and H. Yu, "Finding Collisions in the
Full SHA-1. CRYPTO 2005: 17-36", 2005.
[x509-coll]
Stevens, M., Lenstra, A., and B. Weger, "Chosen-Prefix
Collisions for MD5 and Colliding X.509 Certificates for
Different Identitites. EUROCRYPT 2007: 1-22", 2005.
Kukec, et al. Expires January 2, 2009 [Page 13]
Internet-Draft SeND Hash Threat Analysis July 2008
Authors' Addresses
Ana Kukec
University of Zagreb
Unska 3
Zagreb
Croatia
Email: ana.kukec@fer.hr
Suresh Krishnan
Ericsson
8400 Decarie Blvd.
Town of Mount Royal, QC
Canada
Email: suresh.krishnan@ericsson.com
Sheng Jiang
Huawei Technologies Co., Ltd
KuiKe Building, No.9 Xinxi Rd.,
Shang-Di Information Industry Base, Hai-Dian District, Beijing
P.R. China
Email: shengjiang@huawei.com
Kukec, et al. Expires January 2, 2009 [Page 14]
Internet-Draft SeND Hash Threat Analysis July 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Kukec, et al. Expires January 2, 2009 [Page 15]