On Sat, Feb 21, 2015 at 12:44 PM, Paul Wouters <[email protected]> wrote:

> On Fri, 20 Feb 2015, Brian Dickson wrote:
>
>> In section 5.1, about email leaks, it may be worth additionally
>> mentioning:
>> Use of distinct SALT values can further limit brute force efforts, even
>> where the same key is used.
>>
>
> How would that help? I would assume the attacker zone walks the zone and
> then brute forces the names offline. Whether the actual live zone
> changes salt wouldn't matter at that point?

I should have been more clear in my comment.

Enumerating a zone when NSEC3 is used basically only gives the attacker a
dictionary of NSEC3 owner names.
_Those_ owner names are salted hashes of the original owner names.
The effort to create a mapping from salted hashes to original owner name is
"X", for some X.

If the same NSEC3PARAMs are used, the same input -> same output, i.e. for
owner FOO, NSEC3 owner is BAR.
Changing the SALT and leaving the alg and iterations unchanged means FOO
now hashes to BAR_PRIME.

If everyone used the same SALT, alg, and iterations, the attacker would be
able to add to her dictionary by attacking each hashed value once.

However, if everyone used random SALT, even with same alg and iterations,
the dictionary of hashed values becomes worthless, and the attacker needs
to maintain a dictionary of unhashed values, and needs to hash the entire
dictionary to find matches on each subsequent zone.

It's an order(N) vs order(N) x order(M) thing, where N is the attacker's
dictionary size and M is the number of zones the attacker is attempting to
harvest names for. It turns a win (space vs time) into a lose (diminishing
returns).

I think.

Brian
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
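
The FOO -> BAR versus FOO -> BAR_PRIME point in the message above, as an added example that is not part of the original thread: it computes NSEC3 owner hashes per RFC 5155 (SHA-1) and checks a hash table built under one salt against the same names hashed under another. The candidate names and the second salt are constructed sample values; the first salt and iteration count are the sample parameters from RFC 5155 Appendix A.

```python
import base64
import hashlib

# Translate the RFC 4648 base32 alphabet to lowercase base32hex (NSEC3 owner names)
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def wire_name(name):
    """Canonical (lowercase) DNS wire format of a fully qualified name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: H(x || salt), then `iterations` further rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def build_table(candidates, salt_hex, iterations):
    """Hash -> name table; valid only for this exact (salt, iterations) pair."""
    return {nsec3_hash(n, salt_hex, iterations): n for n in candidates}

def recovered(table, zone_hashes):
    """Names whose hashes appear both in the table and in the walked chain."""
    return sorted(table[h] for h in zone_hashes if h in table)

# Constructed sample data: candidate names and the names actually in the zone
CANDIDATES = ["example", "a.example", "ns1.example", "mail.example"]
ZONE_NAMES = ["example", "a.example", "ns1.example"]
OLD_SALT, NEW_SALT, ITER = "aabbccdd", "0badc0de", 12

def demo():
    """Check a table built under OLD_SALT against chains under both salts."""
    table = build_table(CANDIDATES, OLD_SALT, ITER)
    old_chain = [nsec3_hash(n, OLD_SALT, ITER) for n in ZONE_NAMES]
    new_chain = [nsec3_hash(n, NEW_SALT, ITER) for n in ZONE_NAMES]
    return recovered(table, old_chain), recovered(table, new_chain)

if __name__ == "__main__":
    hits_old, hits_new = demo()
    print("table matches under the salt it was built for:", hits_old)
    print("table matches after the salt changed:", hits_new)
```

Every distinct salt forces a fresh pass over the whole candidate list, which is the order(N) x order(M) cost described in the message.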
