(And, a somewhat delayed response.) Fingerprint derivation MUST take measures to make multi-target attacks cost as much as single-target attacks. The easiest approach is to use something else the user verifies -- like an email address or (unique) screenname -- as an additional input to the KDF.
(The advantage, as dkg points out, is large even for private attackers. It's gigantic for those involved in mass surveillance or espionage: it's the total number of keys. Just for RSA and DSA SSH host keys: > 2^27 targets. See, e.g., http://elastic-security.com/2013/10/29/applications-of-zmap/)

On Friday, July 11, 2014, Daniel Kahn Gillmor <[email protected]> wrote:

> On 07/11/2014 09:45 AM, Tom Ritter wrote:
> > In my mind, a 2^80 attacker is targeting a single key,
>
> Hm, I don't think this is always true.
>
> There are groups of people (and groups of machines) where the attacker
> can get value from impersonating any one of them. For example, a
> mid-size hosting company may operate roughly 2^10 servers, each with its
> own ssh host key. With many modern OpenSSH instances, each sshd has 3
> or even 4 host keys: dsa, rsa, ecdsa, ed25519; so that's 2^11 or 2^12
> target keys you can try to match.
>
> Maybe we don't want to capture this additional attacker advantage in our
> model, but if so, we should at least explicitly state it as out of scope.
>
> --dkg
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
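The construction from the first paragraph and the multi-target attacker from dkg's quoted message, as an added example that is not part of the original thread: a fingerprint that mixes the user-verified identity into an HKDF-style extract step (HMAC with the identity as salt), next to the plain hash-of-key fingerprint, with a matcher showing that a random candidate key gets N chances per trial against an unsalted directory but only one chance against a salted one. Identity names, keys, the directory and the tiny fingerprint width are constructed for the demonstration.

```python
import hashlib
import hmac
import random
from typing import Dict, List, Optional


def fingerprint(pubkey: bytes, identity: Optional[str] = None, bits: int = 256) -> int:
    """Fingerprint of a public key, keeping its `bits` leading bits.

    identity=None is the plain hash-of-key construction.  With an identity the
    user verifies anyway (e.g. an e-mail address), that identity is the salt of
    an HKDF-style extract step, binding the fingerprint to (identity, key)."""
    if identity is None:
        digest = hashlib.sha256(pubkey).digest()
    else:
        digest = hmac.new(identity.encode(), pubkey, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def matching_targets(candidate: bytes, directory: Dict[str, int], salted: bool,
                     bits: int, chosen: Optional[str] = None) -> List[str]:
    """Identities (directory: identity -> published fingerprint) a candidate key
    passes for.  Unsalted: compared against every entry, N chances per trial.
    Salted: bound to the one identity the attacker chose, 1 chance per trial."""
    if not salted:
        fp = fingerprint(candidate, None, bits)
        return [who for who, target in directory.items() if target == fp]
    fp = fingerprint(candidate, chosen, bits)
    return [chosen] if directory.get(chosen) == fp else []


def expected_trials(bits: int, n_targets: int, salted: bool) -> int:
    """Rough mean number of random-key trials to hit some target (unsalted,
    2^bits / N) or the chosen target (salted, 2^bits)."""
    return 2 ** bits if salted else 2 ** bits // n_targets


def simulate(n_targets: int, bits: int, salted: bool, seed: int) -> int:
    """Brute force a constructed directory of random 32-byte 'keys' with a
    deliberately tiny fingerprint; returns how many candidate keys were tried."""
    rng = random.Random(seed)
    keys = {f"user{i}@example.org": rng.randbytes(32) for i in range(n_targets)}
    directory = {who: fingerprint(k, who if salted else None, bits) for who, k in keys.items()}
    chosen = next(iter(directory))  # salted attacker must commit to one victim
    trials = 1
    while not matching_targets(rng.randbytes(32), directory, salted, bits, chosen):
        trials += 1
    return trials


if __name__ == "__main__":
    for salted in (False, True):
        print("salted" if salted else "unsalted", expected_trials(16, 256, salted), simulate(256, 16, salted, 1))
```

With 256 targets and a 16-bit fingerprint the unsalted search typically succeeds after a few hundred candidates, the salted one only after tens of thousands: the identity salt restores the single-target cost.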
