Hi, all,

+1, with a caveat below...

On 6/4/2011 1:04 PM, Paul Hoffman wrote:
On Jun 3, 2011, at 7:15 PM, Uma Chunduri wrote:

exactly how is MD5 the weakest link here? some particular words about the 
threat model + ability to subvert a running session which ships a few 
megabytes/minute around would be in order here.

[Uma]

1. Wang, X. and H. Yu, "How to break MD5 and other hash functions", Proc. IACR Eurocrypt 2005, Denmark
2. RFC 4270

Wearing my co-author-of-4270 hat, let me state forcefully: invoking
RFC 4270 or *any* current published work on MD5 does not answer the
question of how MD5 is the weakest link here. Those are *unrelated* to
an attack on the integrity of communication in draft-sidr-rpki-rtr.
Collision attacks on MD5 and SHA-1 are, to date, unrelated to preimage
attacks, and it is preimage attacks that you care about.

On Jun 4, 2011, at 9:38 AM, Stephen Farrell wrote:

Trying to catch up with you all here.

 From reading the mail thread it seems to me that:

- tcp-md5 is available but undesirable
- tcp-ao is desirable but unavailable so far
- ssh is available and slightly undesirable for
  performance reasons but desirable in
  security terms

That would imply that an answer might be:

MUST implement SSH; SHOULD implement TCP-AO and
MUST/SHOULD prefer TCP-AO over SSH if both
available

Would that garner (rough) consensus?

Another proposal that might be more likely to garner rough consensus
would be: MUST implement TCP-MD5 [RFC2385]; SHOULD implement TCP-AO
[RFC5925] (the official successor to TCP-MD5) as soon as possible; if
both parties in the protocol support TCP-AO, they SHOULD use TCP-AO and
SHOULD NOT use TCP-MD5. After we believe that there is lots of TCP-AO
adoption, we revise the document and remove TCP-MD5 as an option.

IMO, "MUST AO, MAY MD5 if AO is not available" achieves this *without* a "MUST" that overrides the existing AO/MD5 advice in the AO RFC.

The net effect is, AFAICT, identical, and more like what you state above.

FWIW, I also think it's a lot more tractable to expect an MD5/AO use than an SSH/AO use; the APIs of the former two are likely to be very similar, but not the latter.

Joe
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
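The thread turns on what TCP-MD5 [RFC2385] actually signs and why Paul's collision-versus-preimage distinction matters for an rpki-rtr session. The example below, added here and not taken from the thread or from any rpki-rtr implementation, computes the RFC 2385 signature option for a constructed segment (MD5 over the TCP pseudo-header, the fixed TCP header with checksum zero, the segment data, and finally the shared key) and then verifies it against the original, a tampered, and a wrongly keyed copy. The addresses (RFC 5737 documentation space), ports, key and the Serial-Query-shaped payload are all made up for the demonstration; the option layout (kind 19, length 18, two NOPs of padding) is the one RFC 2385 specifies.

```python
"""RFC 2385 TCP MD5 Signature Option, worked through on a constructed segment.

Added example, not code from the sidr thread or from any rpki-rtr
implementation.  Addresses, ports, key and payload are constructed.
"""
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19   # TCP MD5 Signature Option kind (RFC 2385)
TCP_MD5_LEN = 18    # kind(1) + length(1) + 16-byte MD5 digest
OPTIONS_LEN = 20    # the 18-byte option padded with two NOPs to a 32-bit boundary


def fixed_tcp_header(sport, dport, seq, ack, flags, window, options_len):
    """20-byte TCP header without options; checksum and urgent pointer zero.

    RFC 2385 hashes the header "excluding options, and assuming a checksum
    of zero", but the data-offset field still counts the option bytes that
    will follow on the wire, so it is computed from options_len here.
    """
    data_offset_words = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def rfc2385_digest(src_ip, dst_ip, header, options_len, payload, key):
    """MD5 over the four RFC 2385 inputs, in order: pseudo-header, fixed
    TCP header, segment data, shared key.  The segment length in the
    pseudo-header covers header + options + data."""
    seg_len = len(header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    h = hashlib.md5()
    h.update(pseudo)
    h.update(header)
    h.update(payload)
    h.update(key)
    return h.digest()


def sign_options(digest):
    """Encode the digest as a TCP option block: kind, length, digest, NOP, NOP."""
    return struct.pack("!BB", TCP_MD5_KIND, TCP_MD5_LEN) + digest + b"\x01\x01"


def find_md5_option(options):
    """Walk the TCP option TLVs and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            return None
        if kind == 1:            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options):
            return None          # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None          # malformed length
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, header, options, payload, key):
    """Receiver side: recompute the digest with the shared key and compare in
    constant time.  A segment without the option is rejected outright."""
    received = find_md5_option(options)
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, header, len(options), payload, key)
    return hmac.compare_digest(received, expected)


def demo():
    """Sign one constructed segment and check it under four conditions."""
    key = b"constructed-shared-secret"           # constructed, not a real key
    src, dst = "192.0.2.1", "192.0.2.2"          # RFC 5737 documentation addresses
    # Constructed payload shaped like an rpki-rtr Serial Query PDU:
    # version 0, PDU type 1, session id, length 12, serial number.
    pdu = struct.pack("!BBHII", 0, 1, 0x1234, 12, 42)
    tampered_pdu = struct.pack("!BBHII", 0, 1, 0x1234, 12, 43)  # serial changed
    hdr = fixed_tcp_header(40000, 323, 1000, 2000, 0x18, 65535, OPTIONS_LEN)
    opts = sign_options(rfc2385_digest(src, dst, hdr, OPTIONS_LEN, pdu, key))
    return {
        "valid": verify_segment(src, dst, hdr, opts, pdu, key),
        "tampered": verify_segment(src, dst, hdr, opts, tampered_pdu, key),
        "wrong_key": verify_segment(src, dst, hdr, opts, pdu, b"other-key"),
        "missing_option": verify_segment(src, dst, hdr, b"\x01\x01\x01\x01", pdu, key),
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes concrete: the receiver recomputes the digest with the shared key and rejects anything that does not match, so an attacker who wants to inject or alter a segment in a running session has to produce the correct 16-byte digest for that specific segment without knowing the key. That is a different problem from finding two arbitrary inputs with the same MD5 output, which is what the published collision results deliver. The constant-time comparison is there because a byte-by-byte `==` on the digest would leak how many leading bytes matched.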
