Valery Smyslov writes:
> > You should have read the rest of that paragraph:
> > 
> > For MD5, the most efficient collision attacks do not have a
> > compatible message difference, but it seems possible to build
> > a dedicated attack with complexity below 2^39. However, for
> > SHA-1, all known collision attacks use differences in every
> > message words, and are thus unsuitable.
> > 
> > I.e. they say that this attack is impossible with SHA-1 too for now,
> > as they cannot use the 2^77 attack for SHA-1, as it only works with
> > chosen-prefix collisions where this requires almost-common-prefix
> > collision attack, and that does not work for SHA. To be able to attack
> > SHA-1 they need to find new ways to make almost chosen-prefix attacks
> > against SHA1.
> 
> At the beginning of the paper the authors write that the attack against
> IKEv2 is _almost_ practical. So, it is infeasible today, but taking
> into considerations fast progress in hash analysis can become feasible 
> tomorrow. That's why it's better to have an additional defense
> on the protocol level (like moving COOKIE at the end of the message).
> It is not an urgent action that we should do in a rush, but it is an option
> we should consider for the next major protocol update (if it happens).

Moving the cookie to the end does not help to protect against this attack.
Using a random SPI does protect.

If they are able to do attacks against SHA-1 without a chosen prefix at
the beginning, then it does not matter where the cookie is. If they
cannot do that, then their attack does not work as long as either SPIi
or SPIr is random.

I mean if they can do the attack even when the SPIs are random, then they
can also do the attack when the cookie is at the end, as the only thing
they need to change during the exchange is to change the g^x to
g^x', so they can just then force the hash to be the same where

        HASH(SA_INIT(SAi | g^x | ni | infoi | ck(C1))) ==
        HASH(SA_INIT(SAi | g^x' | ni | infoi | ck(C2)))

where C1 and C2 are just selected so that they make the hash the same even
when SPIi, SPIr and g^x are different...

So moving the cookie to the end does not offer any more protection against
this attack, thus it is not needed. Using random SPIi and SPIr will protect
against this attack, and when attacks against SHA-1 are so good that
it will not protect anymore, then we say MUST NOT for SHA-1.
-- 
kivi...@iki.fi
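A constructed toy (added here, not code from the thread's participants or from any IKEv2 implementation) illustrating the argument above: a cookie pair (C1, C2) precomputed against a predictable SPIi makes the two transcript hashes collide, but the same pair no longer collides once SPIi is chosen at random. The field names, byte sizes, the 24-bit truncation of SHA-1 and the birthday search standing in for the paper's collision attack are all assumptions of this example.

```python
import hashlib
import secrets
from itertools import count

# Constructed toy model of the SA_INIT transcript hash discussed in the thread,
# HASH(SPIi | SAi | g^x | ni | infoi | ck(C)). The digest is truncated to
# 24 bits so a collision is findable instantly; real SHA-1 would need the
# paper's chosen-prefix machinery. Field names and sizes are assumptions.
HASH_BYTES = 3

def transcript_hash(spi_i, sa_i, gx, n_i, info_i, cookie):
    """Hash the concatenated SA_INIT fields, truncated to HASH_BYTES."""
    data = spi_i + sa_i + gx + n_i + info_i + cookie
    return hashlib.sha1(data).digest()[:HASH_BYTES]

def find_cookie_pair(spi_i, sa_i, gx, gx_prime, n_i, info_i):
    """Offline precomputation for a predicted SPIi: birthday-search cookies
    C1, C2 so that the transcript with g^x and C1 collides with the one
    using g^x' and C2. Stands in for the paper's collision attack."""
    seen = {}  # truncated hash -> cookie on the g^x side
    for i in count():
        c = i.to_bytes(4, "big")
        seen.setdefault(transcript_hash(spi_i, sa_i, gx, n_i, info_i, c), c)
        h2 = transcript_hash(spi_i, sa_i, gx_prime, n_i, info_i, c)
        if h2 in seen:
            return seen[h2], c

def collides(spi_i, sa_i, gx, gx_prime, n_i, info_i, c1, c2):
    """Does the precomputed (C1, C2) pair still collide under this SPIi?"""
    return (transcript_hash(spi_i, sa_i, gx, n_i, info_i, c1)
            == transcript_hash(spi_i, sa_i, gx_prime, n_i, info_i, c2))

def demo():
    sa_i, n_i, info_i = b"SAi-proposal", b"nonce-i", b"info-i"
    gx, gx_prime = b"g^x", b"g^x'"
    # Predictable SPIi (e.g. a counter): the prefix is known before the exchange.
    guessed_spi = (1).to_bytes(8, "big")
    c1, c2 = find_cookie_pair(guessed_spi, sa_i, gx, gx_prime, n_i, info_i)
    precomputed = collides(guessed_spi, sa_i, gx, gx_prime, n_i, info_i, c1, c2)
    # Random SPIi chosen at exchange time: the hashed prefix is unknown in
    # advance, so the precomputed pair no longer collides (except with
    # probability 2^-24 in this toy).
    random_spi = secrets.token_bytes(8)
    reused = collides(random_spi, sa_i, gx, gx_prime, n_i, info_i, c1, c2)
    return precomputed, reused

if __name__ == "__main__":
    print(demo())  # (True, False)
```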

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec