Rami Lehtonen wrote: >> if the bit is set, then >> interface id = low64(hash(PK, stuff)) & mask >> >> where >> PK is a public key to be used as an identifier for the host >> stuff is contains other parameters (see the earlier messages) >> hash is a cryptographic hash function, e.g. SHA1 >> low64 is a function that takes lowest 64 bits >> mask indicates that we have to clear/set some bits of the iid >> >>In essense, that would allow anyone to determine if a given public >>key belongs to a host, just inspecting the public key, the address, >>and the "stuff" above. See e.g. > > Does this prove that the public key belongs to the host? What if the > attacker just uses different network prefix and the same interface id than > the original host? > > Am I missing something?
Well, I guess my language was just too loose. CGA, as such, only says that "there has been, at some point of time, some party A, who created this interface id IID, using the parameters (PK, stuff)". This comes from the cryptographic properties of the hash function; that is, we assume that it is sufficiently hard to invert the hash function so that the only plausible way for creating (IID, PK, stuff) triples is first to first generate PK and stuff, and only then to calculate IID. Taking a given IID and generating PK or stuff from that is assumed to be hard. (There are details but I don't want to go the them here. Read draft-roe-mobileip-updateauth-02.txt.) To extend from this, we make the agreement that "since A has created this IID using PK, that indicates that A wants to be identified with PK". That creates a binding IID -> PK. Now, if you want to check that the host using IID is really A, you need to create also the reverse binding, PK -> IID. To do that, you ask A to sign a random number (a nonce) using the private key corresponding to PK. Thus, if an attacker takes the (IID, PK, stuff) triple and goes to another network, it can still use the same IID, but it can't sign anything since it doesn't have the private key corresponding to PK. Or am I missing something? --Pekka Nikander -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
