Magnus Nyström | 30 Nov 2005 15:56

Re: Security Area Response to Hash Function "Breaks"


Please see below.

In light of recent cryptanalytic results on hash functions, each IETF 
working group is asked to provide an analysis of its use of hash 
functions.

SACRED relies on DIGEST-MD5, but IMO SACRED does not become vulnerable to 
attacks due to recent results on MD5. The reasons are that in Digest-MD5, 
hashes are either done on nonces provided both by the client and the 
server or on the username and password selected by the client. Hence an 
attacker cannot perform a collision attack - in the former because the 
nonces are not known in advance and in the latter case since it would be 
equivalent to finding the password, at which point he could impersonate 
the user anyway.

Comments, anyone?

-- Magnus

On Thu, 24 Nov 2005, Russ Housley wrote:

> Below is a summary of the discussion that occurred at the SAAG session during 
> IETF 64. When MD5 or SHA-1 is used to support digital signatures or used by 
> itself, recent cryptographic research findings indicate the need for a 
> transition.  Therefore, I encourage all IETF WGs to follow the lead of the 
> Security Area in transition away from MD5 and SHA-1 toward SHA-256.
> 
> TCP-MD5 is one example where a transition is needed.  In this case, a 
> transition to HMAC-SHA-1 or HMAC-SHA-256 seems like a reasonable move.

Russ Housley | 30 Nov 2005 16:27

Re: Security Area Response to Hash Function "Breaks"


Magnus:

The NIST recommendation is to move away from SHA-1 by 2010, simply 
due to its size.  NIST made this recommendation before the flaws in 
SHA-1 were discovered.  SHA-1 is a 160-bit hash.  MD5 is a 128-bit 
hash.  Can you explain why the smaller hash value is acceptable in 
the SACRED protocol context beyond 2010?

Russ

At 09:56 AM 11/30/2005, Magnus Nyström wrote:

>Please see below.
>
>In light of recent cryptanalytic results on hash functions, each 
>IETF working group is asked to provide an analysis of its use of 
>hash functions.
>
>SACRED relies on DIGEST-MD5, but IMO SACRED does not become vulnerable 
>to attacks due to recent results on MD5. The reasons are that in 
>Digest-MD5, hashes are either done on nonces provided both by the 
>client and the server or on the username and password selected by 
>the client. Hence an attacker cannot perform a collision attack - in 
>the former because the nonces are not known in advance and in the 
>latter case since it would be equivalent to finding the password, at 
>which point he could impersonate the user anyway.
>
>Comments, anyone?
>

Magnus Nyström | 30 Nov 2005 16:46

Re: Security Area Response to Hash Function "Breaks"

In the context of Digest-MD5, we're mostly concerned about pre-image 
resistance. I further assume that the entropy of the underlying password 
is less than 128 bits.

-- Magnus

On Wed, 30 Nov 2005, Russ Housley wrote:

> Magnus:
>
> The NIST recommendation is to move away from SHA-1 by 2010, simply due to its 
> size.  NIST made this recommendation before the flaws in SHA-1 were 
> discovered.  SHA-1 is a 160-bit hash.  MD5 is a 128-bit hash.  Can you 
> explain why the smaller hash value is acceptable in the SACRED protocol 
> context beyond 2010?
>
> Russ
>
> At 09:56 AM 11/30/2005, Magnus Nyström wrote:
>
>> Please see below.
>> 
>> In light of recent cryptanalytic results on hash functions, each IETF 
>> working group is asked to provide an analysis of its use of hash functions.
>> 
>> SACRED relies on DIGEST-MD5, but IMO SACRED does not become vulnerable to 
>> attacks due to recent results on MD5. The reasons are that in Digest-MD5, 
>> hashes are either done on nonces provided both by the client and the server 
>> or on the username and password selected by the client. Hence an attacker 
>> cannot perform a collision attack - in the former because the nonces are 

Magnus Nyström | 1 Dec 2005 09:48

Re: Security Area Response to Hash Function "Breaks"

That said, I of course would not have anything against a move to, e.g., a 
new DIGEST-SHA256 (even though I personally would have preferred a strong 
password-based authentication/key exchange mechanism such as EKE).

In light of the hash function results, moving away from MD5 and SHA-1 
(with reason) seems prudent practice. My initial posting here had the 
intent of examining whether SACRED faces any direct problems due to the 
results; my conclusion at this time is that SACRED does not.

-- Magnus

On Wed, 30 Nov 2005, Magnus Nyström wrote:

> In the context of Digest-MD5, we're mostly concerned about pre-image 
> resistance. I further assume that the entropy of the underlying password is 
> less than 128 bits.
>
> -- Magnus
>
> On Wed, 30 Nov 2005, Russ Housley wrote:
>
>> Magnus:
>> 
>> The NIST recommendation is to move away from SHA-1 by 2010, simply due to 
>> its size.  NIST made this recommendation before the flaws in SHA-1 were 
>> discovered.  SHA-1 is a 160-bit hash.  MD5 is a 128-bit hash.  Can you 
>> explain why the smaller hash value is acceptable in the SACRED protocol 
>> context beyond 2010?
>> 
>> Russ
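The Digest-MD5 computation the thread is reasoning about, as an added example (not part of the original messages): the RFC 2831 response-value, with the hash function made a parameter so the DIGEST-SHA256 variant Magnus mentions can be sketched; that SHA-256 parameterisation is hypothetical, not a standardised SASL mechanism. Every hashed string contains the server nonce, the client nonce and the password, which is why a collision in H buys an attacker nothing, and why the password (and its entropy, as the pre-image remark notes) is the only secret left to recover from a captured exchange.

```python
import hashlib
import hmac
import secrets

# RFC 2831 DIGEST-MD5 response-value, with the hash made a parameter so the same
# construction can be run over SHA-256 (a hypothetical "DIGEST-SHA256"; no such
# SASL mechanism was standardised).
def digest_response(username, realm, password, nonce, cnonce, nc, qop,
                    digest_uri, hashfn=hashlib.md5, server=False):
    # A1 = H(user:realm:passwd) ":" nonce ":" cnonce, with H(...) as raw bytes
    # (HTTP Digest uses the hex form here; SASL DIGEST-MD5 does not).
    h_urp = hashfn(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 = h_urp + f":{nonce}:{cnonce}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri for the client; ":" digest-uri for rspauth.
    a2 = ("" if server else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    hex_h_a1 = hashfn(a1).hexdigest()
    hex_h_a2 = hashfn(a2.encode("utf-8")).hexdigest()
    # response = KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))), KD(k, s) = H(k:s)
    data = f"{hex_h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{hex_h_a2}".encode("utf-8")
    return hashfn(data).hexdigest()


def verify_response(presented, hashfn=hashlib.md5, **params):
    """Server side: recompute from the stored credential, compare in constant time."""
    expected = digest_response(hashfn=hashfn, **params)
    return hmac.compare_digest(expected, presented)


# RFC 2831 section 4 example exchange (the RFC's own sample values).
RFC_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com",
                   password="secret", nonce="OA6MG9tEQGm2hh",
                   cnonce="OA6MHXh6VqTrRk", nc="00000001", qop="auth",
                   digest_uri="imap/elwood.innosoft.com")

if __name__ == "__main__":
    print("response =", digest_response(**RFC_EXAMPLE))
    print("rspauth  =", digest_response(**RFC_EXAMPLE, server=True))
    # Fresh nonces from both sides: the hashed strings are fixed only after
    # both parties have contributed, so no colliding pair can be prepared ahead.
    fresh = dict(RFC_EXAMPLE, nonce=secrets.token_urlsafe(16),
                 cnonce=secrets.token_urlsafe(16))
    print("same password, new nonces =", digest_response(**fresh))
    # Hypothetical DIGEST-SHA256: identical construction, 256-bit digests.
    print("sha256 variant =", digest_response(**RFC_EXAMPLE, hashfn=hashlib.sha256))
```

The expected values for the RFC example are the `response` and `rspauth` printed in RFC 2831 section 4. DIGEST-MD5 was later moved to Historic status by RFC 6331 (2011).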
