Hi all,

We didn't reach consensus about how to support hash function agility. We should try to reach consensus, so I am sending a summary of the analysis, the possible solutions for encoding the hash functions, and their pros and cons.
The uses of hashes are the following:

a) Digital signature in the X.509 certificate. An attacker can produce a false certificate with the same identity data and signature, but a different key. After that, he does not have to break any other hash (CGA, key hash field, digital signature); he just uses that new, unauthorized key in the generation of the mentioned fields.

b) CGAs. The same as with the certificate: it is enough just to break the CGA and use the false key in the key hash field generation and for digital signature signing.

c) Key hash field. Again the same thing. The attacker breaks the key hash and does not have to break any other hash, because he just uses the new key for the generation of the other fields.

d) Digital signature. The attacker could change some of the SeND message fields. However, the attack is probably just theoretically possible; in practice it is hard to perform, since there are mostly human-readable fields to be signed. The attacker does not need to break any other hash; the hashed message can be signed with the authorized key (if the attacker manages to change the message before the SeND node starts signing it).

The question is: do we need to provide the opportunity to choose different hash algorithms? If the attacker attacks just one hash, he breaks the whole chain. Thus, it is enough to define just one hash algorithm in the Hash Algorithm option. On the other hand, the possibility of configuring multiple hashes provides additional flexibility. Additionally, we could support it because of possible future changes in SeND.

What are your opinions?

Ana

_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
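As an added illustration of the CGA point discussed above (this is not code from the mail or from the SeND drafts), here is a simplified CGA generation and verification in Python modelled on RFC 3972 with the hash algorithm as a parameter. It shows the defender-side consequence of hash agility: an address generated with one hash is rejected by a verifier that assumes another, so whatever hash is used must be signalled to the verifier. The subnet prefix and "public key" are constructed byte strings (a real CGA hashes the DER-encoded key), and extension fields are assumed empty.

```python
import hashlib
import os

# Added example: simplified CGA generation/verification modelled on RFC 3972, with
# the hash algorithm as a parameter. Assumption: the "public key" is a constructed
# byte string (a real CGA hashes the DER-encoded key); extension fields are empty.

def _h(alg, data):
    return hashlib.new(alg, data).digest()

def cga_generate(alg, prefix, pubkey, sec, modifier=None):
    """Return (interface_id, modifier, collision_count) for a CGA of security level sec."""
    assert len(prefix) == 8 and 0 <= sec <= 7
    modifier = os.urandom(16) if modifier is None else modifier
    # Hash2 must start with 16*sec zero bits; search modifiers until it does.
    while sec > 0:
        hash2 = _h(alg, modifier + bytes(9) + pubkey)
        if int.from_bytes(hash2[:2 * sec], "big") == 0:
            break
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    collision_count = 0  # no duplicate-address detection in this example
    hash1 = bytearray(_h(alg, modifier + prefix + bytes([collision_count]) + pubkey)[:8])
    hash1[0] = (hash1[0] & 0x1C) | (sec << 5)  # leftmost 3 bits = sec, u/g bits cleared
    return bytes(hash1), modifier, collision_count

def cga_verify(alg, prefix, iid, pubkey, modifier, collision_count):
    """Check an interface identifier against its CGA parameters using hash alg."""
    sec = iid[0] >> 5
    hash1 = bytearray(_h(alg, modifier + prefix + bytes([collision_count]) + pubkey)[:8])
    hash1[0] = (hash1[0] & 0x1C) | (sec << 5)
    if bytes(hash1) != iid:
        return False
    if sec == 0:
        return True
    hash2 = _h(alg, modifier + bytes(9) + pubkey)
    return int.from_bytes(hash2[:2 * sec], "big") == 0

PREFIX = bytes.fromhex("2001db8000000001")          # constructed sample subnet prefix
PUBKEY = b"constructed-public-key-bytes-for-demo"  # constructed, not a real key

def agility_demo():
    """Generate with SHA-256, then verify with the right hash, the wrong hash, another key."""
    iid, mod, cc = cga_generate("sha256", PREFIX, PUBKEY, sec=1, modifier=bytes(16))
    return {
        "sec_bits": iid[0] >> 5,
        "ug_bits_clear": (iid[0] & 0x03) == 0,
        "verify_sha256": cga_verify("sha256", PREFIX, iid, PUBKEY, mod, cc),
        "verify_sha1": cga_verify("sha1", PREFIX, iid, PUBKEY, mod, cc),
        "verify_other_key": cga_verify("sha256", PREFIX, iid, b"another key", mod, cc),
    }
```

Calling agility_demo() returns True only for the verification that uses the same hash and key as generation; the sec=1 search over modifiers takes a moment because Hash2 must begin with 16 zero bits.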
