Hi Christian,
> But can y toou explain why you believe that retrieving the private key from the public key and a clear text/encrypted text pair is easier than breaking a hash? Here we do not use any encryption and decryption and we just sign the message using private key and verify the message using public key. >Did you somehow crack RSA? I do not say that it is easier to find the private key from the public key. Because for both SSAS and CGA, public/private keys are used. I do say that the SHAx steps used for CGA generation do not increase the complexity when used against brute force attacks. This is because an attacker only needs the private key and does not need to find the modifier that was used in the generation of the node's IID nor is there a need for checking the condition of sec by 16 bits which should be equal to zero. In SSAS I just use the public/private keys and the signature and nothing is encrypted/decrypted. In CGA some extra SHAx steps are used in the generation of their IID along with the signature. I say that these steps are not needed as long as you include and send all parameters, used in the SHAx process, in the packet for verification purposes. Some people feel that CGA is secure enough when those steps are used. Now what I want to point out here is that the CGA security level is only dependent on the algorithm used for key pair and signature generation and that those extra steps do nothing enhance the security side of things. The algorithms used can be RSA or ECC or whatever, and as such the situation will be the same as it is for SSAS. I just removed the complexity from the use of CGA in order to enable a more practical and faster generation and verification process. So the question isn't how to break the encrypted text but how to break the signature. In other word, to find the same public key as used by the generator node or how to break the RSA or ECC. Based on my knowledge of hash algorithms, as I mentioned in my prior sentence, this will depend on the strength of the RSA or whatever other algorithm is used to generate these keys and sign the message. If you or anyone else thinks otherwise, please contribute to this discussion and share your opinions. I am just comparing the security aspects of SSAS, the time efficient algorithm, to those of CGA. Thank you, Hosnieh From: Christian Huitema [mailto:huit...@microsoft.com] Sent: Saturday, March 16, 2013 5:37 PM To: Hosnieh Rafiee; ipv6@ietf.org; s...@ietf.org Cc: Erik Nordmark; alexandru.petre...@gmail.com; Ray Hunter Subject: RE: security consideration of CGA and SSAS - Ii-D action : draft-rafiee-6man-ssas It is very clear that if the attacker finds the private key, the size of the hash does not matter. But can you explain why you believe that retrieving the private key from the public key and a clear text/encrypted text pair is easier than breaking a hash? Did you somehow crack RSA? From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On Behalf Of Hosnieh Rafiee Sent: Saturday, March 16, 2013 6:27 AM To: ipv6@ietf.org; s...@ietf.org Cc: Erik Nordmark; alexandru.petre...@gmail.com; Ray Hunter Subject: security consideration of CGA and SSAS - Ii-D action : draft-rafiee-6man-ssas Hello, There was a discussion during my presentation about security considerations regarding the use of my algorithm compared with those of the use of CGA. A big mistake that is made when considering CGA security is that the sec value plays an important role and that an attacker will need to do brute force attacks against the IID in order to generate the same IID as is generated by the use of CGA. In a CGA analysis paper they talk about a CGA security vaulue of pow (2, sec*16 * 59) where 2 is the base and sec*16 * 59 is the exponential value and so they infer that by increasing the sec value used with CGA it will be safer, but this Is not true. I, as an attacker, just to need to find your private key. That's it. This is because you have already included the CGA parameters (public key, modifier, and other required parameters) in the packet that was sent and I will have no problem in regenerating the CGA. My only problem will be in generating the signature that can be verified by use of your public key. This means that you just increased the complexity and time required for generating and verifying the IID while with SSAS you can obtain the same security as when using CGA because its security also depends on the Hash function that is used to generate the key pair and signature. If you send the CGA parameters via a safe channel, like in establishing TLS etc., then, in that case, CGA would be more secure than SSAS. But in practice all the data is sent in the same packet without encryption. If a secured channel would be used in the CGA process for security reasons (sending CGA parameters), then the cost of using CGA would be much greater than the cost of using SSAS. Now the question is, Why not use a more cost efficient algorithm that afford you with the same security level as when using CGA. I have also included the security group in this email so that they can also give me any comments that they might have. Thank you, Hosnieh
-------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
