Valery Smyslov writes:
> > You should have read the rest of that paragraph:
> >
> > For MD5, the most efficient collision attacks do not have a
> > compatible message difference, but it seems possible to build
> > a dedicated attack with complexity below 2^39. However, for
> > SHA-1, all known collision attacks use differences in every
> > message word, and are thus unsuitable.
> >
> > I.e. they say that this attack is impossible with SHA-1 too for now,
> > as they cannot use the 2^77 attack for SHA-1, as it only works with
> > chosen-prefix collisions where this requires an almost-common-prefix
> > collision attack, and that does not work for SHA. To be able to attack
> > SHA-1 they need to find new ways to make almost chosen-prefix attacks
> > against SHA1.
>
> At the beginning of the paper the authors write that the attack against
> IKEv2 is _almost_ practical. So, it is infeasible today, but taking
> into consideration fast progress in hash analysis it can become feasible
> tomorrow. That's why it's better to have an additional defense
> on the protocol level (like moving COOKIE to the end of the message).
> It is not an urgent action that we should do in a rush, but it is an option
> we should consider for the next major protocol update (if it happens).
Moving the cookie to the end does not help to protect against this attack. Using random SPIs does protect. If they are able to do attacks against SHA-1 without a chosen prefix in the beginning, then it does not matter where the cookie is. If they cannot do that, then their attack does not work as long as either SPIi or SPIr is random.

I mean, if they can do the attack even when the SPIs are random, then they can also do the attack when the cookie is at the end, as the only thing they need to change during the exchange is to change the g^x with g^x', so they can just then force the hash to be the same, where

HASH(SA_INIT(SAi | g^x | ni | infoi | ck(C1))) == HASH(SA_INIT(SAi | g^x' | ni | infoi | ck(C2)))

where C1 and C2 are just selected so that they make the hash the same even when the SPIi and SPIr, and g^x, are different...

So moving the cookie to the end does not offer any more protection against this attack, and thus is not needed. Using random SPIi and SPIr will protect against this attack, and when attacks against SHA-1 are so good that it will not protect anymore, then we say MUST NOT for SHA-1.

--
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec