In your previous mail you wrote:

> => I strongly disagree: the use of those SHAx steps is the way to extend the
> search space and until SHAx pre-images are broken for the worst case (i.e.,
> no attack better than brute force).
>
> Be patient please. It takes time to prepare a response because I will need
> to work on code to break RSA and also SHAx (CGA) and currently I have no
> opportunity to work on this.

=> I'll be very patient about the code to break CGAs (:-).

> => this seems to be replay attacks. RFC 3972 (CGAs) doesn't protect against
> replay but provides message (aka connectionless) integrity so any use of
> CGAs can add an anti-replay device (RFC 3971 (SEND) uses nonces and
> timestamps for anti-replay). BTW CGAs and SSASs are the same for this point.
>
> Nonce and timestamp both cannot be much helpful for replay attacks. I
> mentioned a fast replay attack. You need to consider the clock skew for
> timestamp (two seconds or so). The other nodes do not know whether the nonce
> is for an attacker or for your node.

=> the nonce doesn't prove the origin but the signature does.

> I, as an attacker, can easily copy and paste the whole packet
> content in my message with my own link layer address and send it
> back to you.

=> I have no problem with this way to improve the service. BTW the link-layer
address ND option (vs the one in the Ethernet header) is protected by the
signature so you can't change it. And I still can't see a difference between
SSAS and CGA about this point: in both cases signatures cover the same fields.

Regards

[email protected]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
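The address-to-key binding that the thread argues about, as an added example that is not part of the mail or of any IETF code: RFC 3972 CGA generation and verification in Python, with the public-key bytes and the subnet prefix constructed for the demonstration (no RSA signing is included; the example covers only the hash binding, not the SEND signature or anti-replay options).

```python
import hashlib

# Constructed inputs: a placeholder standing in for the DER-encoded public key
# (any byte string hashes the same way) and the subnet prefix 2001:db8:0:1::/64.
EXAMPLE_PUBKEY = bytes(range(64))
EXAMPLE_PREFIX = bytes.fromhex("20010db800000001")

def _params(modifier, prefix, collision, pubkey):
    # CGA Parameters data structure (RFC 3972, section 3), without extensions
    return modifier + prefix + bytes([collision]) + pubkey

def _hash2_ok(modifier, pubkey, sec):
    # Hash2 is SHA-1 over the parameters with prefix and collision count zeroed;
    # its leftmost 16*sec bits must be zero (section 4, step 3)
    h2 = hashlib.sha1(_params(modifier, bytes(8), 0, pubkey)).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0

def _interface_id(modifier, prefix, collision, pubkey, sec):
    # Hash1 is the leftmost 64 bits of SHA-1 over the full parameters (step 7)
    iid = bytearray(hashlib.sha1(_params(modifier, prefix, collision, pubkey)).digest()[:8])
    iid[0] = (iid[0] & 0x1f) | (sec << 5)  # bits 0-2 carry the sec value
    iid[0] &= 0xfc                          # u and g bits (bits 6 and 7) are cleared
    return bytes(iid)

def cga_generate(prefix, pubkey, sec, modifier=bytes(16), collision=0):
    # Search the modifier space until Hash2 satisfies the sec condition; this
    # is the extra work that makes matching a chosen key to an address costly
    while not _hash2_ok(modifier, pubkey, sec):
        modifier = (int.from_bytes(modifier, "big") + 1).to_bytes(16, "big")
    return prefix + _interface_id(modifier, prefix, collision, pubkey, sec), modifier

def cga_verify(address, modifier, collision, pubkey):
    # Verification (section 5): recompute Hash1 from the claimed parameters,
    # compare with the address ignoring the sec, u and g bits, then check Hash2
    # against the sec value encoded in the address
    if collision > 2 or len(address) != 16:
        return False
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5
    expected = _interface_id(modifier, prefix, collision, pubkey, sec)
    if (iid[0] & 0x1c, iid[1:]) != (expected[0] & 0x1c, expected[1:]):
        return False
    return _hash2_ok(modifier, pubkey, sec)

if __name__ == "__main__":
    address, modifier = cga_generate(EXAMPLE_PREFIX, EXAMPLE_PUBKEY, sec=1)
    print("CGA:", address.hex(), "own key:", cga_verify(address, modifier, 0, EXAMPLE_PUBKEY))
    print("other key:", cga_verify(address, modifier, 0, b"some other key"))
```

A passing verification only ties the address to the key that signed the packet; it says nothing about freshness, which is why SEND layers nonce and timestamp options on top of the CGA check.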
