On Tue, 26 Aug 2008, Andrew Sullivan wrote:

> On Tue, Aug 26, 2008 at 02:44:08PM -0400, Dean Anderson wrote:
> > I don't think I can give the exact correct mathematics without using a
> > book--and I don't have my crypto library right now--so I'll try to
> > armwave a bit:
>
> If you're claiming that, after 10 years and review unto death, people
> with significant profile in the crypto community got the math wrong,
The text of mine that you quote was an explanation of how a chosen plaintext attack works on PKI like RSA. All that I said is that I can't quote the exact math of how the attack works.

However, if you mean to suggest that DNSSEC has been checked over for 10 years by crypto experts without finding flaws, I think you're drawing the wrong conclusion from DNSSEC history, as well as about who has certified its security. DNSSEC work has proceeded in fits and starts for 15 years. Prior DNSSEC work has been almost completely abandoned by RFC4033-35. Not completely replaced, since new typecodes are needed to continue with incompatible use of SIG, KEY, and NXT records from prior (failed) attempts at obtaining secure and workable DNSSEC.

> I don't think you're going to get a warm reception. I think you need
> to demonstrate that there is an actual problem. Certainly, we'll need
> an argument somewhat stronger than, "The math could be wrong
> somewhere."

I never said "the math could be wrong somewhere". I said there is a PKI (RSA) chosen plaintext attack through which one can obtain the private key used to sign DNSSEC records. There is no ambiguity about the existence of that attack, but I will provide an authoritative reference tomorrow.

> I seem to remember you were going to spend this week producing a
> demonstration of an actual attack.

An actual poisoning of a non-verifying DNSSEC cache, yes. This is pretty trivial; the code demonstrating the Kaminsky poisoning will work with some DNSSEC changes. I won't be able to start on that until probably Thursday or Friday. I first have to find a non-verifying DNSSEC cache. I think BIND may work, but will have to check.

If anyone has suggestions for a non-verifying cache, that would be appreciated. Or if some BIND experts have suggestions for making BIND not verify, that would save me some time. If someone wants to volunteer a non-verifying server that is otherwise "in the wild" for use, that would help. Contact me offlist.
--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop